From 2d2ec450296d22f2829873344ab8f78958a5f1a8 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 2 Mar 2022 14:19:36 +0000 Subject: [PATCH 01/10] Modify base ECS mappings to include .security where possible, as well as custom analyzer definition --- .../templates/component/ecs/agent.json | 90 +- .../templates/component/ecs/aws.json | 736 ++++- .../templates/component/ecs/azure.json | 952 +++++- .../templates/component/ecs/base.json | 50 +- .../templates/component/ecs/cef.json | 1224 +++++++- .../templates/component/ecs/checkpoint.json | 2704 +++++++++++++++-- .../templates/component/ecs/cisco.json | 848 +++++- .../templates/component/ecs/client.json | 249 +- .../templates/component/ecs/cloud.json | 130 +- .../templates/component/ecs/container.json | 82 +- .../templates/component/ecs/cyberark.json | 544 +++- .../templates/component/ecs/data_stream.json | 42 +- .../templates/component/ecs/destination.json | 249 +- .../templates/component/ecs/dll.json | 194 +- .../templates/component/ecs/dns.json | 162 +- .../templates/component/ecs/ecs.json | 50 +- .../component/ecs/elasticsearch.json | 50 +- .../templates/component/ecs/error.json | 70 +- .../templates/component/ecs/event.json | 178 +- .../templates/component/ecs/file.json | 612 +++- .../templates/component/ecs/fortinet.json | 2464 +++++++++++++-- .../templates/component/ecs/gcp.json | 368 ++- .../component/ecs/google_workspace.json | 1000 +++++- .../templates/component/ecs/group.json | 66 +- .../templates/component/ecs/host.json | 302 +- .../templates/component/ecs/http.json | 98 +- .../templates/component/ecs/juniper.json | 600 +++- .../templates/component/ecs/kibana.json | 136 +- .../templates/component/ecs/log.json | 106 +- .../templates/component/ecs/logstash.json | 112 +- .../templates/component/ecs/microsoft.json | 456 ++- .../templates/component/ecs/misp.json | 688 ++++- .../templates/component/ecs/netflow.json | 416 ++- .../templates/component/ecs/network.json | 138 +- .../templates/component/ecs/o365.json | 736 ++++- .../templates/component/ecs/observer.json | 332 +- 
.../templates/component/ecs/okta.json | 408 ++- .../templates/component/ecs/orchestrator.json | 114 +- .../templates/component/ecs/organization.json | 55 +- .../templates/component/ecs/package.json | 130 +- .../templates/component/ecs/process.json | 698 ++++- .../templates/component/ecs/redis.json | 72 +- .../templates/component/ecs/registry.json | 90 +- .../templates/component/ecs/related.json | 66 +- .../templates/component/ecs/rule.json | 122 +- .../templates/component/ecs/server.json | 249 +- .../templates/component/ecs/service.json | 114 +- .../templates/component/ecs/snyk.json | 184 +- .../templates/component/ecs/sophos.json | 1144 ++++++- .../templates/component/ecs/source.json | 249 +- .../templates/component/ecs/suricata.json | 584 +++- .../templates/component/ecs/syslog.json | 56 +- .../templates/component/ecs/threat.json | 2250 ++++++++++++-- .../templates/component/ecs/tls.json | 546 +++- .../templates/component/ecs/tracing.json | 66 +- .../templates/component/ecs/url.json | 130 +- .../templates/component/ecs/user.json | 338 ++- .../templates/component/ecs/user_agent.json | 121 +- .../component/ecs/vulnerability.json | 119 +- .../templates/component/ecs/winlog.json | 1112 ++++++- .../templates/component/ecs/zeek.json | 2496 +++++++++++++-- 61 files changed, 25351 insertions(+), 3396 deletions(-) diff --git a/salt/elasticsearch/templates/component/ecs/agent.json b/salt/elasticsearch/templates/component/ecs/agent.json index 4c7f8738e..4ee85974b 100644 --- a/salt/elasticsearch/templates/component/ecs/agent.json +++ b/salt/elasticsearch/templates/component/ecs/agent.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "agent": { @@ -12,33 +52,69 @@ "properties": { "original": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "ephemeral_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} 
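Review bot: The new `.security` multi-field inherits no length bound from the parent's `ignore_above: 1024`, and `es_security_analyzer` uses the `keyword` tokenizer, so an oversized value becomes one term; Lucene rejects terms over 32766 bytes and the whole document then fails to index, which in a security log pipeline is silent event loss. A `truncate` token filter would cap this: add `"security_truncate": { "type": "truncate", "length": 1024 }` under `filter` and list it in the analyzer as `"filter": [ "lowercase", "trim", "security_truncate" ]`. Separately, `whitespace_no_way` collapses a whitespace run to its last character (`(\s)+` replaced by `$1`) rather than removing whitespace, so the name overstates what it does. `path_hierarchy_pattern_filter` and `path_tokenizer` are declared here without being referenced in this file, presumably for the file/process templates; since the same `analysis` block is pasted verbatim into all 61 component templates, one shared settings component would be far less prone to drift.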
diff --git a/salt/elasticsearch/templates/component/ecs/aws.json b/salt/elasticsearch/templates/component/ecs/aws.json index ccea31e27..b9c9a5ffb 100644 --- a/salt/elasticsearch/templates/component/ecs/aws.json +++ b/salt/elasticsearch/templates/component/ecs/aws.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "aws": { @@ -12,9 +52,9 @@ "properties": { "additional_eventdata": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -22,7 +62,13 @@ }, "api_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "console_login": { "properties": { @@ -30,7 +76,13 @@ "properties": { "login_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mfa_used": { "type": "boolean" 
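Review bot: The `additional_eventdata` hunk replaces the existing `text` multi-field (`"text": { "norms": false, "type": "text" }`) instead of adding `security` beside it, so any saved search, visualization or detection rule that queries `aws.cloudtrail.additional_eventdata.text` stops matching once the template is reapplied, and term-level search inside that JSON blob is lost because `es_security_analyzer` keeps the whole value as a single lowercased token. Unless the rename is deliberate and consumers are updated in the same change, keep both: `"fields": { "text": { "norms": false, "type": "text" }, "security": { "type": "text", "analyzer": "es_security_analyzer" } }`. The same substitution recurs for `request_parameters`, `response_elements` and `service_event_details` later in this file.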
@@ -58,27 +110,63 @@ }, "previous_hash_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "previous_s3_bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "s3_bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "s3_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "start_time": { "type": "date" 
@@ -87,23 +175,53 @@ }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flattened": { "properties": { @@ -126,25 +244,49 @@ }, "management_event": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "read_only": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "recipient_account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_parameters": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -154,23 +296,41 @@ "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "response_elements": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -178,9 +338,9 @@ }, "service_event_details": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -188,21 +348,45 @@ }, "shared_event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_identity": { "properties": { "access_key_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "invoked_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_context": { "properties": { 
@@ -211,25 +395,55 @@ }, "mfa_authenticated": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_issuer": { "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -237,13 +451,25 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "vpc_endpoint_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -251,7 +477,13 @@ "properties": { "message": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -259,7 +491,13 @@ "properties": { "ip_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -267,7 +505,13 @@ "properties": { "action_executed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "backend": { "properties": { 
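Review bot: In the `@@ -251` hunk, `message` is a `text` field with no keyword sibling and no `ignore_above`, so the added `.security` sub-field indexes an entire CloudWatch log line as one lowercased token; log lines can be arbitrarily long, so this inflates the index and, past Lucene's 32766-byte term limit, would reject the document outright. Consider omitting the multi-field on free-text `text` parents, or bounding it with a `truncate` filter inside `es_security_analyzer`. The enclosing object that owns `message` begins before this hunk, so its name is inferred from context.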
@@ -277,7 +521,13 @@ "properties": { "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -285,11 +535,23 @@ }, "ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -304,21 +566,45 @@ "properties": { "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_time": { "properties": { 
@@ -331,33 +617,75 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "incoming_tls_alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "listener": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "matched_rule_priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "redirect_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_processing_time": { "properties": { 
@@ -375,27 +703,57 @@ }, "ssl_cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssl_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_group": { "properties": { "arn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "target_port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tls_handshake_time": { "properties": { @@ -406,15 +764,33 @@ }, "tls_named_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trace_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -422,75 +798,165 @@ "properties": { "authentication_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bucket": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bucket_owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bytes_sent": { "type": "long" }, "cipher_suite": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host_header": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_status": { "type": "long" }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "object_size": { "type": "long" }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "remote_ip": { "type": "ip" }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", 
+ "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requester": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tls_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "total_time": { "type": "long" @@ -500,11 +966,23 @@ }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -512,23 +990,53 @@ "properties": { "account_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "instance_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pkt_dstaddr": { "type": "ip" 
@@ -538,27 +1046,63 @@ }, "subnet_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_flags_array": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpc_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/azure.json b/salt/elasticsearch/templates/component/ecs/azure.json index 5e1acaae5..09259598b 100644 --- a/salt/elasticsearch/templates/component/ecs/azure.json +++ b/salt/elasticsearch/templates/component/ecs/azure.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "azure": { @@ -12,11 +52,23 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity": { "properties": { 
@@ -24,39 +76,87 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "evidence": { "properties": { "principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "principal_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role_assignment_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role_assignment_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role_definition_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -71,23 +171,53 @@ "properties": { "fullname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "givenname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "schema": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "surname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -95,18 +225,36 @@ }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -114,19 +262,43 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "properties": { "properties": { @@ -135,19 +307,43 @@ }, "activity_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "initiated_by": { "properties": { 
@@ -155,19 +351,43 @@ "properties": { "appId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "displayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "servicePrincipalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "servicePrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -175,19 +395,43 @@ "properties": { "displayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ipAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "userPrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -195,19 +439,43 @@ }, "logged_by_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_resources": { "properties": { @@ -215,15 +483,33 @@ "properties": { "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "modified_properties": { "properties": { @@ -231,15 +517,33 @@ "properties": { "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -247,11 +551,23 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -261,28 +577,58 @@ }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "consumer_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "enqueued_time": { "type": "date" }, "eventhub": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "offset": { "type": "long" 
@@ -294,58 +640,136 @@ "properties": { "ActivityId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Caller": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Cloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Environment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "EventTimeString": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ScaleUnit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ccpNamespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "properties": { "type": "flattened" }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -353,27 +777,63 @@ "properties": { "authorization_rule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "namespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -384,84 +844,186 @@ "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "properties": { "properties": { "app_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_processing_details": { "type": "flattened" }, "authentication_requirement": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_requirement_policies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "autonomous_system_number": { "type": "long" }, "client_app_used": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "conditional_access_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "correlation_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "created_at": { "type": "date" }, "cross_tenant_access_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "device_detail": { "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "device_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operating_system": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trust_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -470,11 +1032,23 @@ }, "home_tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_interactive": { "type": "boolean" 
@@ -484,58 +1058,136 @@ }, "original_request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "processing_time_ms": { "type": "float" }, "resource_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource_tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_event_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_event_types_v2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_level_aggregated": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_level_during_signin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service_principal_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sso_extension_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "properties": { 
@@ -546,55 +1198,127 @@ }, "token_issuer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "token_issuer_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_principal_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "result_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result_signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "subscription_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + 
} }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/base.json b/salt/elasticsearch/templates/component/ecs/base.json index f409ed95a..a56e6090a 100644 --- a/salt/elasticsearch/templates/component/ecs/base.json +++ b/salt/elasticsearch/templates/component/ecs/base.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "@timestamp": { @@ -17,9 +57,15 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/cef.json b/salt/elasticsearch/templates/component/ecs/cef.json index 376fbf26a..5481ecb41 100644 --- a/salt/elasticsearch/templates/component/ecs/cef.json +++ b/salt/elasticsearch/templates/component/ecs/cef.json 
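Review bot: The `whitespace_no_way` char filter's replacement `$1` keeps only the last character of each whitespace run, so `"a \tb"` and `"a\t b"` normalize to different terms; if the goal is whitespace normalization, `"replacement": " "` makes the result deterministic. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in this settings block but no analyzer on this page references them, so they are dead settings unless a later change wires them in. The same settings block is added again verbatim in the cef.json hunk that follows; if these files are composed as component templates, conflicting settings resolve last-wins, so two copies of `es_security_analyzer` that later drift apart would silently yield different behavior per index, which defining the analysis settings once in base.json and composing it into the index templates would avoid.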
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "cef": { @@ -12,19 +52,43 @@ "properties": { "event_class_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -32,68 +96,152 @@ "properties": { "Reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentAddress": { "type": "ip" }, "agentDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentReceiptTime": { "type": "date" }, "agentTimeZone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentTranslatedAddress": { "type": "ip" }, "agentTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentVersion": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agentZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "applicationProtocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "baseEventCount": { "type": "long" 
@@ -106,54 +254,126 @@ }, "categoryBehavior": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categoryDeviceGroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categoryDeviceType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categoryObject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categoryOutcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categorySignificance": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categoryTechnique": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cp_app_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cp_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "customerExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "customerURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" 
+ } + } }, "destinationAddress": { "type": "ip" }, "destinationDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationGeoLatitude": { "type": "double" @@ -163,15 +383,33 @@ }, "destinationHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationPort": { "type": "long" @@ -181,11 +419,23 @@ }, "destinationProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationServiceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationTranslatedAddress": { "type": "ip" 
@@ -195,35 +445,83 @@ }, "destinationTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationUserPrivileges": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destinationZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceAction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceAddress": { "type": "ip" 
@@ -233,229 +531,487 @@ }, "deviceCustomDate1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomDate2": { "type": "date" }, "deviceCustomDate2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomFloatingPoint1": { "type": "double" }, "deviceCustomFloatingPoint1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomFloatingPoint2": { "type": "double" }, "deviceCustomFloatingPoint2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomFloatingPoint3": { "type": "double" }, "deviceCustomFloatingPoint3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomFloatingPoint4": { "type": "double" }, "deviceCustomFloatingPoint4Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomIPv6Address1": { "type": "ip" }, "deviceCustomIPv6Address1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomIPv6Address2": { "type": "ip" }, "deviceCustomIPv6Address2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomIPv6Address3": { "type": "ip" }, "deviceCustomIPv6Address3Label": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomIPv6Address4": { "type": "ip" }, "deviceCustomIPv6Address4Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomNumber1": { "type": "long" }, "deviceCustomNumber1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomNumber2": { "type": "long" }, "deviceCustomNumber2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomNumber3": { "type": "long" }, "deviceCustomNumber3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "deviceCustomString3Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString4": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString4Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString5Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString6": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceCustomString6Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceDirection": { "type": "long" }, "deviceDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceEventCategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceExternalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceFacility": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceFlexNumber1": { "type": "long" }, "deviceFlexNumber1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceFlexNumber2": { "type": "long" }, "deviceFlexNumber2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceInboundInterface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceOutboundInterface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "devicePayloadId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceProcessId": { "type": "long" }, "deviceProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceReceiptTime": { "type": "date" }, "deviceTimeZone": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceTranslatedAddress": { "type": "ip" }, "deviceTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "endTime": { "type": "date" 
@@ -465,210 +1021,480 @@ }, "eventOutcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "externalId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fileCreateTime": { "type": "date" }, "fileHash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fileId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fileModificationTime": { "type": "date" }, "filePath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filePermission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fileSize": { "type": "long" }, "fileType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flexDate1": { "type": "date" }, "flexDate1Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flexString1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flexString1Label": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flexString2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "flexString2Label": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ifname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "inzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "layer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "layer_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "loguid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "managerReceiptTime": { "type": "date" }, "match_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_addtnl_rulenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": 
{ + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_rulenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFileCreateTime": { "type": "date" }, "oldFileHash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFileId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFileModificationTime": { "type": "date" }, "oldFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFilePath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFilePermission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldFileSize": { "type": "long" }, "oldFileType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "origin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "originsicname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "outzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_rule": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rawEvent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requestClientApplication": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requestContext": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requestCookies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requestMethod": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requestUrl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rule_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rule_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sequencenum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceAddress": { "type": "ip" }, "sourceDnsDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceGeoLatitude": { "type": "double" @@ -678,15 +1504,33 @@ }, "sourceHostName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceMacAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceNtDomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourcePort": { "type": "long" @@ -696,11 +1540,23 @@ }, "sourceProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceServiceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceTranslatedAddress": { "type": "ip" 
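Review bot: The new `security` subfields on `rawEvent`, `requestCookies`, `requestContext` and `message` in this hunk are `text` fields, which do not accept `ignore_above`, so the 1024-character cap on the keyword parent does not apply to them and the analyzer's `keyword` tokenizer emits the whole value as one term. For a payload-carrying field that can exceed Lucene's per-term limit (32766 bytes), and as far as I know that rejects the entire document at index time instead of just skipping the field, which is a worse failure mode than the parent's silent `ignore_above`. Either leave the subfield off those bulk-content fields, or bound the term inside the analyzer by defining `"security_truncate": { "type": "truncate", "length": 1024 }` under `filter` and appending `"security_truncate"` to the analyzer's filter list so the text copy obeys the same limit as the keyword. The enclosing `extensions`/cef object this hunk sits in starts before the hunk.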
@@ -710,59 +1566,131 @@ }, "sourceTranslatedZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceTranslatedZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceUserPrivileges": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceZoneExternalID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceZoneURI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "startTime": { "type": "date" }, "transportProtocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "type": "long" }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/checkpoint.json b/salt/elasticsearch/templates/component/ecs/checkpoint.json index bb2f8f6de..0fda74ee3 100644 --- a/salt/elasticsearch/templates/component/ecs/checkpoint.json +++ b/salt/elasticsearch/templates/component/ecs/checkpoint.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "checkpoint": { 
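Review bot: `path_hierarchy_pattern_filter` and `path_tokenizer` are declared in the new `analysis` settings but nothing references them — `es_security_analyzer` uses only `whitespace_no_way`, `lowercase`, `trim` and the built-in `keyword` tokenizer — so they are dead configuration carried into every index built from this component; drop them or wire them into an analyzer that is actually applied to a path field. The `whitespace_no_way` pattern `(\\s)+` with replacement `$1` collapses a whitespace run to its last character (a run of tabs stays a tab), which reads oddly against the filter's name; if the intent is to normalise, `"pattern": "\\s+", "replacement": " "` says so directly, and if the intent is to strip whitespace, `"replacement": ""` does. If this same settings block is copied into the other component templates rather than shared, the copies can drift and `.security` would then behave differently per index pattern; a single settings-only component template that every index template includes would keep them aligned. Strict JSON cannot carry a comment, so the analyzer's contract (one lowercased, whitespace-normalised token per value; searchable but not aggregatable) should be documented in the templates' README or the commit description.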
@@ -13,276 +53,636 @@ }, "action_reason_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "additional_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "additional_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "additional_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "allocated_ports": { "type": "long" }, "analyzed_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "answer_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "anti_virus_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_id": { "type": "long" }, "app_package": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_properties": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } }, "app_repackaged": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_sid_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "appi_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "arrival_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attachments_num": { "type": "long" }, "attack_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "audit_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "auth_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "authority_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authorization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bcc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "blade_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "broker_publisher": { "type": "ip" }, "browse_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "c_bytes": { "type": "long" }, "calc_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "capacity": { "type": "long" }, "capture_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "certificate_resource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "certificate_validation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cgnet": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "chunk_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_type_os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cluster_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "confidence_level": { "type": "long" }, "connection_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connectivity_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connectivity_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "conns_amount": { "type": "long" }, "content_disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "content_length": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "content_risk": { "type": "long" }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_num": { "type": "long" }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cookieI": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cookieR": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cp_message": { "type": "long" }, "cvpn_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvpn_resource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dce-rpc_interface_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"delivery_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "detected_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "developer_certificate_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "diameter_app_ID": { "type": "long" 
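Review bot: The `.security` subfield in this hunk is also added to values that are numbers or timestamps stored as keyword — `content_length`, `arrival_time`, `browse_time`, `delivery_time`, `analyzed_on`, `detected_on` — where a lowercased, whitespace-collapsed copy adds index size but no search value, because a case-insensitive match on a number or timestamp is the same exact match the keyword parent already provides. Leaving `fields` off those entries keeps the mapping smaller, and retyping them as `long`/`date` so range queries work would be the better follow-up, though that is pre-existing and outside this commit. Fields such as `authorization`, `cookie`, `cookieI` and `cookieR` hold credential material; the extra copy does not widen exposure beyond the existing keyword index, but it is worth confirming those are meant to be searchable at all.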
@@ -292,54 +692,126 @@ }, "diameter_msg_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_action_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_additional_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_data_type_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_fingerprint_files_number": { "type": "long" }, "dlp_fingerprint_long_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_fingerprint_short_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_incident_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_recipients": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_related_incident_uid": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_relevant_data_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_repository_directories_number": { "type": "long" @@ -349,7 +821,13 @@ }, "dlp_repository_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_repository_not_scanned_directories_percentage": { "type": "long" @@ -359,7 +837,13 @@ }, "dlp_repository_root_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_repository_scan_progress": { "type": "long" 
@@ -384,55 +868,133 @@ }, "dlp_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_template_score": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_transint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_violation_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_watermark_profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dlp_word_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dns_query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "drop_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dropped_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dropped_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + 
} + } }, "dropped_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dropped_file_verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dropped_incoming": { "type": "long" 
@@ -448,204 +1010,492 @@ }, "dst_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_phone_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstkeyid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duplicate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "elapsed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_control": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_control_analysis": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_headers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_id": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_queue_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_queue_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_recipients_num": { "type": "long" }, "email_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_spam_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_spool_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "emulated_on": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "encryption_failure": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "end_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "end_user_firewall_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_access_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_associated_policies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_noncompliance_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_rule_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esod_scan_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_count": { "type": "long" }, "expire_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extension_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } }, "extracted_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extracted_file_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extracted_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extracted_file_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extracted_file_verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "failure_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "failure_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "files_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "first_hit_time": { "type": "long" }, "frequency": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": 
{ + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fs-proto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ftp_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fw_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fw_subproduct": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hide_ip": { "type": "ip" 
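Review bot: `ignore_above: 1024` on the parent keyword does not propagate to the new `security` text multi-field, so for `email_content`, `email_headers` and `email_subject` a value longer than 1024 characters is dropped from the keyword index but is still fully tokenized into e.g. `email_content.security`; the change therefore indexes exactly the largest and most sensitive values that the keyword mapping was deliberately skipping. If that is intended, it deserves a note in the template's `_meta`; if not, leave the text sub-field off these fields or bound the token count in `es_security_analyzer` with a `limit` token filter. Fields such as `duration`, `elapsed`, `end_time`, `expire_time` and `dstkeyid` hold timestamps and identifiers, and an analyzed copy of them costs index space without improving matching.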
@@ -655,53 +1505,119 @@ }, "host_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_location": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "https_inspection_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "https_inspection_rule_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "https_inspection_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "https_validation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icap_more_info": { "type": "long" }, "icap_server_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icap_server_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icap_service_id": { "type": "long" }, "icmp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_code": { "type": "long" 
@@ -714,67 +1630,163 @@ }, "identity_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ike": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ike_ids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "impacted_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator_reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "information": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"inspection_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "inspection_item": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "inspection_profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "inspection_settings_log": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "installed_products": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "int_end": { "type": "long" @@ -784,15 +1796,33 @@ }, "integrity_av_invoke_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "internal_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "invalid_file_size": { "type": "long" 
@@ -802,22 +1832,46 @@ }, "isp_link": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_hit_time": { "type": "long" }, "last_rematch_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "layer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "layer_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "limit_applied": { "type": "long" @@ -827,7 +1881,13 @@ }, "link_probing_status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "links_num": { "type": "long" @@ -840,19 +1900,43 @@ }, "logid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "long_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "machine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "malware_family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "match_fk": { "type": "long" 
@@ -862,7 +1946,13 @@
 },
 "matched_file": {
 "ignore_above": 1024,
-"type": "keyword"
+"type": "keyword",
+"fields": {
+"security": {
+"type": "text",
+"analyzer": "es_security_analyzer"
+}
+}
 },
 "matched_file_percentage": {
 "type": "long"
@@ -872,109 +1962,259 @@ }, "media_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_size": { "type": "long" }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "methods": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mirror_and_decrypt_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_collection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_command_and_control": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_credential_access": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "mitre_defense_evasion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_discovery": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_execution": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_exfiltration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_initial_access": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_lateral_movement": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_persistence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_privilege_escalation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "monitor_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "msgid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat46": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_addtnl_rulenum": { "type": "long" }, "nat_exhausted_pool": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_rulenum": { "type": "long" 
@@ -984,77 +2224,179 @@ }, "next_hop_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "next_scheduled_scan_date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "number_of_errors": { "type": "long" }, "objecttable": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "objecttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "observable_comment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "observable_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "observable_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "origin_sic_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_queue_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } }, "outgoing_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "packet_amount": { "type": "long" }, "packet_capture_unique_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_file_hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_file_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_process_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent_rule": { "type": "long" 
@@ -1064,57 +2406,129 @@ }, "peer_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer_ip_probing_status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "performance_impact": { "type": "long" }, "policy_mgmt": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ports_usage": { "type": "long" }, "ppp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "precise_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "process_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "properties": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protection_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + 
"type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "proxy_machine_name": { "type": "long" 
@@ -1124,58 +2538,136 @@ }, "proxy_user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "proxy_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "question_rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referrer_parent_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referrer_self_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registered_ip-phones": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reject_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reject_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rematch_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"remediated_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reply_status": { "type": "long" }, "risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rpc_prog": { "type": "long" @@ -1185,14 +2677,26 @@ }, "rule_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rulebase_id": { "type": "long" }, "scan_direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scan_hosts_day": { "type": "long" 
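Review bot: `query`, `question_rdata`, `referrer` and `proxy_user_dn` in this hunk carry DNS names, URLs and LDAP distinguished names, where `.`, `/`, `,` and `=` are structural; with a standard-style tokenizer a match query on `query.security` for `evil.example.com` also matches any document that merely contains the tokens `evil`, `example` and `com`, unless phrase or `and` semantics are used. Whether that is acceptable depends on the tokenizer and filters in `es_security_analyzer`, which are not visible here, so the intended tokenization for hostname, URL and DN fields should be documented next to the analyzer definition. Detection content that needs exact-match semantics on these fields should keep targeting the keyword parent rather than the `.security` sub-field.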
@@ -1205,184 +2709,442 @@ }, "scan_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scan_mail": { "type": "long" }, "scan_result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scan_results": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scrub_activity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scrub_download_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scrub_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scrub_total_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scrubbed_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sctp_association_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "sctp_error": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scv_message_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scv_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "securexl_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sensor_mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "short_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "similar_communication": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "similar_hashes": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "similar_strings": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "similiar_iocs": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sip_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "site_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "special_properties": { "type": "long" }, "specific_data_type_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "speed": { "type": "long" }, "spyware_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "spyware_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "spyware_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_phone_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srckeyid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status_update": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_policy_uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subs_exp": { "type": "date" 
@@ -1392,65 +3154,149 @@ }, "summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suppressed_logs": { "type": "long" }, "sync": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sys_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_end_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_packet_out_of_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "te_verdict_determined_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "termination_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ticket_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tls_server_host_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "top_archive_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "total_attachments": { "type": "long" }, "triggered_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trusted_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "unique_detected_day": { "type": "long" 
@@ -1463,109 +3309,259 @@ }, "update_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendor_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "verdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "via": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virus_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_attach_action_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_attach_sz": { "type": "long" }, "voip_call_dir": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_call_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_call_term_time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_config": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_est_codec": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_exp": { "type": "long" }, "voip_from_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_log_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_media_codec": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_media_ipp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"voip_media_port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_reason_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_reg_int": { "type": "long" @@ -1581,31 +3577,73 @@ }, "voip_reg_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_reject_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "voip_to_user_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpn_feature_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "watermark": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "web_server_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "word_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/ecs/cisco.json b/salt/elasticsearch/templates/component/ecs/cisco.json
index 3800b79fc..b64427beb 100644
--- a/salt/elasticsearch/templates/component/ecs/cisco.json
+++ b/salt/elasticsearch/templates/component/ecs/cisco.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "cisco": {
@@ -17,11 +57,23 @@
 "properties": {
 "description": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "short_description": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 },
@@ -29,7 +81,13 @@
 "properties": {
 "arguments": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 },
@@ -40,7 +98,13 @@
 },
 "connector_guid": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "external_ip": {
 "type": "ip"
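Review bot: `ignore_above: 1024` on the parent `keyword` does not carry over to the new `security` text multi-field, so a value the keyword path drops as too long is still passed to `es_security_analyzer`, and because its tokenizer is `keyword` the whole value becomes one term; a very long value (user agents, URLs, command lines) can then exceed Lucene's per-term size limit and reject the entire document instead of being skipped. Add a cap inside the analyzer so the subfield follows its parent, e.g. `"filter": ["lowercase", "trim", "es_security_truncate"]` with `"es_security_truncate": {"type": "truncate", "length": 1024}` under `filter`. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in this hunk but nothing references them — if a second analyzer is meant to use them it is missing, otherwise they are dead settings. The same `settings.analysis` block appears to be copied verbatim into each component template touched by this commit; since an index template composes these components, one shared component holding the analyzer would keep the copies from drifting.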
@@ -52,31 +116,67 @@ }, "connector_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "detection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "detection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error": { "properties": { "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "event_type_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file": { "properties": { @@ -84,21 +184,45 @@ "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -108,34 +232,70 @@ "properties": { "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attacked_module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "base_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicators": { "type": "flattened" }, "suspicious_files": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "parent": { "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -143,27 +303,57 @@ }, "group_guids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_tactics": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_techniques": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "network_info": { "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nfm": { "properties": { "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -171,13 +361,25 @@ "properties": { "disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identify": { "properties": { "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -185,11 +387,23 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -201,11 +415,23 @@ "properties": { "cve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -216,7 +442,13 @@ }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "malicious_detections": { "type": "long" @@ -245,34 +477,76 @@ }, "incident_hunt_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_remediation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_report_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_start_time": { "type": "date" }, "incident_summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incident_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tactics": { "type": "flattened" 
@@ -299,57 +573,135 @@ "properties": { "avg_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "configured_avg_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "configured_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cumulative_count": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "current_rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "object": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "command_line_arguments": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dap_records": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"destination_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_code": { "type": "short" @@ -359,7 +711,13 @@ }, "mapped_destination_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mapped_destination_ip": { "type": "ip" @@ -369,7 +727,13 @@ }, "mapped_source_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mapped_source_ip": { "type": "ip" 
@@ -379,65 +743,149 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "privilege": { "properties": { "new": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "termination_initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "termination_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threat_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "threat_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tunnel_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "webvpn": { "properties": { "group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -447,23 +895,53 @@ "properties": { "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dap_records": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_code": { "type": "short" @@ -473,7 +951,13 @@ }, "mapped_destination_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mapped_destination_ip": { "type": "ip" 
@@ -483,7 +967,13 @@
 },
 "mapped_source_host": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "mapped_source_ip": {
 "type": "ip"
@@ -493,48 +983,108 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "security": { "type": "object" }, "source_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "termination_initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "termination_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threat_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threat_level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "webvpn": { "properties": { "group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -544,11 +1094,23 @@ "properties": { "access_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "facility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -556,59 +1118,143 @@ "properties": { "amp_disposition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "amp_malware_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "amp_score": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "av_detections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "blocked_categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "categories": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "datacenter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identities": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "origin_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"policy_identity_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "puas": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha_sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/client.json b/salt/elasticsearch/templates/component/ecs/client.json index 7f5a2169e..72f80f6ae 100644 --- a/salt/elasticsearch/templates/component/ecs/client.json +++ b/salt/elasticsearch/templates/component/ecs/client.json @@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "client": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "as": { "properties": { @@ -21,8 +67,9 @@ "properties": { "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
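Review bot: `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in the new `settings.analysis` block but nothing in it uses them: `es_security_analyzer` references only `whitespace_no_way`, `lowercase`, `trim` and the built-in `keyword` tokenizer, and no field in client.json points at them, so unless another template in this series relies on them they are dead settings carried into every index built from the component. The same block is pasted verbatim into cloud.json, container.json, cyberark.json, data_stream.json, destination.json and dll.json in this patch; since component templates compose, one shared analysis component listed first in `composed_of` would keep a single definition, whereas with copies an edit to one file leaves the others on a different analyzer with no error to show for it. Cosmetic: `whitespace_no_way` does not say what it does (it collapses a run of whitespace to its last character, `(\\s)+` → `$1`, before `trim` runs); a name such as `collapse_whitespace` would.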
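Review bot: The `text` multi-field (`match_only_text`) on `client.as.organization.name` is replaced by `security` rather than kept beside it, so `client.as.organization.name.text` disappears from the mapping; ECS 1.12 defines that multi-field, and any saved search, visualization or detection rule that queries it stops matching without raising a mapping error. Keeping both is a small change: leave `"text": { "type": "match_only_text" }` in `fields` and add the `security` entry after it. The same replacement is made for `client.user.full_name` and `client.user.name` (hunks `@@ -111,30 +230,61 @@` and `@@ -144,30 +294,61 @@` of client.json) and for the three `destination.*` counterparts in destination.json. The `name` object starts and ends outside the hunk.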
@@ -37,52 +84,118 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } } } }, @@ -91,7 +204,13 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat": { "properties": { @@ -111,30 +230,61 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -144,30 +294,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -175,7 +356,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -184,4 +371,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/cloud.json b/salt/elasticsearch/templates/component/ecs/cloud.json index f41ab4a8f..cebdadfed 100644 --- a/salt/elasticsearch/templates/component/ecs/cloud.json +++ b/salt/elasticsearch/templates/component/ecs/cloud.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "cloud": { @@ -12,27 +52,57 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "availability_zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "instance": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -40,7 +110,13 @@ "properties": { "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -48,27 +124,57 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -77,4 +183,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/container.json b/salt/elasticsearch/templates/component/ecs/container.json index bd5ce8113..2541c11ad 100644 --- a/salt/elasticsearch/templates/component/ecs/container.json +++ b/salt/elasticsearch/templates/component/ecs/container.json 
@@ -4,23 +4,81 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "container": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "image": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -29,15 +87,27 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "runtime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/cyberark.json b/salt/elasticsearch/templates/component/ecs/cyberark.json index 20e90f6ea..a1a109fcf 100644 --- a/salt/elasticsearch/templates/component/ecs/cyberark.json +++ b/salt/elasticsearch/templates/component/ecs/cyberark.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "cyberarkpas": { 
@@ -12,241 +52,565 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ca_properties": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpm_disabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpm_error_details": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpm_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "customer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "database": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "device_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dual_account_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" 
+ } + } }, "in_process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_fail_date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_success_change": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_success_reconciliation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_success_verification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_task": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logon_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "other": { "type": "flattened" }, "policy_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "port": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "privcloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "reset_immediately": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "retries_count": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sequence_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_dn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extra_details": { "properties": { "ad_process_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ad_process_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_type": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_component_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logon_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "managed_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "other": { "type": "flattened" }, "process_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "process_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "psmid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_duration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_id": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "file": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gateway_station": { "type": "ip" }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "iso_timestamp": { "type": "date" }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "doc_values": false, "ignore_above": 4096, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pvwa_details": { "type": "flattened" 
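Review bot: `location` under `cyberarkpas` is mapped with `"index": false`, `"doc_values": false` and an `ignore_above` of 4096, i.e. it was deliberately stored without being searchable, but the new `security` multi-field is an indexed `text` field, so the value is now analyzed and indexed anyway — and with no length cap, since `ignore_above` does not apply to `text`. If the field was excluded for size or sensitivity reasons the multi-field should be dropped here, leaving `"location": { "doc_values": false, "ignore_above": 4096, "index": false, "type": "keyword" }`. The field at the start of the next hunk (`@@ -255,45 +619,99 @@`, its name is outside that hunk) carries the same `index: false` / 4096 settings and has the same issue. The enclosing `properties` object starts outside this hunk.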
@@ -255,45 +619,99 @@ "doc_values": false, "ignore_above": 4096, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reason": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rfc5424": { "type": "boolean" }, "safe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "station": { "type": "ip" }, "target_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/data_stream.json b/salt/elasticsearch/templates/component/ecs/data_stream.json index dfbfe3f51..3ee5c9e13 100644 --- a/salt/elasticsearch/templates/component/ecs/data_stream.json +++ b/salt/elasticsearch/templates/component/ecs/data_stream.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "data_stream": { @@ -22,4 +62,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/destination.json b/salt/elasticsearch/templates/component/ecs/destination.json index 4fac31200..151ccc2cb 100644 --- a/salt/elasticsearch/templates/component/ecs/destination.json +++ b/salt/elasticsearch/templates/component/ecs/destination.json 
@@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "destination": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "as": { "properties": { @@ -21,8 +67,9 @@ "properties": { "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -37,52 +84,118 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } } } }, @@ -91,7 +204,13 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat": { "properties": { @@ -111,30 +230,61 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -144,30 +294,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -175,7 +356,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -184,4 +371,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/dll.json b/salt/elasticsearch/templates/component/ecs/dll.json index 84667a6b9..f4db40815 100644 --- a/salt/elasticsearch/templates/component/ecs/dll.json +++ b/salt/elasticsearch/templates/component/ecs/dll.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "dll": { @@ -12,26 +52,56 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" 
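Review bot: The analysis block defines `path_hierarchy_pattern_filter` and `path_tokenizer`, but the only analyzer here, `es_security_analyzer`, references neither, so they are dead settings that this commit copies verbatim into every component template it touches (dns, ecs, elasticsearch, error, event, file, fortinet and the rest). The char filter's name `whitespace_no_way` reads as "remove whitespace", yet `"pattern": "(\\s)+"` with `"replacement": "$1"` collapses each whitespace run to a single character (the last one captured) rather than deleting it; either rename it (e.g. `whitespace_collapse`) or use `"replacement": ""` if removal is what the `.security` sub-fields are meant to match on. Because component templates are merged into the index template at index creation, consider moving this `settings.analysis` block into one shared component so the eight copies cannot drift, and since JSON cannot carry comments, record the analyzer's intent (case-insensitive, whitespace-normalised exact matching) in the object that holds `ecs_version` (presumably `_meta`).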
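Review bot: Every new `security` sub-field is a `text` field, and `"ignore_above": 1024` on the parent keyword does not carry over to multi-fields, so values the parent deliberately leaves unindexed are now analyzed and indexed in full; with the `keyword` tokenizer the whole value becomes a single term, and a term above Lucene's 32766-byte limit rejects the entire document at index time, which in a SIEM pipeline means a dropped event rather than a truncated field. The same applies to every `.security` sub-field in this commit (the `event.original` case in event.json is the most exposed and is raised there), and the `dll` object these fields live in begins and ends outside the hunk. Since the analyzer only lowercases and normalises whitespace, a `keyword` sub-field with a normalizer gives the same case-insensitive exact matching while keeping `ignore_above` and doc values and removing the oversized-term failure mode; it also avoids re-indexing already-canonical lowercase hex digests such as the `hash.*` fields in the next hunk as analyzed text. The sketch below shows the normalizer added to the settings hunk above and one field switched to it.
```json
"settings": {
  "analysis": {
    "normalizer": {
      "es_security_normalizer": {
        "type": "custom",
        "char_filter": ["whitespace_no_way"],
        "filter": ["lowercase", "trim"]
      }
    }
    // … unchanged: analyzer, char_filter, filter, tokenizer definitions …
  }
},
// … unchanged: mappings; each keyword gains the sub-field below instead of the text one …
"digest_algorithm": {
  "ignore_above": 1024,
  "type": "keyword",
  "fields": {
    "security": {
      "type": "keyword",
      "normalizer": "es_security_normalizer",
      "ignore_above": 1024
    }
  }
}
```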
@@ -48,63 +118,147 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pe": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -113,4 +267,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/dns.json b/salt/elasticsearch/templates/component/ecs/dns.json index 321a061f5..d3963d2dd 100644 --- a/salt/elasticsearch/templates/component/ecs/dns.json +++ b/salt/elasticsearch/templates/component/ecs/dns.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "dns": { 
@@ -12,63 +52,141 @@ "properties": { "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ttl": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "object" }, "header_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "op_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "question": { "properties": { "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + 
} }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -77,15 +195,27 @@ }, "response_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/ecs.json b/salt/elasticsearch/templates/component/ecs/ecs.json index 9abfcf61c..d7a5683b2 100644 --- a/salt/elasticsearch/templates/component/ecs/ecs.json +++ b/salt/elasticsearch/templates/component/ecs/ecs.json 
@@ -4,17 +4,63 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "ecs": { "properties": { "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/elasticsearch.json b/salt/elasticsearch/templates/component/ecs/elasticsearch.json index f409ed95a..a56e6090a 100644 --- a/salt/elasticsearch/templates/component/ecs/elasticsearch.json +++ b/salt/elasticsearch/templates/component/ecs/elasticsearch.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "@timestamp": { @@ -17,9 +57,15 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/error.json b/salt/elasticsearch/templates/component/ecs/error.json index c33f580ab..12a3c8587 100644 --- a/salt/elasticsearch/templates/component/ecs/error.json +++ b/salt/elasticsearch/templates/component/ecs/error.json 
@@ -4,23 +4,79 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "error": { "properties": { "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "type": "match_only_text" }, "stack_trace": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -29,11 +85,17 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/event.json b/salt/elasticsearch/templates/component/ecs/event.json index 0d43760a2..b6932c390 100644 --- a/salt/elasticsearch/templates/component/ecs/event.json +++ b/salt/elasticsearch/templates/component/ecs/event.json 
@@ -4,32 +4,102 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "event": { "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "agent_id_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "created": { "type": "date" }, "dataset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "type": "long" 
@@ -39,43 +109,97 @@ }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ingested": { "type": "date" }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original": { "doc_values": false, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "outcome": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "risk_score": { "type": "float" 
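Review bot: `event.original` is mapped `"index": false, "doc_values": false` on purpose — presumably because it carries the raw, unparsed event and is meant to stay out of the inverted index — but the added `security` sub-field is an indexed `text` field, so the raw event body is now analyzed and indexed after all, and because the analyzer uses the `keyword` tokenizer the entire payload becomes one term; a raw log larger than Lucene's 32766-byte term limit will cause the whole document to fail indexing, so an unusually large event is lost rather than stored, which is a detection gap. This field should keep only its original `"type": "keyword"` and receive no `fields` block, mirroring the parent's `index: false` intent. The broader concern that `ignore_above` on the parent does not bound the `.security` sub-field applies to every field in this commit and is raised once on the first dll.json mapping hunk; the enclosing `event` properties object begins and ends outside this hunk.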
@@ -94,19 +218,37 @@ }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/file.json b/salt/elasticsearch/templates/component/ecs/file.json index 6242cc324..a328d8a08 100644 --- a/salt/elasticsearch/templates/component/ecs/file.json +++ b/salt/elasticsearch/templates/component/ecs/file.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "file": { 
@@ -13,32 +53,68 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" 
@@ -59,29 +135,65 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_date": { "type": "date" 
@@ -93,34 +205,76 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -137,22 +291,46 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_address": { "type": "long" 
@@ -167,92 +345,201 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -262,31 +549,73 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -295,8 +624,9 @@ }, "target_path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -304,47 +634,107 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -356,11 +746,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -372,47 +774,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -421,4 +883,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/fortinet.json b/salt/elasticsearch/templates/component/ecs/fortinet.json
index 1f9b7496d..6762102c0 100644
--- a/salt/elasticsearch/templates/component/ecs/fortinet.json
+++ b/salt/elasticsearch/templates/component/ecs/fortinet.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+"settings": {
+"analysis": {
+"analyzer": {
+"es_security_analyzer": {
+"type": "custom",
+"char_filter": [
+"whitespace_no_way"
+],
+"filter": [
+"lowercase",
+"trim"
+],
+"tokenizer": "keyword"
+}
+},
+"char_filter": {
+"whitespace_no_way": {
+"type": "pattern_replace",
+"pattern": "(\\s)+",
+"replacement": "$1"
+}
+},
+"filter": {
+"path_hierarchy_pattern_filter": {
+"type": "pattern_capture",
+"preserve_original": true,
+"patterns": [
+"((?:[^\\\\]*\\\\)*)(.*)",
+"((?:[^/]*/)*)(.*)"
+]
+}
+},
+"tokenizer": {
+"path_tokenizer": {
+"type": "path_hierarchy",
+"delimiter": "\\"
+}
+}
+}
+},
 "mappings": {
 "properties": {
 "fortinet": {
@@ -14,7 +54,13 @@
 "properties": {
 "crc32": {
 "ignore_above": 1024,
-"type": "keyword"
+"type": "keyword",
+"fields": {
+"security": {
+"type": "text",
+"analyzer": "es_security_analyzer"
+}
+}
 }
 }
 }
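Review bot: The new `.security` text subfield carries no length bound while its parent keyword keeps `"ignore_above": 1024`, and because `es_security_analyzer` uses `"tokenizer": "keyword"` the entire value becomes a single term; if I recall Lucene's immense-term limit (32766 bytes) correctly, one oversized value (a long `cookies` or `attackcontext` string, say) would fail indexing of the whole event rather than being skipped like the parent field, which is a quiet way to lose log events. Keeping the two fields in step is a two-line change: `"filter": ["lowercase", "trim", "es_security_truncate"]` in the analyzer plus `"es_security_truncate": { "type": "truncate", "length": 1024 }` under the `"filter"` section. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in this block but nothing in `es_security_analyzer` references them, so they are dead settings unless a second analyzer is meant to use them; either wire them up or drop them. Per the diffstat this same `analysis` block appears to be copied into every component template; if those components compose into one index template, a later drift in any one copy would silently override the others by composition order, so a single shared settings component would be safer. Also note that Java's `\s` matches ASCII whitespace only, so `whitespace_no_way` will not collapse NBSP or other Unicode spaces — consider `(?U)` or `\p{Z}` if normalised matching is the goal.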
@@ -24,103 +70,235 @@ "properties": { "acct_stat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "acktime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "act": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "activity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "addr": { "type": "ip" }, "addr_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "addrgrp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "adgroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "admin": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "age": { "type": "long" }, "agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "alarmid": { "type": "long" }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + 
} + } }, "analyticscksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "analyticssubmit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "appact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "appid": { "type": "long" }, "applist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "apprisk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "apscan": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "apsn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "apstatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "aptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "assigned": { "type": "ip" 
@@ -130,19 +308,43 @@ }, "attachment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attack": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attackcontext": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attackcontextid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attackid": { "type": "long" 
@@ -152,107 +354,245 @@ }, "auditscore": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "audittime": { "type": "long" }, "authgrp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authserver": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bandwidth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "banned_rule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "banned_src": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "banword": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "botnetdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "botnetip": { "type": "ip" }, "bssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "carrier_ep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cat": { "type": "long" }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cdrcontent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "centralnatid": { "type": "long" }, "cert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cert-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "certhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cfgattr": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cfgobj": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cfgpath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cfgtid": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cfgtxpower": { "type": "long" 
@@ -262,73 +602,169 @@ }, "channeltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "chassisid": { "type": "long" }, "checksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "chgheaders": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cldobjid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_addr": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cloudaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "clouduser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "column": { "type": "long" }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "configcountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "conserve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "constraint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "contentdisarmed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "contenttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cookies": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "count": { "type": "long" 
@@ -380,76 +816,172 @@ }, "crl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "crlevel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "crscore": { "type": "long" }, "cveid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "daemon": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "datarange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ddnsserver": { "type": "ip" }, "desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "detectionmethod": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "devcategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "devintfname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "devtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dhcp_msg": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dintf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "disk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "disklograte": { "type": "long" }, "dlpextra": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "docsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainctrlauthstate": { "type": "long" 
@@ -459,144 +991,324 @@ }, "domainctrldomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainctrlip": { "type": "ip" }, "domainctrlname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainctrlprotocoltype": { "type": "long" }, "domainctrlusername": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainfilteridx": { "type": "long" }, "domainfilterlist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ds": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_int": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstcountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstdevcategory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstdevtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstfamily": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dsthwvendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dsthwversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstinetsvc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstintfrole": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstosname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstosversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstserver": { "type": "long" }, "dstssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstswversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstunauthusersource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstuuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "eapolcnt": { "type": "long" }, "eapoltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + 
"fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "encrypt": { "type": "long" }, "encryption": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "epoch": { "type": "long" }, "espauth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "esptransform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "eventtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exch": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exchange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "expectedsignature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "expiry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fams_pause": { "type": "long" 
@@ -606,79 +1318,175 @@ }, "fctemssn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fctuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filefilter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filehashsrc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filtercat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filteridx": { "type": "long" }, "filtername": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filtertype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fortiguardresp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "forwardedfor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fqdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "frametype": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "freediskstorage": { "type": "long" }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "from_vcluster": { "type": "long" }, "fsaverdict": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fwserver_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gateway": { "type": "ip" }, "green": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "groupid": { "type": "long" 
@@ -688,53 +1496,119 @@ }, "ha_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ha_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "handshake": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hbdn_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "highcount": { "type": "long" }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "iaid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmpcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmpid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identifier": { "type": "long" }, "in_spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"incidentserialno": { "type": "long" @@ -747,42 +1621,96 @@ }, "informationsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "init": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "initiator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "intf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "invalidmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip": { "type": "ip" }, "iptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "keyword": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "lanin": { "type": "long" 
@@ -795,14 +1723,26 @@ }, "license_limit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "limit": { "type": "long" }, "line": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "live": { "type": "long" @@ -812,37 +1752,79 @@ }, "log": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "login": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "lowcount": { "type": "long" }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "malform_data": { "type": "long" }, "malform_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "manuf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "masterdstmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mastersrcmac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mediumcount": { "type": "long" 
@@ -852,65 +1834,149 @@ }, "meshmode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mgmtcnt": { "type": "long" }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "monitor-name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "monitor-type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mpsk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "msgproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mtu": { "type": "long" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "netid": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "new_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "newchannel": { "type": "long" @@ -926,18 +1992,36 @@ }, "nf_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "noise": { "type": "long" }, "old_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldchannel": { "type": "long" 
@@ -950,76 +2034,172 @@ }, "oldsn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldwprof": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "onwire": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "opercountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "opertxpower": { "type": "long" }, "osname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "osversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "out_spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "outintf": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "passedcount": { "type": "long" }, "passwd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer_notif": 
{ "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "phase2_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "phone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pid": { "type": "long" }, "policytype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "poolname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "port": { "type": "long" 
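Review bot: `passwd` in this hunk (and `rsso_key` in the `@@ -1093,80` hunk further down) receives the same lowercased `.security` full-text copy as every other keyword field, which widens how a value in those fields can be matched by free-text queries. Whether that matters depends on what Fortinet actually emits in them, which this patch does not show; if they can carry credential material, keeping them as plain `keyword` (no `fields` block) or redacting them upstream in the ingest pipeline keeps the index no more searchable for that value than it was before this change. If the blanket treatment is intentional, a short entry in the template's `_meta` noting which fields were deliberately left out, or that none were, would make the decision auditable.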
@@ -1032,55 +2212,115 @@ }, "probeproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "processtime": { "type": "long" }, "profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "profile_vd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "profilegroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "profiletype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "qtypeval": { "type": "long" }, "quarskip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "quotaexceeded": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "quotamax": { "type": "long" }, "quotatype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "quotaused": { "type": "long" }, "radioband": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "radioid": { "type": "long" 
@@ -1093,80 +2333,182 @@ }, "rate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rawdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rawdataid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rcvddelta": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "received": { "type": "long" }, "receivedsignature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "red": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referralurl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "remote": { "type": "ip" }, "remotewtptime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reporttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reqtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"request_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rssi": { "type": "long" }, "rsso_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ruledata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ruletype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scanned": { "type": "long" 
@@ -1176,43 +2518,103 @@ }, "scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "security": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sensitivity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sensor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sentdelta": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "seq": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "serialno": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sessionid": { "type": "long" 
@@ -1222,7 +2624,13 @@
 },
 "severity": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "shaperdroprcvdbyte": {
 "type": "long"
@@ -1235,15 +2643,33 @@
 },
 "shaperperipname": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "shaperrcvdname": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "shapersentname": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "shapingpolicyid": {
 "type": "long"
@@ -1259,164 +2685,392 @@ }, "sn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "snclosest": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sndetected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "snmeshparent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "spi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_int": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srccountry": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcfamily": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srchwvendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srchwversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcinetsvc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcintfrole": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcserver": { "type": "long" }, "srcssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcswversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srcuuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sscname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sslaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssllocal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sslremote": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "stacount": { "type": "long" }, "stage": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "stamac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "stitch": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "submodule": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subservice": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suspicious": { "type": "long" }, "switchproto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sync_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sync_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sysuptime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "tamac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threattype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "time": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "to_vcluster": { "type": "long" @@ -1429,22 +3083,46 @@ }, "trace_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trandisp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transid": { "type": "long" }, "translationid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trigger": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trueclntip": { "type": "ip" 
@@ -1457,19 +3135,43 @@ }, "tunneltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ui": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "unauthusersource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "unit": { "type": "long" @@ -1479,15 +3181,33 @@ }, "urlfilterlist": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "urlsource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "urltype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "used": { "type": "long" 
@@ -1497,19 +3217,43 @@ }, "utmaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "utmref": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vapmode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vcluster": { "type": "long" 
@@ -1519,75 +3263,165 @@ }, "vcluster_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vdname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendorurl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virusid": { "type": "long" }, "voip_proto": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpntunnel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpntype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vrf": { "type": "long" }, "vulncat": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vulnid": { "type": "long" }, "vulnname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vwlid": { "type": "long" }, "vwlquality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vwlservice": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vwpvlanid": { "type": "long" @@ -1597,22 +3431,46 @@ }, "wanoptapptype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "wanout": { "type": "long" }, "weakwepiv": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "xauthgroup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "xauthuser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "xid": { "type": "long" diff --git a/salt/elasticsearch/templates/component/ecs/gcp.json b/salt/elasticsearch/templates/component/ecs/gcp.json index 5ac9dcbe4..444ab6f91 100644 --- a/salt/elasticsearch/templates/component/ecs/gcp.json +++ b/salt/elasticsearch/templates/component/ecs/gcp.json 
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "gcp": {
@@ -14,17 +54,35 @@
 "properties": {
 "authority_selector": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "principal_email": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 },
 "method_name": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "num_response_items": {
 "type": "long"
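Review bot: `es_security_analyzer` combines the `keyword` tokenizer with a `text` sub-field, so each `.security` value is indexed as a single token with no length bound — the parent's `ignore_above: 1024` does not apply to sub-fields, and one term over Lucene's 32766-byte limit causes the whole document to be rejected rather than the field being skipped. For sources that carry free-form payloads this is a data-loss risk worth capping by appending a `length` filter with `max`, or a `truncate` filter, to the analyzer's `filter` list; the same applies to every `.security` sub-field in the fortinet.json hunks above and the gcp.json hunks below. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined here but no analyzer in this hunk references them, so they should either be wired into an analyzer or removed to keep the settings block minimal. If, as the diffstat suggests, this identical `settings.analysis` block is repeated in each component template, a single shared component template for analysis settings would keep the definitions from drifting apart.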
@@ -33,19 +91,43 @@ "properties": { "filter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "proto_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -56,7 +138,13 @@ }, "caller_supplied_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -64,13 +152,25 @@ "properties": { "current_locations": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "resource_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "response": { "properties": { 
@@ -78,35 +178,77 @@ "properties": { "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "proto_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "service_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "properties": { @@ -115,13 +257,25 @@ }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -131,15 +285,33 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -147,15 +319,33 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subnetwork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpc_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -167,42 +357,96 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_range": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "priority": { "type": "long" }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_range": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_service_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_service_account": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -214,15 +458,33 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -230,15 +492,33 @@ "properties": { "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subnetwork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vpc_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -248,7 +528,13 @@ "properties": { "reporter": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rtt": { "properties": { diff --git a/salt/elasticsearch/templates/component/ecs/google_workspace.json b/salt/elasticsearch/templates/component/ecs/google_workspace.json index 526bd9bb5..abb0e3591 100644 --- a/salt/elasticsearch/templates/component/ecs/google_workspace.json +++ b/salt/elasticsearch/templates/component/ecs/google_workspace.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "google_workspace": { @@ -12,11 +52,23 @@ "properties": { "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -26,7 +78,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -36,13 +94,25 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "scopes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
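Review bot: The `es_security_analyzer` defined in this settings block tokenizes with `keyword` and has no length bound, so every `.security` multi-field this patch adds (all hunks of this and the following files) indexes the whole value as a single term even when the parent keyword already dropped it via `ignore_above: 1024`; a value past Lucene's per-term limit (32766 bytes) can then cause the entire document to be rejected, which in an event store means a silently lost log record. Consider bounding the term inside the analyzer, e.g. add `"security_truncate": { "type": "truncate", "length": 1024 }` under `analysis.filter` and list `"security_truncate"` in the analyzer's `filter` array. The same `settings.analysis` block is copied verbatim into group.json and host.json below (and presumably the other component templates in this patch); identical copies are harmless when composed, but they will drift, so a single shared component template for the analysis settings would be safer than per-file duplication. `path_hierarchy_pattern_filter` and `path_tokenizer` are defined here but referenced by no analyzer in this file, so unless another template in the composed index relies on them they are dead configuration.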
@@ -50,35 +120,83 @@ "properties": { "asp_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "edition": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "enabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "licences_order_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "licences_purchased": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "package_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -96,11 +214,23 @@ "properties": { "allowed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "enabled": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -108,7 +238,13 @@ "properties": { "session_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -116,19 +252,43 @@ "properties": { "command_details": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -138,11 +298,23 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -152,15 +324,33 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "secondary_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -173,7 +363,13 @@ }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "recipient": { "properties": { @@ -182,7 +378,13 @@ }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -193,7 +395,13 @@ }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -204,7 +412,13 @@ }, "quarantine_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -215,11 +429,23 @@ }, "package_content": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -227,25 +453,55 @@ "properties": { "dest_email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "level": { "properties": { "chat": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "draft": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incoming": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "outgoing": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -253,13 +509,25 @@ }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gateway": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -267,35 +535,77 @@ "properties": { "allowed_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "priorities": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "info_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "managed_configuration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mdm": { "properties": { "token": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -305,11 +615,23 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -317,7 +639,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -328,11 +656,23 @@ }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "non_featured_services_selection": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oauth2": { "properties": { @@ -340,15 +680,33 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -356,7 +714,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -364,17 +728,35 @@ }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "org_unit": { "properties": { "full": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -382,7 +764,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -390,7 +778,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -398,7 +792,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -406,11 +806,23 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sku": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -418,7 +830,13 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -426,7 +844,13 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -434,11 +858,23 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -446,7 +882,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -454,7 +896,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -462,11 +910,23 @@ "properties": { "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -474,7 +934,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -485,11 +951,23 @@ }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nickname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -497,13 +975,25 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "verification_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -511,30 +1001,60 @@ "properties": { "added_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "billable": { "type": "boolean" }, "destination_folder_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_folder_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "owner": { "properties": { "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_shared_drive": { "type": "boolean" 
@@ -543,72 +1063,168 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "membership_change_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old_visibility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "originating_app_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "primary_event": { "type": "boolean" }, "removed_role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "shared_drive_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "shared_drive_settings_change_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sheets_import_range_recipient_doc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_folder_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_folder_title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "visibility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "visibility_change": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -616,7 +1232,13 @@ "properties": { "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -624,21 +1246,45 @@ "properties": { "acl_permission": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "member": { "properties": { "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -646,53 +1292,119 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "moderation_action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "new_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "old_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "setting": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "kind": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "login": { "properties": { "affected_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "challenge_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "failure_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"is_second_factor": { "type": "boolean" @@ -702,7 +1414,13 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -710,7 +1428,13 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -718,27 +1442,63 @@ "properties": { "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "failure_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "initiated_by": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "orgunit_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "second_level_status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/group.json b/salt/elasticsearch/templates/component/ecs/group.json index ed40b4d9f..a28670064 100644 --- a/salt/elasticsearch/templates/component/ecs/group.json +++ b/salt/elasticsearch/templates/component/ecs/group.json 
@@ -4,25 +4,83 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "group": {
 "properties": {
 "domain": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "id": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "name": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 }
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/salt/elasticsearch/templates/component/ecs/host.json b/salt/elasticsearch/templates/component/ecs/host.json
index cf69aad56..d2f8dc301 100644
--- a/salt/elasticsearch/templates/component/ecs/host.json
+++ b/salt/elasticsearch/templates/component/ecs/host.json
@@ -4,13 +4,59 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "host": {
 "properties": {
 "architecture": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "cpu": {
 "properties": {
@@ -40,73 +86,163 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } } } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip": { "type": "ip" }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "network": { "properties": { @@ -136,12 +272,19 @@ "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -149,12 +292,19 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -162,21 +312,45 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uptime": { "type": "long" @@ -185,16 +359,29 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -204,30 +391,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -235,7 +453,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -244,4 +468,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/http.json b/salt/elasticsearch/templates/component/ecs/http.json index d6164a191..a5c0c4e70 100644 --- a/salt/elasticsearch/templates/component/ecs/http.json +++ b/salt/elasticsearch/templates/component/ecs/http.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "http": { @@ -17,6 +57,10 @@ }, "content": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -30,19 +74,43 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referrer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -55,6 +123,10 @@ }, "content": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } 
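Review bot: The `es_security_analyzer` defined in the `@@ -4,6 +4,46 @@` hunk has no bound on token size, while every parent field in this file keeps `ignore_above: 1024`, so a value longer than 1024 characters is skipped on the keyword but still indexed in full as a single term on `.security` (the `keyword` tokenizer emits the whole value as one token). Beyond the asymmetry, Lucene rejects the entire document when a single indexed term exceeds 32766 bytes, so an oversized request body or referrer would fail indexing outright instead of being partially indexed. A `length` filter in the chain mirrors `ignore_above`: `"filter": ["lowercase", "trim", "security_length"]` with `"security_length": { "type": "length", "max": 1024 }` added under `filter`. `path_hierarchy_pattern_filter` and `path_tokenizer` are declared but no analyzer in this block references them; unless another component template composes an analyzer from them, they are dead configuration, and the whole `settings.analysis` block is copy-pasted identically into juniper.json, kibana.json, log.json, logstash.json and microsoft.json in this same commit, where a single shared analysis component template would avoid the copies drifting apart.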
@@ -68,7 +140,13 @@ }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status_code": { "type": "long" @@ -77,11 +155,17 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/juniper.json b/salt/elasticsearch/templates/component/ecs/juniper.json index 33a5f61d6..50a2dd287 100644 --- a/salt/elasticsearch/templates/component/ecs/juniper.json +++ b/salt/elasticsearch/templates/component/ecs/juniper.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "juniper": { 
@@ -12,47 +52,113 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "action_detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "apbr_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_characteristics": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_sub_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attack_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } 
+ } }, "client_ip": { "type": "ip" 
@@ -62,85 +168,181 @@ }, "connection_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_hit_rate": { "type": "long" }, "context_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_value_hit_rate": { "type": "long" }, "ddos_application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dscp_value": { "type": "long" }, "dst_nat_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_nat_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_vrf_grp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "elapsed_time": { "type": "date" }, "encrypted": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "epoch_time": { "type": "date" }, "error_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } 
}, "export_id": { "type": "long" }, "feed_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_hash_lookup": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_type": { "type": "long" 
@@ -153,39 +355,93 @@ }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logical_system_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "malware_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_connection_tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nested_application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "obj": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "occur_count": { "type": "long" @@ -207,7 +463,13 @@ }, "peer_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer_source_address": { "type": "ip" 
@@ -217,118 +479,286 @@ }, "policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "process": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "profile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "profile_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "repeat_count": { "type": "long" }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "routing_instance": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"ruleebase_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sample_sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "secure_web_proxy_session_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_id_32": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_nat_rule_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_nat_rule_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_vrf_grp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_category": { "ignore_above": 
1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "temporary_filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tenant_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "th": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threat_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "time_count": { "type": "long" @@ -338,14 +768,26 @@ }, "time_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uplink_rx_bytes": { "type": "long" 
@@ -355,18 +797,36 @@ }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "verdict_number": { "type": "long" }, "verdict_source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/kibana.json b/salt/elasticsearch/templates/component/ecs/kibana.json index d1ea67de7..6e13a835a 100644 --- a/salt/elasticsearch/templates/component/ecs/kibana.json +++ b/salt/elasticsearch/templates/component/ecs/kibana.json 
@@ -4,29 +4,99 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "kibana": { "properties": { "add_to_spaces": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_realm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "delete_from_spaces": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log": { "properties": { 
@@ -35,37 +105,79 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "lookup_realm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "saved_object": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "space_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/log.json b/salt/elasticsearch/templates/component/ecs/log.json index e79661b5e..c98030aad 100644 --- a/salt/elasticsearch/templates/component/ecs/log.json +++ b/salt/elasticsearch/templates/component/ecs/log.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "log": { @@ -12,17 +52,35 @@ "properties": { "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logger": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "origin": { "properties": { @@ -33,20 +91,38 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "function": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "original": { "doc_values": false, "index": false, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "syslog": { "properties": { 
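Review bot: `log.original` is mapped with `"index": false` and `"doc_values": false` precisely so the raw event text is stored but never indexed, yet the `@@ -33,20 +91,38 @@` hunk adds an indexed `security` text sub-field to it, which re-indexes every raw message as one lowercased term because multi-fields are indexed independently of the parent. That silently undoes the deliberate opt-out, grows the index substantially, and since raw lines carry no `ignore_above` cap, a single event over 32766 bytes would be rejected by Lucene as an immense term rather than stored at all. Unless case-insensitive search over the raw line is an explicit goal, I would leave the field as it was: `"original": { "doc_values": false, "index": false, "type": "keyword" }`. The enclosing `log` object continues beyond this hunk.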
@@ -57,7 +133,13 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -71,7 +153,13 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -83,4 +171,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/logstash.json b/salt/elasticsearch/templates/component/ecs/logstash.json index ecfb17551..9b463f3ae 100644 --- a/salt/elasticsearch/templates/component/ecs/logstash.json +++ b/salt/elasticsearch/templates/component/ecs/logstash.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "logstash": { 
@@ -14,24 +54,42 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "object" }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pipeline_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "thread": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -43,9 +101,9 @@ "properties": { "event": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -53,17 +111,29 @@ }, "module": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "plugin_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "plugin_params": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -74,13 +144,19 @@ }, "plugin_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "thread": { "fields": { - "text": { - "norms": false, - "type": "text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
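Review bot: The `@@ -43,9 +101,9 @@` hunk (and the `thread` and `plugin_params` hunks around it) drops the `"norms": false` that the old `text` sub-field carried when it swaps it for `security`, so the new sub-field now stores a length norm per document for a field whose analyzer always yields exactly one token, where length normalization cannot change ranking. Carrying the setting over keeps the original's index footprint and intent: `"security": { "type": "text", "analyzer": "es_security_analyzer", "norms": false }`. As in the other templates, replacing rather than adding means `logstash.slowlog.event.text`, `logstash.log.thread.text` and the other `.text` multi-fields vanish, which may break existing queries against them; if that is intended it should be called out in the commit message. The enclosing `logstash.slowlog` object continues outside these hunks.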
diff --git a/salt/elasticsearch/templates/component/ecs/microsoft.json b/salt/elasticsearch/templates/component/ecs/microsoft.json index 512b99c79..bb9f04a5c 100644 --- a/salt/elasticsearch/templates/component/ecs/microsoft.json +++ b/salt/elasticsearch/templates/component/ecs/microsoft.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "microsoft": { 
@@ -12,72 +52,156 @@ "properties": { "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "evidence": { "properties": { "aadUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "accountName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ipAddress": { "type": "ip" }, "userPrincipalName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "investigationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": 
"text", + "analyzer": "es_security_analyzer" + } + } }, "lastUpdateTime": { "type": "date" }, "rbacGroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resolvedTime": { "type": "date" }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threatFamilyName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -87,26 +211,56 @@ "properties": { "actorName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creationTime": { "type": "date" }, "detectionSource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "devices": { "type": "flattened" 
@@ -115,145 +269,343 @@ "properties": { "accountName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "clusterBy": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deliveryAction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "deviceId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ipAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mailboxAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mailboxDisplayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "recipient": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registryHive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registryKey": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"registryValueType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "securityGroupId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "securityGroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sender": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "investigationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "lastUpdatedTime": { "type": "date" }, "mitreTechniques": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resolvedTime": { "type": "date" }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "threatFamilyName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "userSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "assignedTo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "determination": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "incidentName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "investigationState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "redirectIncidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
diff --git a/salt/elasticsearch/templates/component/ecs/misp.json b/salt/elasticsearch/templates/component/ecs/misp.json index 8150371ec..c3600de69 100644 --- a/salt/elasticsearch/templates/component/ecs/misp.json +++ b/salt/elasticsearch/templates/component/ecs/misp.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "misp": { @@ -12,19 +52,43 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
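Review bot: The `analysis` block added under `template.settings` here is repeated byte-for-byte in the netflow and network sections of this patch (and presumably in the other component templates), and the `path_hierarchy_pattern_filter` and `path_tokenizer` it declares are not referenced by any analyzer or mapping in this chunk. Composed component templates merge `index.analysis.*` as flat setting keys, so identical copies are harmless, but if one copy is edited later the last component composed wins silently; consider keeping the definition in one shared place (e.g. a single settings component or a rendered include) and dropping the unused filter and tokenizer until something uses them. Separately, `whitespace_no_way` replaces `(\s)+` with `$1`, which collapses a run to whichever whitespace character came last (a tab or newline survives the pass), so if the intent is to normalise to one space the replacement should be `" "`.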
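Review bot: The new `security` sub-field on `misp.*.description` is a `text` field without `"norms": false`, while the parent `description` in the same hunk disables norms; the sub-field is keyword-tokenized (one term per value) and only serves case-insensitive exact matching, so norms cost index space for no scoring benefit. Suggest `"security": { "type": "text", "norms": false, "analyzer": "es_security_analyzer" }` for the sub-field, here and in the remaining misp hunks (`@@ -32,29 +96,59 @@` through `@@ -405,15 +913,33 @@`), and by the same reasoning for the sub-fields added across the patch.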
@@ -32,29 +96,59 @@ "properties": { "aliases": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "first_seen": { "type": "date" }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_seen": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "objective": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -62,15 +156,33 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -78,31 +190,73 @@ "properties": { "contact_information": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identity_class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sectors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -110,41 +264,89 @@ "properties": { "aliases": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "first_seen": { "type": "date" }, "goals": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_seen": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "primary_motivation": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource_level": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "secondary_motivations": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -152,23 +354,53 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -176,23 +408,53 @@ "properties": { "authors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "object_refs": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "summary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -203,7 +465,13 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "last_observed": { "type": "date" @@ -213,7 +481,13 @@ }, "objects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -221,23 +495,53 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "object_refs": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "published": { "type": "date" 
@@ -248,51 +552,123 @@ "properties": { "aliases": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "goals": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "personal_motivations": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "primary_motivation": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource_level": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "roles": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "secondary_motivations": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sophistication": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } } } }, 
@@ -300,66 +676,156 @@ "properties": { "attack_pattern": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attack_pattern_kql": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "campaign": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "feed": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "intrusion_set": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kill_chain_phases": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_tactic": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mitre_technique": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "negate": { "type": "boolean" }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threat_actor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "valid_from": { "type": "date" @@ -369,7 +835,13 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -377,27 +849,63 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "kill_chain_phases": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "labels": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tool_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -405,15 +913,33 @@ "properties": { "description": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/netflow.json b/salt/elasticsearch/templates/component/ecs/netflow.json index 10f34c3d4..4b52708f3 100644 --- a/salt/elasticsearch/templates/component/ecs/netflow.json +++ b/salt/elasticsearch/templates/component/ecs/netflow.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "netflow": { 
@@ -34,26 +74,56 @@ }, "application_category_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_group_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_id": { "type": "short" }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_sub_category_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bgp_destination_as_number": { "type": "long" @@ -84,7 +154,13 @@ }, "class_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification_engine_id": { "type": "short" @@ -151,7 +227,13 @@ }, "destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "destination_transport_port": { "type": "long" 
@@ -182,14 +264,26 @@ }, "dot1q_customer_destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dot1q_customer_priority": { "type": "short" }, "dot1q_customer_source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dot1q_customer_vlan_id": { "type": "long" @@ -253,7 +347,13 @@ }, "encrypted_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "engine_id": { "type": "short" @@ -298,7 +398,13 @@ "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_id": { "type": "long" 
@@ -466,34 +572,76 @@ }, "http_content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_message_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_reason_phrase": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_request_host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_request_method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_request_target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http_status_code": { "type": "long" }, "http_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_code_ipv4": { "type": "short" @@ -536,7 +684,13 @@ }, "information_element_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "information_element_id": { "type": "long" @@ -546,7 +700,13 @@ }, "information_element_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "information_element_range_begin": { "type": "long" 
@@ -589,11 +749,23 @@ }, "interface_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "intermediate_process_id": { "type": "long" @@ -741,7 +913,13 @@ }, "metro_evc_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "metro_evc_type": { "type": "short" @@ -754,29 +932,59 @@ }, "mib_context_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mib_index_indicator": { "type": "long" }, "mib_module_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mib_object_description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mib_object_identifier": { "type": "short" }, "mib_object_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mib_object_syntax": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mib_object_value_bits": { "type": "short" 
@@ -834,11 +1042,23 @@ }, "mobile_imsi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mobile_msisdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "monitoring_interval_end_milli_seconds": { "type": "date" @@ -929,7 +1149,13 @@ }, "nat_pool_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat_quota_exceeded_event": { "type": "long" @@ -963,7 +1189,13 @@ }, "observation_domain_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "observation_point_id": { "type": "long" @@ -1021,7 +1253,13 @@ }, "p2p_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "packet_delta_count": { "type": "long" @@ -1052,7 +1290,13 @@ }, "post_destination_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "post_dot1q_customer_vlan_id": { "type": "long" @@ -1128,7 +1372,13 @@ }, "post_source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "post_vlan_id": { "type": "long" @@ -1180,7 +1430,13 @@ }, "sampler_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sampler_random_interval": { "type": "long" 
@@ -1247,7 +1503,13 @@ }, "selector_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "session_scope": { "type": "short" @@ -1272,7 +1534,13 @@ }, "source_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source_transport_port": { "type": "long" @@ -1288,7 +1556,13 @@ }, "sta_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "system_init_time_milliseconds": { "type": "date" @@ -1355,11 +1629,23 @@ }, "tunnel_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "udp_destination_port": { "type": "long" @@ -1375,7 +1661,13 @@ }, "user_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value_distribution_method": { "type": "short" @@ -1385,11 +1677,23 @@ }, "virtual_station_interface_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_station_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_station_uuid": { "type": "short" 
@@ -1402,18 +1706,36 @@ }, "vr_fname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "wlan_channel_id": { "type": "short" }, "wlan_ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "wtp_mac_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/network.json b/salt/elasticsearch/templates/component/ecs/network.json index c2e35efd0..5a669bd30 100644 --- a/salt/elasticsearch/templates/component/ecs/network.json +++ b/salt/elasticsearch/templates/component/ecs/network.json 
@@ -4,31 +4,95 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "network": { "properties": { "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "bytes": { "type": "long" }, "community_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "forwarded_ip": { "type": "ip" }, "iana_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "inner": { "properties": { @@ -36,11 +100,23 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
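Review bot: `es_security_analyzer` is a keyword tokenizer plus `lowercase`/`trim`, i.e. single-term normalization, but it is attached to `text` subfields that cannot carry `ignore_above`, so a value longer than the parent's 1024-character cap is skipped by `network.application` yet still indexed into `network.application.security`, and a value above Lucene's 32766-byte single-term limit fails the whole document rather than just the field. Defining the same pipeline as a `normalizer` on a `keyword` subfield (`"security": { "type": "keyword", "normalizer": "es_security_normalizer", "ignore_above": 1024 }` — `pattern_replace`, `lowercase` and `trim` are all permitted in normalizers) keeps the case-insensitive matching, restores the length guard and leaves the subfield aggregatable; if the analyzer must stay, appending a `length` or `truncate` token filter is the minimal guard. The `path_hierarchy_pattern_filter` and `path_tokenizer` definitions are not referenced by any analyzer in this file, and the whole settings block is repeated verbatim in the o365, observer and okta settings hunks, so later drift between copies would go unnoticed until the composed index template is created. The char filter name `whitespace_no_way` reads as "strip whitespace", while `(\\s)+` → `$1` only collapses a run to its last character; either rename it or use `""` as the replacement if removal was intended.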
@@ -49,32 +125,68 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "packets": { "type": "long" }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transport": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vlan": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -83,4 +195,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/o365.json b/salt/elasticsearch/templates/component/ecs/o365.json index d1bdb29b1..3739bcde8 100644 --- a/salt/elasticsearch/templates/component/ecs/o365.json +++ b/salt/elasticsearch/templates/component/ecs/o365.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "o365": { 
@@ -12,118 +52,286 @@ "properties": { "AADGroupId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ActorContextId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ActorIpAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ActorUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ActorYammerUserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "AlertEntityId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "AlertId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "AlertType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "AppId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ApplicationDisplayName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ApplicationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"AzureActiveDirectoryEventType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ClientAppId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ClientIP": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ClientIPAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ClientInfoString": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Comments": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "CommunicationType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "CorrelationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "CreationTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "CustomUniqueId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Data": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DataType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DoNotDistributeEvent": { "type": "boolean" }, "EntityType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ErrorNumber": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "EventData": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "EventSource": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ExceptionInfo": { "properties": { 
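Review bot: `Comments` is a `norms: false` `text` field, and the new `.security` subfield re-indexes the entire comment body as one lowercased term through the keyword tokenizer; for free text that term is rarely useful (a `match` on `Comments` already covers it), and because `text` subfields have no `ignore_above`, a long comment can exceed Lucene's 32766-byte term limit and reject the index request. Suggest leaving `Comments` as it was (`"norms": false, "type": "text"` with no `fields`), or, if the subfield is wanted, capping the token with a `length`/`truncate` filter in `es_security_analyzer`. The enclosing `properties` object of this hunk starts before it and continues into the next hunk.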
@@ -148,38 +356,86 @@ }, "ExternalAccess": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "FromApp": { "type": "boolean" }, "GroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ImplicitShare": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IncidentId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "InterSystemsId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "InternalLogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IntraSystemId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IsDocLib": { "type": "boolean" 
@@ -201,67 +457,163 @@ }, "ItemName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ItemType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListBaseTemplateType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListBaseType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListColor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListIcon": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListItemUniqueId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ListTitle": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonError": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonUserSid": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MailboxGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MailboxOwnerMasterAccountSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MailboxOwnerSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MailboxOwnerUPN": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Members": { "properties": { 
@@ -283,27 +635,63 @@ }, "Name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ObjectId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OrganizationId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OrganizationName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OriginatingServer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Parameters": { "properties": { 
@@ -314,27 +702,63 @@ }, "PolicyId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "RecordType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ResultStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SensitiveInfoDetectionIsIncluded": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SessionId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SharePointMetaData": { "properties": { 
@@ -345,95 +769,233 @@ }, "Site": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SiteUrl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SourceFileExtension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SourceFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SourceRelativeUrl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SupportTicketId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetContextId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetUserOrGroupName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetUserOrGroupType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TeamGuid": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TeamName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TemplateTypeId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UniqueSharingId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UserAgent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UserId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UserKey": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UserType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "WebId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Workload": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "YammerNetworkId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + 
"security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/observer.json b/salt/elasticsearch/templates/component/ecs/observer.json index ecd3b1155..4eeb753db 100644 --- a/salt/elasticsearch/templates/component/ecs/observer.json +++ b/salt/elasticsearch/templates/component/ecs/observer.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "observer": { @@ -14,15 +54,33 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -30,17 +88,35 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "object" 
@@ -49,52 +125,118 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "ingress": { "properties": { @@ -102,15 +244,33 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -118,17 +278,35 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "object" @@ -138,22 +316,41 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os": { "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
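Review bot: Under `observer.os.full` the change replaces the existing multi-field (`"text": { "type": "match_only_text" }`) with `security` instead of adding alongside it; `observer.os.name` in the following hunk (`@@ -161,12 +358,19 @@`) does the same. Any saved search, detection rule or visualization that references `observer.os.full.text` or `observer.os.name.text` stops matching silently once the new template is applied, whereas every other field in this patch keeps its original mapping and only gains `security`. Keep both entries under `fields`: `"text": { "type": "match_only_text" }, "security": { "type": "text", "analyzer": "es_security_analyzer" }`. The `os` object continues past the end of this hunk.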
@@ -161,12 +358,19 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -174,41 +378,89 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/okta.json b/salt/elasticsearch/templates/component/ecs/okta.json index dcfaab1c2..3604f3bce 100644 
--- a/salt/elasticsearch/templates/component/ecs/okta.json +++ b/salt/elasticsearch/templates/component/ecs/okta.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "okta": { @@ -12,19 +52,43 @@ "properties": { "alternate_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "display_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -32,26 +96,56 @@ "properties": { "authentication_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "authentication_step": { "type": "long" }, "credential_provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "credential_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "external_session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -59,11 +153,23 @@ "properties": { "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip": { "type": "ip" 
@@ -72,21 +178,45 @@ "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "raw_user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "zone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -96,33 +226,75 @@ "properties": { "device_fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request_uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suspicious_activity": { "properties": { "browser": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_city": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_ip": { "type": "ip" 
@@ -135,19 +307,43 @@ }, "event_state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_transaction_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" @@ -156,11 +352,23 @@ }, "threat_suspected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -168,21 +376,45 @@ }, "display_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "outcome": { "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -194,22 +426,46 @@ "properties": { "city": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geolocation": { "type": "geo_point" }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -218,11 +474,23 @@ }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -239,7 +507,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -247,20 +521,38 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_proxy": { "type": "boolean" }, "isp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target": { "type": "flattened" 
@@ -269,21 +561,45 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/orchestrator.json b/salt/elasticsearch/templates/component/ecs/orchestrator.json index 87f2af201..99d20dc00 100644 --- a/salt/elasticsearch/templates/component/ecs/orchestrator.json +++ b/salt/elasticsearch/templates/component/ecs/orchestrator.json 
@@ -4,57 +4,151 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "orchestrator": { "properties": { "api_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cluster": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "namespace": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resource": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/organization.json b/salt/elasticsearch/templates/component/ecs/organization.json index b0ea050fa..0f782caf9 100644 --- a/salt/elasticsearch/templates/component/ecs/organization.json +++ b/salt/elasticsearch/templates/component/ecs/organization.json @@ -4,18 +4,65 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "organization": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -26,4 +73,4 @@ } } } -} \ No newline at end of file +} 
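Review bot: In the new `settings.analysis` block of this hunk, the `whitespace_no_way` char_filter (`"pattern": "(\\s)+"`, `"replacement": "$1"`) does not remove whitespace as its name implies; a repeated capture group keeps only its last iteration, so a run of whitespace collapses to its final character, which may be a tab or newline rather than a space. Values that differ only in the kind of internal whitespace therefore still index as distinct `.security` terms; if the intent is normalisation use `"replacement": " "`, if it is removal use `"replacement": ""`, and name the filter to match. `path_hierarchy_pattern_filter` and `path_tokenizer` are also defined here but referenced by no analyzer in this hunk, and the whole settings block is copied verbatim into every component template visible in this PR. Composable index templates merge `settings` from each component with the later entry in `composed_of` winning, so identical copies are harmless today but will drift silently once one is edited; a single shared settings component (or a Salt-rendered include) would keep the analyzer definition in one place.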
diff --git a/salt/elasticsearch/templates/component/ecs/package.json b/salt/elasticsearch/templates/component/ecs/package.json index b726f8f7f..45aec5986 100644 --- a/salt/elasticsearch/templates/component/ecs/package.json +++ b/salt/elasticsearch/templates/component/ecs/package.json 
@@ -4,63 +4,169 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "package": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "build_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "checksum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "install_scope": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "installed": { "type": "date" }, "license": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/process.json b/salt/elasticsearch/templates/component/ecs/process.json index a95fe6bba..a6b3cc61e 100644 --- a/salt/elasticsearch/templates/component/ecs/process.json +++ b/salt/elasticsearch/templates/component/ecs/process.json 
@@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "process": { "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "args_count": { "type": "long" @@ -19,26 +65,56 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" 
@@ -53,6 +129,10 @@ }, "command_line": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -63,15 +143,33 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_date": { "type": "date" 
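Review bot: The `security` multi-field added to `process.command_line` in the first hunk has no length bound: `ignore_above: 1024` applies only to the parent keyword, and `es_security_analyzer` uses the `keyword` tokenizer, so the whole command line is indexed as a single term. A value longer than Lucene's 32766-byte term limit (long encoded PowerShell or script arguments, which an attacker controls) is rejected as an immense term, and because Elasticsearch fails the whole document rather than the one field, exactly the events this subfield is meant to surface would be dropped at ingest; I have not reproduced this against the target cluster version, but it is the standard failure for `text` fields that emit one token per value. Adding a `length` token filter to the analyzer, e.g. `"security_length": { "type": "length", "max": 8192 }` under `filter` and `"filter": ["lowercase", "trim", "security_length"]` in `es_security_analyzer`, drops over-long values from `.security` while the parent keyword continues to ignore them, matching what `ignore_above` already does. The same concern applies to `process.args` and every other `.security` subfield added in this PR.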
@@ -83,34 +181,76 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -127,22 +267,46 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_address": { "type": "long" @@ -157,22 +321,46 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -181,12 +369,19 @@ }, "entity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "executable": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
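Review bot: In the third hunk, `process.executable` replaces the ECS default `text` multi-field (`match_only_text`) with `security`, whereas `process.command_line` earlier in this file keeps `text` and adds `security` beside it. Any saved search, visualisation or detection rule that queries `process.executable.text` (and likewise `process.name.text`, `process.title.text`, `process.working_directory.text`, the `parent.*` equivalents changed later in this file, and `organization.name.text`) now targets an unmapped field and returns nothing without an error, which silently blinds a rule. Keeping the ECS subfield alongside the new one, `"text": { "type": "match_only_text" },` above the `security` entry, preserves those queries at little cost. If dropping `.text` is deliberate, please say so in the commit message so rule authors know to migrate.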
@@ -199,30 +394,61 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -232,7 +458,13 @@ "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "args_count": { "type": "long" 
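Review bot: The `.security` subfield added to `process.hash.ssdeep` in the first hunk lowercases the value, but ssdeep digests use a case-sensitive base64 alphabet, so two distinct digests can collapse to the same `.security` term and an equality match on that subfield is not proof of the same hash. Lowercasing is harmless and actually useful for the hex digests (`md5`, `sha1`, `sha256`, `sha512`), which arrive in mixed case from different sources. I would leave ssdeep as a plain keyword, i.e. keep the original `"ssdeep": { "ignore_above": 1024, "type": "keyword" }`, or at least document that ssdeep comparisons must use the parent field. The same applies to the second `ssdeep` mapping under `process.parent.hash` later in this file.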
@@ -241,26 +473,56 @@ "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" @@ -275,6 +537,10 @@ }, "command_line": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -285,15 +551,33 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_date": { "type": "date" 
@@ -305,34 +589,76 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -349,22 +675,46 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_address": { "type": "long" @@ -379,22 +729,46 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -403,12 +777,19 @@ }, "entity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "executable": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -421,30 +802,61 @@ "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -454,31 +866,73 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -501,14 +955,21 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "title": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -519,8 +980,9 @@ }, "working_directory": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -532,31 +994,73 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -579,14 +1083,21 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "title": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -597,8 +1108,9 @@ }, "working_directory": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -609,4 +1121,4 @@ } } } -} \ No newline at end of file +} 
diff --git a/salt/elasticsearch/templates/component/ecs/redis.json b/salt/elasticsearch/templates/component/ecs/redis.json index 925f55c62..ac8f9faf2 100644 --- a/salt/elasticsearch/templates/component/ecs/redis.json +++ b/salt/elasticsearch/templates/component/ecs/redis.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "redis": { @@ -12,7 +52,13 @@ "properties": { "role": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -20,11 +66,23 @@ "properties": { "args": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "properties": { @@ -38,7 +96,13 @@ }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/registry.json b/salt/elasticsearch/templates/component/ecs/registry.json index 7cfa34ad6..13cdca60e 100644 
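Review bot: The entire `settings.analysis` block is pasted verbatim into each component template (redis here, then registry, related, rule, server, service, snyk and sophos), so the analyzer definition now exists in many copies that must stay byte-identical; when the index template composes them, settings merge by key and the first copy that drifts will either override or conflict without an obvious error. A single dedicated component template holding only the analysis settings, composed ahead of the field templates, would leave each field template with just the `"analyzer": "es_security_analyzer"` reference. Separately, the analyzer is `keyword` tokenizer plus `lowercase`/`trim`, which is what a `keyword` subfield with a `normalizer` expresses directly; that form keeps `ignore_above` in force and stays aggregatable, which a `text` subfield does not (pattern_replace char filters, `lowercase` and `trim` are all accepted in normalizers as far as I recall, worth confirming on the target Elasticsearch version).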
--- a/salt/elasticsearch/templates/component/ecs/registry.json +++ b/salt/elasticsearch/templates/component/ecs/registry.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "registry": { @@ -12,36 +52,72 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} 
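Review bot: `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in the settings hunk but nothing in this file's mappings references them; `registry.path` and `registry.key`, which receive only the `security` subfield in the second hunk, are the obvious consumers of a backslash-delimited `path_hierarchy` tokenizer. Unless another component template outside this diff references them, either wire them into a subfield on the path fields through a custom analyzer built on `path_tokenizer`, or remove them from every copy of the block so the settings document only what is in use. The same unused definitions are carried in the redis, related, rule, server, service, snyk and sophos templates.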
diff --git a/salt/elasticsearch/templates/component/ecs/related.json b/salt/elasticsearch/templates/component/ecs/related.json index 1af1593c8..58a55392c 100644 --- a/salt/elasticsearch/templates/component/ecs/related.json +++ b/salt/elasticsearch/templates/component/ecs/related.json @@ -4,28 +4,86 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "related": { "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hosts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip": { "type": "ip" }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/rule.json b/salt/elasticsearch/templates/component/ecs/rule.json index 400c64f6d..b9ea3a615 100644 --- a/salt/elasticsearch/templates/component/ecs/rule.json +++ b/salt/elasticsearch/templates/component/ecs/rule.json 
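Review bot: The `whitespace_no_way` char filter does not remove whitespace: the pattern `(\\s)+` with replacement `$1` collapses each run of whitespace to its last character, so two spaces and a tab become a single tab, and the name misstates what the analyzer does. If removal was the intent the replacement should be `""`; if collapsing is the intent, a name such as `collapse_whitespace` would stop the next reader from assuming `related.hosts` or `related.user` values are indexed without interior spaces. The `trim` token filter already strips leading and trailing whitespace, so the char filter only affects interior runs.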
@@ -4,53 +4,153 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "rule": { "properties": { "author": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "license": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ruleset": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/server.json b/salt/elasticsearch/templates/component/ecs/server.json index a7587e954..3c297f09f 100644 --- a/salt/elasticsearch/templates/component/ecs/server.json +++ b/salt/elasticsearch/templates/component/ecs/server.json @@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "server": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "as": { "properties": { @@ -21,8 +67,9 @@ "properties": { "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -37,52 +84,118 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } } } }, @@ -91,7 +204,13 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat": { "properties": { @@ -111,30 +230,61 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -144,30 +294,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -175,7 +356,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -184,4 +371,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/service.json b/salt/elasticsearch/templates/component/ecs/service.json index 2fbdad6d4..bfa90c717 100644 --- a/salt/elasticsearch/templates/component/ecs/service.json +++ b/salt/elasticsearch/templates/component/ecs/service.json 
@@ -4,53 +4,147 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "service": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "environment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ephemeral_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "node": { "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/snyk.json b/salt/elasticsearch/templates/component/ecs/snyk.json index c0c583e5f..d210b41a0 100644 --- a/salt/elasticsearch/templates/component/ecs/snyk.json +++ b/salt/elasticsearch/templates/component/ecs/snyk.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "snyk": { @@ -15,11 +55,23 @@ }, "org_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "project_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -30,7 +82,13 @@ "properties": { "projects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -38,32 +96,68 @@ "properties": { "credit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvss3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "disclosure_time": { "type": "date" }, "exploit_maturity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identifiers": { "properties": { "alternative": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cwe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -90,22 +184,46 @@ }, "jira_issue_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "language": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_severity": { "type": "long" }, "package": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "package_manager": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "patches": { "type": "flattened" 
@@ -118,26 +236,56 @@ }, "reachability": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "semver": { "type": "flattened" }, "title": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "unique_severities_list": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/sophos.json b/salt/elasticsearch/templates/component/ecs/sophos.json index a5606f962..9abba7456 100644 --- a/salt/elasticsearch/templates/component/ecs/sophos.json +++ b/salt/elasticsearch/templates/component/ecs/sophos.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "sophos": { 
@@ -15,11 +55,23 @@ }, "Mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PHPSESSID": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Reports": { "type": "float" 
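Review bot: `sophos.PHPSESSID` here, and `sophos.cookie` in a later hunk of this file, hold session identifiers, and this hunk adds a second lowercased indexed copy of them. The existing keyword copy already makes them searchable, so the subfield adds nothing defensively useful while duplicating credential material in the index; the safer default for these two fields is plain `keyword`, or `"index": false` if they are kept only for retention. If the Sophos log source is known to redact these values upstream, a sentence saying so in the commit message would settle it.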
@@ -29,100 +81,232 @@ }, "SysLog_SERVER_NAME": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Temp": { "type": "float" }, "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "activityname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_is_cloud": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "appfilter_policy_id": { "type": "long" }, "application": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_filter_policy": { "type": "long" }, "application_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_risk": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "application_technology": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "appresolvedby": { "ignore_above": 1024, - "type": "keyword" + 
"type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "auth_client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "auth_mechanism": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "av_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "backup_mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "branch_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_host_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_physical_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "clients_conn_ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { 
+ "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "collisions": { "type": "long" @@ -135,39 +319,93 @@ }, "connectionname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connectiontype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connevent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "contenttype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_match": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_prefix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "context_suffix": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "date": { "type": "date" 
@@ -177,47 +415,113 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "device_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "device_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dictionary_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dir_disp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "download_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "download_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_country_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dst_ip": { "type": "ip" 
@@ -227,68 +531,152 @@ }, "dstdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstzone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dstzonetype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "type": "long" }, "email_subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ep_uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "eventid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "eventtime": { "type": "date" }, "eventtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exceptions": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "execution_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extra": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } 
+ } }, "file_path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_size": { "type": "long" }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filepath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "filesize": { "type": "long" 
@@ -298,45 +686,99 @@ }, "from_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ftp_direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ftp_url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ftpcommand": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fw_rule_id": { "type": "long" }, "hb_health": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "httpresponsecode": { "type": "long" }, "iap": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "idle_cpu": { "type": "float" 
@@ -346,125 +788,299 @@ }, "idp_policy_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "in_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ipaddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ips_policy_id": { "type": "long" }, "localgateway": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "localnetwork": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_component": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_subtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "login_user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"mailid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mailsize": { "type": "long" }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "newversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "oldversion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "out_interface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "override_authorizer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "override_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "override_token": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "policy_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "priority": { "ignore_above": 
1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "quarantine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "quarantine_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "querystring": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "raw_data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "received_pkts": { "type": "long" @@ -474,7 +1090,13 @@ }, "receivederrors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "receivedkbits": { "type": "long" 
@@ -484,25 +1106,49 @@ }, "red_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "referer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "remote_ip": { "type": "ip" }, "remotenetwork": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "responsetime": { "type": "long" }, "rule_priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sent_bytes": { "type": "long" 
@@ -512,72 +1158,162 @@ }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sessionid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1sum": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "site_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sourceip": { "type": "ip" }, "spamaction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sqli": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_country_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_domainname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_ip": { 
"type": "ip" }, "src_mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "src_port": { "type": "long" }, "srczone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "srczonetype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "start_time": { "type": "date" 
@@ -587,37 +1323,79 @@ }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "system_cpu": { "type": "float" }, "target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "threatname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "to_email_address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "total_memory": { "type": "long" 
@@ -636,81 +1414,171 @@ }, "transaction_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transactionid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transmitteddrops": { "type": "long" }, "transmittederrors": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transmittedkbits": { "type": "long" }, "unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "updatedip": { "type": "ip" }, "upload_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "upload_file_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "used": { "type": "long" }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_cpu": { "type": "float" }, "user_gp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_name": { "ignore_above": 1024, - "type": 
"keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "users": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vconn_id": { "type": "long" }, "virus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "website": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "xss": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } diff --git a/salt/elasticsearch/templates/component/ecs/source.json b/salt/elasticsearch/templates/component/ecs/source.json index 9408e0133..e409d4a48 100644 --- a/salt/elasticsearch/templates/component/ecs/source.json +++ b/salt/elasticsearch/templates/component/ecs/source.json 
@@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "source": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "as": { "properties": { @@ -21,8 +67,9 @@ "properties": { "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
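Review bot: The `security` multi-field added under `address` here (and under every keyword field in the other hunks of this commit) has no length guard: `ignore_above` applies only to the parent `keyword`, while the `text` subfield pushes the whole value through the `keyword` tokenizer as a single term. Lucene rejects any indexed term longer than 32766 bytes as an "immense term", so a document carrying an oversized value in fields such as `raw_data`, `querystring`, `url` or `referer` in the earlier hunks would fail to index entirely instead of merely losing the keyword copy, which lets whoever controls that value (a URL, a query string, an e-mail subject) drop the event from the index. Values between 1024 and 32766 bytes are indexed into `.security` but not into the parent, so an exact query on `field` and a case-insensitive query on `field.security` give different hit sets for the same document. Appending a `truncate` token filter with `"length": 1024` (or a `length` filter with `"max": 1024`) to the `es_security_analyzer` filter chain keeps the two representations aligned; since the analyzer only yields one lowercased, trimmed token, a `keyword` subfield with a `normalizer` built from the same char filter and filters would presumably match identically while also honouring `ignore_above`, so that alternative is worth measuring before this fan-out is applied to forty templates.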
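Review bot: The existing `text` multi-field of type `match_only_text` under `source.as.organization.name` is replaced rather than supplemented, so `source.as.organization.name.text` disappears from the composed template; the same replacement is made for `source.user.full_name` and `source.user.name` in the later hunks of this file. That `.text` subfield appears to come from the ECS field set the file declares via `ecs_version`, and any saved search, visualisation or detection rule that queries it will silently return nothing rather than error. Keeping the original entry and adding the new one beside it, `"text": { "type": "match_only_text" }, "security": { "type": "text", "analyzer": "es_security_analyzer" }`, preserves compatibility at the cost of one extra indexed field on these three properties.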
@@ -37,52 +84,118 @@ }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "geo": { "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } } } }, @@ -91,7 +204,13 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nat": { "properties": { @@ -111,30 +230,61 @@ }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -144,30 +294,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -175,7 +356,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -184,4 +371,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/suricata.json b/salt/elasticsearch/templates/component/ecs/suricata.json index d824294e9..116dc96dd 100644 --- a/salt/elasticsearch/templates/component/ecs/suricata.json +++ b/salt/elasticsearch/templates/component/ecs/suricata.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "suricata": { 
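Review bot: `path_hierarchy_pattern_filter` and `path_tokenizer` are defined in this `analysis` block but no analyzer in it references them, so they are dead configuration unless a later commit composes an analyzer from them; the same unused definitions appear in the identical block added to `source.json` above. The whole `settings.analysis` block is repeated verbatim in every component template touched by this commit, and component templates are merged in `composed_of` order with later ones overriding earlier ones, so a future edit to one copy will silently win over the rest — a single shared component template (or a Salt include rendered into each file) would remove that drift risk. The char filter named `whitespace_no_way` does not remove whitespace: the pattern `(\s)+` with replacement `$1` collapses a run to its last character, so an interior tab or newline survives into the single `keyword` token; if stripping was intended the replacement should be `""`, and if collapsing was intended the name should say so, since the JSON cannot carry a comment explaining it.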
@@ -14,118 +54,268 @@ "properties": { "affected_product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "attack_target": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "capec_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "created_at": { "type": "date" }, "cve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvss_v2_base": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvss_v2_temporal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvss_v3_base": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cvss_v3_temporal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cwe_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } 
+ } }, "deployment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "former_category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gid": { "type": "long" }, "hostile": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "infected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "malware": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "metadata": { "type": "flattened" }, "mitre_tool_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "performance_impact": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "priority": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocols": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rev": { "type": "long" }, "rule_source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_id": { "type": "long" }, "signature_severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tag": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "updated_at": { "type": "date" @@ -134,19 +324,43 @@ }, "app_proto_expected": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_proto_orig": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_proto_tc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "app_proto_ts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dns": { "properties": { 
@@ -155,19 +369,43 @@ }, "rcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rdata": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rrname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rrtype": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ttl": { "type": "long" @@ -177,7 +415,13 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -185,13 +429,25 @@ "properties": { "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "event_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fileinfo": { "properties": { 
@@ -200,19 +456,43 @@ }, "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "stored": { "type": "boolean" @@ -232,31 +512,67 @@ }, "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "flow_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "http": { "properties": { "http_content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "redirect": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -268,7 +584,13 @@ }, "in_iface": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pcap_cnt": { "type": "long" @@ -277,15 +599,33 @@ "properties": { "helo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mail_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rcpt_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -295,11 +635,23 @@ "properties": { "proto_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "software_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -307,11 +659,23 @@ "properties": { "proto_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "software_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -757,22 +1121,46 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "syn": { "type": "boolean" }, "tcp_flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_flags_tc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tcp_flags_ts": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -780,21 +1168,45 @@ "properties": { "fingerprint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuerdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ja3": { "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -802,11 +1214,23 @@ "properties": { "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -818,22 +1242,46 @@
 },
 "serial": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "session_resumed": {
 "type": "boolean"
 },
 "sni": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "subject": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "version": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 },
diff --git a/salt/elasticsearch/templates/component/ecs/syslog.json b/salt/elasticsearch/templates/component/ecs/syslog.json
index c886589e9..d263519e8 100644
--- a/salt/elasticsearch/templates/component/ecs/syslog.json
+++ b/salt/elasticsearch/templates/component/ecs/syslog.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "syslog": {
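Review bot: In the new `settings.analysis` block of syslog.json, `path_hierarchy_pattern_filter` and `path_tokenizer` are declared but `es_security_analyzer` references neither, so as far as this hunk shows they are dead configuration and should either be wired into an analyzer or dropped. The `whitespace_no_way` char filter, with `"pattern": "(\\s)+"` and `"replacement": "$1"`, collapses a run of whitespace to its last character rather than removing it, which the name suggests; if collapsing is the intent, `"replacement": " "` states it plainly and a short comment in the surrounding Salt state (JSON has none) should record that choice. This identical block is pasted into threat.json on L327 and, judging by the diffstat, into every other component template, so any future tweak to the analyzer must be replicated in each file; a single shared component template listed in the index templates' `composed_of` would give one definition to maintain. The hunk ends inside `template.mappings`, so the enclosing object continues past it.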
@@ -13,14 +53,26 @@
 },
 "facility_label": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 },
 "priority": {
 "type": "long"
 },
 "severity_label": {
 "ignore_above": 1024,
- "type": "keyword"
+ "type": "keyword",
+ "fields": {
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/ecs/threat.json b/salt/elasticsearch/templates/component/ecs/threat.json
index 4bed345e1..62e71e49a 100644
--- a/salt/elasticsearch/templates/component/ecs/threat.json
+++ b/salt/elasticsearch/templates/component/ecs/threat.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "threat": {
@@ -21,8 +61,9 @@
 "properties": {
 "name": {
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 }
 },
 "ignore_above": 1024,
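Review bot: The `@@ -21,8 +61,9 @@` hunk in threat.json replaces the ECS `"text": { "type": "match_only_text" }` multi-field on `name` with `security` instead of adding alongside it, so any existing query, saved search or detection that targets `<field>.text` stops matching after the template is applied; the same substitution is made for `path` at L333, `target_path` at L334 and the second `name` at L344, whereas `url.full` and `url.original` at L340 keep `text` and add `security` next to it. Unless dropping `.text` is deliberate, keep the removed `"text": { "type": "match_only_text" }` entry beside the new `security` entry so the mapping stays ECS-compatible and consistent with the L340 hunk. The enclosing `properties` object starts before and ends after this hunk.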
@@ -34,17 +75,35 @@ }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -55,32 +114,68 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" 
@@ -101,29 +196,65 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_date": { "type": "date" 
@@ -135,34 +266,76 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -179,22 +352,46 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_address": { "type": "long" 
@@ -209,92 +406,201 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -304,31 +610,73 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -337,8 +685,9 @@ }, "target_path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -346,47 +695,107 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -398,11 +807,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -414,47 +835,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -467,46 +948,106 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -520,7 +1061,13 @@ "properties": { "tlp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -532,11 +1079,23 @@ }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registry": { "properties": { @@ -544,32 +1103,68 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -581,24 +1176,52 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -607,6 +1230,10 @@ }, "original": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -615,7 +1242,13 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "type": "wildcard" 
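Review bot: `url.password` receives the same analyzed `security` sub-field as every other keyword in this hunk, which means a credential that arrives in a URL is now indexed twice, the second time lowercased and trimmed. If the ingest pipelines already redact that field this is harmless, but that is not visible from the template, so either exclude `url.password` from the multi-field treatment (leave it as the plain `"type": "keyword"` the old side had) or confirm that redaction happens upstream before this mapping ships. The enclosing `url` properties object continues past the end of the hunk.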
@@ -625,27 +1258,63 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -653,37 +1322,85 @@ "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -695,11 +1412,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -711,47 +1440,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -762,23 +1551,53 @@ "properties": { "atomic": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "field": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "index": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -787,25 +1606,55 @@ }, "framework": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group": { "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -820,8 +1669,9 @@ "properties": { "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -833,17 +1683,35 @@ }, "confidence": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "properties": { "address": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -854,32 +1722,68 @@ }, "attributes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "code_signature": { "properties": { "digest_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exists": { "type": "boolean" }, "signing_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "team_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timestamp": { "type": "date" 
@@ -900,29 +1804,65 @@ }, "device": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "directory": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "drive_letter": { "ignore_above": 1, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "elf": { "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "byte_order": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cpu_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "creation_date": { "type": "date" 
@@ -934,34 +1874,76 @@ "properties": { "abi_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "class": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "entrypoint": { "type": "long" }, "object_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os_abi": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -978,22 +1960,46 @@ }, "flags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_offset": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "physical_size": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "virtual_address": { "type": "long" 
@@ -1008,92 +2014,201 @@ "properties": { "sections": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } }, "type": "nested" }, "shared_libraries": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "telfhash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fork_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "gid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha512": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssdeep": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "inode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mtime": { "type": "date" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "owner": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
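Review bot: For `hash.md5`/`sha1`/`sha256`/`sha512`/`ssdeep`, `inode`, `gid`, `uid` and `mode` the new `.security` sub-field indexes a second copy of a fixed-format value that is never searched as free text, so each of these high-cardinality fields now carries an extra inverted-index entry per value for no matching gain. If the aim is only case-insensitive exact matching, a keyword `normalizer` built from the same `lowercase`/`trim` chain (e.g. `"normalizer": "es_security_normalizer"` on the existing keyword field) gives that without a second text index and keeps aggregations intact; if the text sub-field is wanted for wildcard or query_string use, limiting it to name/path-like fields (`name`, `directory`, `extension`, `mime_type`) would be the cheaper cut. This hunk begins on the previous line, so the fields before `sha512` are not visible here.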
@@ -1103,31 +2218,73 @@ "properties": { "architecture": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "imphash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original_file_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1136,8 +2293,9 @@ }, "target_path": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
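Review bot: The `target_path` hunk replaces the ECS-defined `.text` multi-field (`match_only_text`) with `.security` rather than adding alongside it, so the `.text` sub-field on this path (judging by the surrounding fields, the `threat.indicator.file` subtree) ceases to exist, and the same substitution is made for `file.path` in the hunk above and for `tactic.name`, `technique.name` and `subtechnique.name` further down; any saved search, detection rule or visualization that queries those `.text` fields silently stops matching. The `url.full`/`url.original` hunk later in this file keeps both sub-fields, so the change is also inconsistent within the same template. Keeping the ECS field is a three-line addition inside the existing `"fields"` object: `"security": {"type": "text", "analyzer": "es_security_analyzer"},` followed by `"text": {"type": "match_only_text"}`. If dropping `.text` is deliberate to save index space, the commit message should say so, since it departs from the ECS 1.12 mapping the file claims to implement.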
@@ -1145,47 +2303,107 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1197,11 +2415,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -1213,47 +2443,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -1266,46 +2556,106 @@ "properties": { "city_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "continent_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "location": { "type": "geo_point" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "postal_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_iso_code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "region_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timezone": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1319,7 +2669,13 @@ "properties": { "tlp": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1331,11 +2687,23 @@ }, "provider": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registry": { "properties": { @@ -1343,32 +2711,68 @@ "properties": { "bytes": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "strings": { "type": "wildcard" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hive": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1380,24 +2784,52 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "url": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -1406,6 +2838,10 @@ }, "original": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -1414,7 +2850,13 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "type": "wildcard" 
@@ -1424,27 +2866,63 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1452,37 +2930,85 @@ "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1494,11 +3020,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -1510,47 +3048,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -1560,27 +3158,63 @@ "properties": { "alias": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "platforms": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1588,15 +3222,33 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1604,12 +3256,19 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -1617,18 +3276,31 @@ }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subtechnique": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -1636,7 +3308,13 @@ }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -1647,4 +3325,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/tls.json b/salt/elasticsearch/templates/component/ecs/tls.json index 413f217ad..796ffbe7b 100644 --- a/salt/elasticsearch/templates/component/ecs/tls.json +++ b/salt/elasticsearch/templates/component/ecs/tls.json 
@@ -4,47 +4,135 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "tls": { "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client": { "properties": { "certificate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "certificate_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "ja3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "not_after": { "type": "date" 
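Review bot: `ignore_above: 1024` on each keyword field does not apply to its new `.security` sub-field, and a `text` field fed through the `keyword` tokenizer indexes the whole value as a single term, so for `tls.client.certificate_chain` and `tls.server.certificate_chain` (PEM chains that are routinely several KB) a single oversized term can exceed Lucene's maximum term size and cause the whole document to be rejected rather than just the field being skipped. Mirroring the parent's bound with a length filter keeps the two in step: `"filter": ["lowercase", "trim", "es_security_length"]` in the analyzer, and under `settings.analysis.filter` `"es_security_length": {"type": "length", "max": 1024}`. `path_hierarchy_pattern_filter` and `path_tokenizer` are declared here but no analyzer in this hunk references them; unless another template wires them up they are dead configuration, and with `"delimiter": "\\"` the tokenizer would only ever split Windows-style paths. The `whitespace_no_way` char filter (`(\s)+` → `$1`) collapses a run of whitespace to its last character rather than removing whitespace as the name implies; since JSON cannot carry a comment, either rename it (`collapse_whitespace`) or set `"replacement": ""` if removal was intended. Note also that every component template whose mappings reference `es_security_analyzer` must be composed together with one that carries this `settings.analysis` block, otherwise index creation fails on an unknown analyzer.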
@@ -54,51 +142,117 @@ }, "server_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "supported_ciphers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } } } }, @@ -110,11 +264,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -126,47 +292,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -174,14 +400,26 @@ }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "established": { "type": "boolean" }, "next_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resumed": { "type": "boolean" @@ -190,35 +428,77 @@ "properties": { "certificate": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "certificate_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "issuer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ja3s": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "not_after": { "type": "date" 
@@ -228,43 +508,97 @@ }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x509": { "properties": { "alternative_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -276,11 +610,23 @@ }, "public_key_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "public_key_exponent": { "doc_values": false, 
@@ -292,47 +638,107 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "distinguished_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_or_province": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -340,15 +746,27 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/tracing.json b/salt/elasticsearch/templates/component/ecs/tracing.json index 7db45e4a2..8f28ee9f8 100644 --- a/salt/elasticsearch/templates/component/ecs/tracing.json +++ b/salt/elasticsearch/templates/component/ecs/tracing.json @@ -4,13 +4,59 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "span": { "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -18,7 +64,13 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
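Review bot: The new `es_security_analyzer` has no length guard, so a value longer than Lucene's 32766-byte term limit (realistic for url.full, user_agent.original or winlog.event_data.*) becomes one immense term under the `keyword` tokenizer and the whole document is rejected at index time, whereas the parent keyword field only silently drops such values through `ignore_above`. Bounding the term inside the analyzer chain avoids that, e.g. `"filter": ["lowercase", "trim", "security_truncate"]` with `"security_truncate": {"type": "truncate", "length": 1024}` added under `filter`. The `path_hierarchy_pattern_filter` and `path_tokenizer` definitions added here are not referenced by any analyzer in this template; if no other component in this patch consumes them, they are dead settings and could be dropped from the templates that do not use them. The identical settings block is also pasted into url.json, user.json, user_agent.json, vulnerability.json and winlog.json below, so a single shared settings component would keep the copies from drifting apart over time.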
@@ -26,11 +78,17 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/url.json b/salt/elasticsearch/templates/component/ecs/url.json index efdaed1fb..0f52cf583 100644 --- a/salt/elasticsearch/templates/component/ecs/url.json +++ b/salt/elasticsearch/templates/component/ecs/url.json @@ -4,24 +4,86 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "url": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extension": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fragment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } 
@@ -30,6 +92,10 @@ }, "original": { "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + }, "text": { "type": "match_only_text" } @@ -38,7 +104,13 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "type": "wildcard" @@ -48,31 +120,67 @@ }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "registered_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scheme": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subdomain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "top_level_domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/user.json b/salt/elasticsearch/templates/component/ecs/user.json index 1ad4bac67..f0fe644d8 100644 --- a/salt/elasticsearch/templates/component/ecs/user.json +++ b/salt/elasticsearch/templates/component/ecs/user.json 
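Review bot: `url.password` now receives a second, lowercased and analyzed copy through the `.security` subfield in hunk `@@ -38,7 +104,13 @@`, which widens where a captured credential is stored and searchable in the cluster. If the field must remain searchable at all, leaving it as the bare keyword keeps the footprint as it was: `"password": { "ignore_above": 1024, "type": "keyword" }`; whether it should be indexed at all is worth confirming with the consumers of this template. The `url.full` and `url.original` hunks correctly keep the existing `text` subfield beside the new `security` one, which is the pattern the other files in this patch should follow.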
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "user": { @@ -12,16 +52,29 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
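Review bot: `user.full_name` loses its `text` subfield (`match_only_text`) in hunk `@@ -12,16 +52,29 @@` because `security` replaces it instead of being added next to it, and the same replacement recurs for `user.name` and the `full_name`/`name` fields under `changes`, `effective` and `target` in the following hunks, as well as for `user_agent.original`, `user_agent.os.full`, `user_agent.os.name` and `vulnerability.description`. That diverges from the ECS 1.12.2 contract the template still declares through `ecs_version`, silently breaks any saved search or detection rule that queries `user.name.text`, and is inconsistent with url.json in this same patch, where `url.full` and `url.original` keep `text` beside `security`. Keeping both subfields preserves compatibility: `"fields": { "security": { "type": "text", "analyzer": "es_security_analyzer" }, "text": { "type": "match_only_text" } }`.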
@@ -31,30 +84,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -62,28 +146,53 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "effective": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -93,30 +202,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -124,18 +264,31 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -145,30 +298,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -176,22 +360,41 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "target": { "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full_name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -201,30 +404,61 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "hash": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -232,7 +466,13 @@ }, "roles": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -241,4 +481,4 @@ } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/user_agent.json b/salt/elasticsearch/templates/component/ecs/user_agent.json index 9a0517e6d..0655b290e 100644 --- a/salt/elasticsearch/templates/component/ecs/user_agent.json +++ b/salt/elasticsearch/templates/component/ecs/user_agent.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "user_agent": { @@ -12,18 +52,31 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "original": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -33,12 +86,19 @@ "properties": { "family": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "full": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -46,12 +106,19 @@ }, "kernel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, @@ -59,25 +126,49 @@ }, "platform": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/vulnerability.json b/salt/elasticsearch/templates/component/ecs/vulnerability.json index d7d8db4d6..b7a239fb5 100644 --- a/salt/elasticsearch/templates/component/ecs/vulnerability.json +++ b/salt/elasticsearch/templates/component/ecs/vulnerability.json 
@@ -4,22 +4,75 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "vulnerability": { "properties": { "category": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "classification": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "description": { "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" } }, "ignore_above": 1024, 
@@ -27,25 +80,55 @@ }, "enumeration": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reference": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "report_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "scanner": { "properties": { "vendor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -62,17 +145,29 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } } } } -} \ No newline at end of file +} diff --git a/salt/elasticsearch/templates/component/ecs/winlog.json b/salt/elasticsearch/templates/component/ecs/winlog.json index a724eefb1..688fe033f 100644 --- a/salt/elasticsearch/templates/component/ecs/winlog.json +++ b/salt/elasticsearch/templates/component/ecs/winlog.json 
@@ -4,12 +4,58 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "dynamic_templates": [ { "winlog.event_data": { "mapping": { - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "match_mapping_type": "string", "path_match": "winlog.event_data.*" @@ -18,7 +64,13 @@ { "winlog.user_data": { "mapping": { - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "match_mapping_type": "string", "path_match": "winlog.user_data.*" 
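Review bot: The `winlog.event_data` and `winlog.user_data` dynamic templates now create a `.security` text subfield for every dynamically mapped string under those prefixes, so each distinct event_data key costs roughly one extra mapped field and an index with a wide variety of event types moves much closer to `index.mapping.total_fields.limit`, where the failure mode is a rejected mapping update rather than a dropped field. Nothing in these two templates bounds the length of the values either, and the explicit `properties` block in the next hunk already enumerates a large set of event_data fields with the same subfield, so the dynamic rule mostly adds cost for the long tail. Consider scoping the dynamic rule to a curated subset of event_data paths, or raising the field limit deliberately in this same template so the trade-off is recorded where the mapping is defined.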
@@ -30,475 +82,1177 @@ "properties": { "activity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "api": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "channel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "computer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "event_data": { "properties": { "AuthenticationPackageName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Binary": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "BitlockerUserInputTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "BootMode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "BootType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "BuildVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Company": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + 
} + } }, "CorruptionActionState": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "CreationUtcTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Description": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Detail": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DeviceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DeviceNameLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DeviceTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DeviceVersionMajor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DeviceVersionMinor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DriveName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DriverName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DriverNameLength": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "DwordVal": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "EntryCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ExtraInfo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "FailureName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "FailureNameLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "FileVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "FinalStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Group": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IdleImplementation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IdleStateCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ImpersonationLevel": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IntegrityLevel": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IpAddress": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "IpPort": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "KeyLength": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LastBootGood": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LastShutdownGood": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LmPackageName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "LogonType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } }, "MajorVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MaximumPerformancePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MemberName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MemberSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MinimumPerformancePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MinimumThrottlePercent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "MinorVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "NewProcessId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "NewProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "NewSchemeGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "NewTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "NominalFrequency": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OldSchemeGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OldTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "OriginalFileName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PerformanceImplementation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PreviousCreationUtcTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PreviousTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PrivilegeList": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ProcessId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, 
"ProcessName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ProcessPath": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ProcessPid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Product": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PuaCount": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "PuaPolicyId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "QfeVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SchemaVersion": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ScriptBlockText": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ServiceName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ServiceVersion": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ShutdownActionType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ShutdownEventCode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ShutdownReason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Signature": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SignatureStatus": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Signed": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "StartTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "State": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "StopTime": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SubjectDomainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + 
"analyzer": "es_security_analyzer" + } + } }, "SubjectLogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SubjectUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "SubjectUserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TSId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetDomainName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetInfo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetLogonGuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetLogonId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetServerName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetUserName": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TargetUserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + 
} }, "TerminalSessionId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TokenElevationType": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "TransmittedServices": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "UserSid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "Workstation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param2": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param3": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param4": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param6": { "ignore_above": 1024, - "type": "keyword" + "type": 
"keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param7": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "param8": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "event_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "keywords": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "logon": { "properties": { @@ -506,31 +1260,67 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "opcode": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "process": { "properties": { 
@@ -548,23 +1338,53 @@ }, "provider_guid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "provider_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "record_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "related_activity_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "task": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "time_created": { "type": "date" @@ -573,19 +1393,43 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, diff --git a/salt/elasticsearch/templates/component/ecs/zeek.json b/salt/elasticsearch/templates/component/ecs/zeek.json index 720199001..08541b56e 100644 --- a/salt/elasticsearch/templates/component/ecs/zeek.json +++ b/salt/elasticsearch/templates/component/ecs/zeek.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "zeek": { @@ -18,7 +58,13 @@ }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "percent_lost": { "type": "double" @@ -32,7 +78,13 @@ "properties": { "history": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp": { "properties": { @@ -58,11 +110,23 @@ }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state_message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "vlan": { "type": "long" 
@@ -73,15 +137,33 @@ "properties": { "endpoint": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "named_pipe": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "operation": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rtt": { "type": "long" @@ -100,7 +182,13 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "requested": { "type": "ip" @@ -112,32 +200,68 @@ }, "client_fqdn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "type": "double" }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "id": { "properties": { "circuit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "remote_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subscriber": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -148,18 +272,36 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "origin": { "type": "ip" }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -167,11 +309,23 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -183,11 +337,23 @@ "properties": { "reply": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -215,32 +381,62 @@ }, "answers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "qclass": { "type": "long" }, "qclass_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "qtype": { "type": "long" }, "qtype_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "query": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rcode": { "type": "long" }, "rcode_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rejected": { "type": "boolean" @@ -262,7 +458,13 @@ }, "trans_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -270,15 +472,33 @@ "properties": { "analyzer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "failure_reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "packet_segment": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -286,7 +506,13 @@ "properties": { "analyzers": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "depth": { "type": "long" @@ -299,7 +525,13 @@ }, "extracted": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "extracted_cutoff": { "type": "boolean" @@ -309,11 +541,23 @@ }, "filename": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_orig": { "type": "boolean" @@ -323,11 +567,23 @@ }, "md5": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "missing_bytes": { "type": "long" @@ -337,7 +593,13 @@ }, "parent_fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rx_host": { "type": "ip" 
@@ -347,19 +609,43 @@ }, "session_ids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha1": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sha256": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "timedout": { "type": "boolean" @@ -376,7 +662,13 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "capture_password": { "type": "boolean" @@ -385,11 +677,23 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "seq": { "type": "long" @@ -398,11 +702,23 @@ }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cwd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "data_channel": { "properties": { 
@@ -424,11 +740,23 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "size": { "type": "long" @@ -437,14 +765,26 @@ }, "last_auth_requested": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "passive": { "type": "boolean" }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "pending_commands": { "type": "long" @@ -456,13 +796,25 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
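Review bot: `password` gains an analyzed `security` copy in the second hunk here, and the same happens to the HTTP `password` field and to the SNMP `community` string in later hunks; these fields hold captured credentials, and a tokenized text copy makes them retrievable by partial match and highlighting from any search across `*.security`, widening exposure of secrets that the keyword mapping already makes exactly matchable. If the deployment restricts or redacts these fields by name, the new `.security` path needs to be included in that configuration as well. Unless a concrete detection needs tokenized credentials, keep these three as plain keyword by dropping the `fields` block from them, or record the decision in the commit description.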
@@ -473,67 +825,145 @@ }, "client_header_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "info_code": { "type": "long" }, "info_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "orig_filenames": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "orig_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "orig_mime_depth": { "type": "long" }, "orig_mime_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "proxied": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "range_request": { "type": "boolean" }, "resp_filenames": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resp_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resp_mime_depth": { "type": "long" }, "resp_mime_types": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "server_header_names": { "ignore_above": 1024, - 
"type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "trans_depth": { "type": "long" 
@@ -544,62 +974,140 @@ "properties": { "file_desc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file_mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "matched": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "seen": { "properties": { "conn": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "f": { "type": "object" }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "indicator_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "node": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "where": { 
"ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "sources": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -607,11 +1115,23 @@ "properties": { "addl": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dcc": { "properties": { @@ -619,7 +1139,13 @@ "properties": { "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "size": { "type": "long" @@ -628,25 +1154,55 @@ }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "nick": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -658,15 +1214,33 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -674,15 +1248,33 @@ "properties": { "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "value": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -690,11 +1282,23 @@ }, "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "error": { "properties": { @@ -703,7 +1307,13 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -715,11 +1325,23 @@ }, "request_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "success": { "type": "boolean" @@ -728,11 +1350,23 @@ "properties": { "auth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "new": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -755,11 +1389,23 @@ "properties": { "exception": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "function": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "track_address": { "type": "long" @@ -770,15 +1416,33 @@ "properties": { "arg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cmd": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "response": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "rows": { "type": "long" 
@@ -792,22 +1456,46 @@ "properties": { "actions": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "connection_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "dropped": { "type": "boolean" }, "email_body_sections": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email_delay_tokens": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "false": { "type": "long" @@ -823,14 +1511,26 @@ "properties": { "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_orig": { "type": "boolean" }, "mime_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "missing_bytes": { "type": "long" 
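Review bot: `email_body_sections` is already a `text` field with `"norms": false`, and the `security` subfield added beneath it carries no `norms` setting, so the body is analyzed a second time with norms enabled; the same applies to `peer_descr` in the next hunk. If the subfield is wanted on these two text fields, add `"norms": false` inside the `security` subfield to match the parent; otherwise they are the only non-keyword fields in this part of the diff receiving the subfield and could simply be left unchanged.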
@@ -840,48 +1540,108 @@ }, "parent_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "seen_bytes": { "type": "long" }, "source": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "fuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "icmp_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "note": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer_descr": { "norms": false, - "type": "text" + "type": "text", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "peer_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "suppress_for": { "type": "double" 
@@ -892,11 +1652,23 @@ "properties": { "domain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hostname": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "server": { "properties": { @@ -904,15 +1676,33 @@ "properties": { "dns": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "netbios": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tree": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -923,7 +1713,13 @@ }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -949,7 +1745,13 @@ }, "ref_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ref_time": { "type": "date" 
@@ -975,23 +1777,47 @@ "properties": { "file_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "hash": { "properties": { "algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -1001,7 +1827,13 @@ "properties": { "reason": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "time": { "type": "date" @@ -1010,11 +1842,23 @@ }, "serial_number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "update": { "properties": { @@ -1032,7 +1876,13 @@ "properties": { "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "compile_time": { "type": "date" @@ -1051,7 +1901,13 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_64bit": { "type": "boolean" 
@@ -1061,19 +1917,43 @@ }, "machine": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "os": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "section_names": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subsystem": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uses_aslr": { "type": "boolean" @@ -1093,7 +1973,13 @@ "properties": { "connect_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "framed_addr": { "type": "ip" @@ -1103,25 +1989,49 @@ }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "remote_ip": { "type": "ip" }, "reply_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ttl": { "type": "long" }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1137,7 +2047,13 @@ }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1145,27 +2061,57 @@ "properties": { "build": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "product_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "cookie": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "desktop": { "properties": { "color_depth": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "height": { "type": "long" @@ -1182,25 +2128,55 @@ "properties": { "level": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "keyboard_layout": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "result": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "security_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ssl": { "type": "boolean" 
@@ -1213,7 +2189,13 @@ "properties": { "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "success": { "type": "boolean" @@ -1222,7 +2204,13 @@ }, "desktop_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "height": { "type": "long" @@ -1236,11 +2224,23 @@ "properties": { "major": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "minor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1248,11 +2248,23 @@ "properties": { "major": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "minor": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } 
@@ -1265,31 +2277,61 @@ }, "session_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature": { "properties": { "event_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host_count": { "type": "long" }, "note": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sig_count": { "type": "long" }, "sig_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1297,19 +2339,43 @@ "properties": { "call_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "content_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "date": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request": { "properties": { 
@@ -1318,15 +2384,33 @@ }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1337,15 +2421,33 @@ }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1353,11 +2455,23 @@ "properties": { "method": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "number": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1368,28 +2482,58 @@ }, "msg": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transaction_depth": { "type": "long" }, "uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "warning": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1397,17 +2541,35 @@ "properties": { "argument": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "file": { "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host": { "properties": { @@ -1421,11 +2583,23 @@ }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "uid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1434,34 +2608,76 @@ }, "smb1_offered_dialects": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "smb2_offered_dialects": { "type": "long" }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "sub_command": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tree": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tree_service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "username": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1469,22 +2685,46 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fid": { "type": "long" }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "previous_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "size": { "type": "long" @@ -1507,7 +2747,13 @@ }, "uuid": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1515,19 +2761,43 @@ "properties": { "native_file_system": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "service": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "share_type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1535,48 +2805,102 @@ "properties": { "cc": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "date": { "type": "date" }, "first_received": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "has_client_activity": { "type": "boolean" }, "helo": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "in_reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "is_webmail": { "type": "boolean" }, "last_reply": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mail_from": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "msg_id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "path": { "type": "ip" 
@@ -1586,37 +2910,79 @@ }, "rcpt_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reply_to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "second_received": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "tls": { "type": "boolean" }, "to": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "transaction_depth": { "type": "long" }, "user_agent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "x_originating_ip": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -1624,11 +2990,23 @@ "properties": { "community": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "display_string": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "duration": { "type": "double" @@ -1658,7 +3036,13 @@ }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -1668,7 +3052,13 @@ "properties": { "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "port": { "type": "long" @@ -1680,13 +3070,25 @@ }, "password": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "request": { "properties": { "host": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "port": { "type": "long" @@ -1695,11 +3097,23 @@ }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "user": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "type": "long" @@ -1712,23 +3126,53 @@ "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "compression": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "key_exchange": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "mac": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
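Review bot: In the `@@ -1680,13 +3070,25 @@` hunk the `password` field gains an analyzed `.security` text sub-field, so a captured plaintext credential is now tokenized into a second inverted index and becomes reachable through free-text and wildcard queries over `*.security`, not only through exact keyword lookups. The sibling keys (`user`, `request.host`, `version`) suggest this is a proxy/SOCKS log block, so the value is an observed credential rather than an identifier that analysts need to fuzzy-match. Consider leaving this one field as it was, `"password": { "ignore_above": 1024, "type": "keyword" }`, and noting the deliberate exclusion in the commit message. The enclosing object's header is outside the hunk, so the exact log type is inferred.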
@@ -1744,19 +3188,43 @@ }, "client": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "direction": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "host_key": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "server": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "version": { "type": "long" 
@@ -1767,43 +3235,97 @@ "properties": { "cipher": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "client": { "properties": { "cert_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cert_chain_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
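Review bot: `cert_chain` and `cert_chain_fuids` under `client` receive the analyzed `.security` sub-field while the parent keyword keeps `ignore_above: 1024`; a multi-field does not inherit `ignore_above`, so any value longer than 1024 characters disappears from the keyword but is still fully tokenized into `.security`. If `cert_chain` carries encoded certificate material, that is a large, low-value inverted index per TLS session, and the only searchable copy of long values would be the analyzed one. Consider keeping `cert_chain` as a plain keyword (`"cert_chain": { "ignore_above": 1024, "type": "keyword" }`) or documenting why the analyzed copy is wanted for it. The enclosing `ssl`-style object starts outside the hunk.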
@@ -1811,27 +3333,63 @@ "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -1839,18 +3397,36 @@ }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "established": { "type": "boolean" }, "last_alert": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "next_protocol": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "resumed": { "type": "boolean" 
@@ -1859,69 +3435,159 @@ "properties": { "cert_chain": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "cert_chain_fuids": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": 
"es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } @@ -1931,17 +3597,35 @@ "properties": { "code": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "status": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "version": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -2036,7 +3720,13 @@ }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "reassembly_size": { "properties": { 
@@ -2073,15 +3763,33 @@ "properties": { "facility": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "message": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "severity": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -2089,11 +3797,23 @@ "properties": { "action": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, @@ -2101,22 +3821,46 @@ "properties": { "additional_info": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "identifier": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "notice": { "type": "boolean" }, "peer": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -2136,41 +3880,95 @@ "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "curve": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "exponent": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "issuer": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -2178,50 +3976,110 @@ "properties": { "algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "length": { "type": "long" }, "type": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, "serial": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "signature_algorithm": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "subject": { "properties": { "common_name": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "country": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "locality": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organization": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "organizational_unit": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "state": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } }, 
@@ -2242,7 +4100,13 @@ }, "id": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "log_cert": { "type": "boolean" @@ -2251,11 +4115,23 @@ "properties": { "dns": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "email": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } }, "ip": { "type": "ip" @@ -2265,7 +4141,13 @@ }, "uri": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword", + "fields": { + "security": { + "type": "text", + "analyzer": "es_security_analyzer" + } + } } } } From d89af5f04f4a897ef4335e4029a8e04580cb7103 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 2 Mar 2022 14:25:14 +0000 Subject: [PATCH 02/10] Update agent mappings to include .security --- .../component/so/dtc-agent-mappings.json | 33 +++++++++++-------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json index a0ec531a7..41072387a 100644 --- a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json @@ -12,8 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -24,10 +25,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } 
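Review bot: Both dtc-agent-mappings.json hunks remove the `text` multi-field rather than adding `security` beside it, so any saved search, dashboard or detection query written against `agent.*.text` stops matching on indices created from the new template, while indices created earlier keep the old sub-field until rollover; over a mixed index pattern such a query silently returns partial results. If the rename is intended, the commit message should call out the breaking change and the affected sub-field name; otherwise keep `"text": { "type": "match_only_text" }` alongside the new `"security"` entry for one release. The second hunk's `keyword` change appears to be whitespace-only.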
@@ -36,10 +38,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -48,10 +51,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -60,10 +64,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } From 0b45cf7ae1e42a3b7071277e6ac637afdbb18171 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 2 Mar 2022 14:25:57 +0000 Subject: [PATCH 03/10] Update base mappings to include .security --- .../templates/component/so/dtc-base-mappings.json | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json index aa89e8876..8211dc2e2 100644 --- a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json @@ -9,8 +9,9 @@ "message": { "type": "match_only_text", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -21,10 +22,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } From aae2fd1fbb82a98ed5cb95b3dba9954c543f6791 Mon Sep 17 00:00:00 2001 
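Review bot: Every new sub-field in these hunks references `"analyzer": "es_security_analyzer"`, but no hunk visible here defines it; a component template's mappings only resolve a custom analyzer if the composed index template's `settings.index.analysis.analyzer.es_security_analyzer` exists, otherwise index creation fails at rollover with an analyzer-not-found error rather than at template install time. The series title says the analyzer definition is included, so please confirm it lands in a settings component that is always composed with these mappings and is applied in the same Salt run, so a partial apply cannot leave the mappings dangling. A short `_meta` note naming the required analyzer, next to the `documentation` key these files carry, would make the dependency discoverable to whoever next edits a single mapping file.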
From: Wes Lambert Date: Wed, 2 Mar 2022 14:27:15 +0000 Subject: [PATCH 04/10] Update DNS mappings to include .security --- .../templates/component/so/dtc-dns-mappings.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json index ba60fb6a9..c4be8249e 100644 --- a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json @@ -14,8 +14,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" From 496b1612536407bcb9849ff16ba2a1f2dd0eabe5 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 2 Mar 2022 14:27:36 +0000 Subject: [PATCH 05/10] Update ECS mappings to include .security --- .../templates/component/so/dtc-ecs-mappings.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json index 347b9b5a8..de012d3fd 100644 --- a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json @@ -12,10 +12,11 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } From e925d435ff677f015403e599f2e68dd7fe9a3a22 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 2 Mar 2022 14:33:52 +0000 Subject: [PATCH 06/10] Update event, file, and host mappings to include .security --- .../templates/component/so/dtc-event-mappings | 137 ------------------ .../component/so/dtc-event-mappings.json | 40 +++-- .../component/so/dtc-file-mappings.json | 10 +- .../component/so/dtc-host-mappings.json | 10 +- 4 files changed, 36 insertions(+), 161 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/so/dtc-event-mappings diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings b/salt/elasticsearch/templates/component/so/dtc-event-mappings deleted file mode 100644 index 8a026308b..000000000 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings +++ /dev/null 
@@ -1,137 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} 
diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index d0c2227ba..dfb7f3467 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json @@ -12,8 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -23,8 +24,9 @@ "created": { "type": "date", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -35,8 +37,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -46,8 +49,9 @@ "ingested": { "type": "date", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -58,8 +62,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -70,8 +75,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -82,8 +88,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" 
@@ -94,8 +101,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
index 0698dd978..cd0edcda8 100644
--- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json
@@ -12,8 +12,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
@@ -24,8 +25,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
index 79a4eb682..599ad55c3 100644
--- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json
@@ -12,8 +12,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
@@ -24,8 +25,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "match_only_text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
From 27c8eaa630326d8d3827b84c79f1fc4ea84a68dc Mon Sep 17 00:00:00 2001
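Review bot: In the second dtc-host-mappings.json hunk (`@@ -24,8 +25,9 @@`) the new `security` sub-field is typed `match_only_text` yet carries `"analyzer": "es_security_analyzer"`, while every other hunk in the series uses `"type": "text"` at this spot. As far as I recall, `match_only_text` does not accept the `analyzer` mapping parameter, in which case the whole component template is rejected on PUT and no index composed from it can be created; a dry run of the template against a test cluster would settle it. Change the line to `"type": "text",` so it matches the sibling hunk directly above it.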
From: Wes Lambert Date: Wed, 2 Mar 2022 14:39:23 +0000 Subject: [PATCH 07/10] Update all other mappings for .security where applicable --- .../component/so/dtc-http-mappings.json | 8 +- .../component/so/dtc-network-mappings.json | 10 +- .../component/so/dtc-observer-mappings | 219 ------------------ .../component/so/dtc-observer-mappings.json | 5 +- .../component/so/dtc-process-mappings.json | 5 +- .../component/so/dtc-rule-mappings.json | 10 +- .../component/so/dtc-service-mappings.json | 10 +- .../component/so/dtc-user-mappings.json | 5 +- .../component/so/dtc-user_agent-mappings.json | 5 +- 9 files changed, 35 insertions(+), 242 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/so/dtc-observer-mappings diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json index d51ebe195..8e705c260 100644 --- a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json @@ -14,8 +14,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +28,8 @@ "type": "keyword", "fields": { "text": { - "type": "match_only_text" + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json index f8adccf28..755426356 100644 --- a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json @@ -12,8 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" 
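Review bot: The second dtc-http-mappings.json hunk (`@@ -27,7 +28,8 @@`) keeps the sub-field name `text` while switching it to `"type": "text"` with `es_security_analyzer`, unlike every other hunk in the series, which names the analyzed sub-field `security`. The result is a field whose `.text` suffix no longer means match_only_text and which is missed by queries targeting `*.security`, so one http field behaves differently from the rest of the schema. Rename it to `"security": {` to match the first hunk of the same file, or, if the `.text` name must survive for compatibility, state that in the commit message.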
@@ -24,8 +25,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings b/salt/elasticsearch/templates/component/so/dtc-observer-mappings
deleted file mode 100644
index 1168cd100..000000000
--- a/salt/elasticsearch/templates/component/so/dtc-observer-mappings
+++ /dev/null
@@ -1,219 +0,0 @@ -{ - "_meta": { - "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html", - "ecs_version": "1.12.2" - }, - "template": { - "mappings": { - "properties": { - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - 
"ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "type": "match_only_text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json index 181496fe4..1b6219cc7 100644 --- a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json @@ -12,8 +12,9 @@ "ignore_above": 1024, "type": "keyword", "fields": { - "text": { - "type": "match_only_text" + "security": { + "type": "text", + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json index f0bf6c70b..8160f70c3 100644 
--- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json
@@ -10,8 +10,9 @@
 "properties": {
 "command_line": {
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
index 0d0bd8bd8..2e9b4de16 100644
--- a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
@@ -12,8 +12,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
@@ -24,8 +25,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json
index 7c76cc2db..d5f30f602 100644
--- a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json
@@ -12,8 +12,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
@@ -24,8 +25,9 @@
 "ignore_above": 1024,
 "type": "keyword",
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
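Review bot: The `security` subfield added to `process.command_line` has no length bound, unlike the sibling `keyword` subfields elsewhere in this commit, which the context shows guarded by `"ignore_above": 1024`. `es_security_analyzer`, as defined in common-settings.json and repeated in PATCH 08, uses the `keyword` tokenizer, so the whole value becomes a single term; if a command line exceeds Lucene's per-term limit (about 32 KB) I believe indexing fails with an immense-term error and the entire event is rejected rather than just this subfield being skipped. Command lines and `user_agent.original` (the dtc-user_agent-mappings.json hunk later in this commit) are attacker-influenced values, so a rejected event is a detection gap rather than only a data-quality issue. Consider adding a `truncate` or `length` token filter to the analyzer, or documenting the accepted bound next to the subfield, so an oversized value degrades gracefully.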
diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
index 92ef1e0df..1e51822ee 100644
--- a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json
@@ -10,8 +10,9 @@
 "properties": {
 "name": {
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
index 07f980203..a7d9c610e 100644
--- a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
@@ -10,8 +10,9 @@
 "properties": {
 "original": {
 "fields": {
- "text": {
- "type": "match_only_text"
+ "security": {
+ "type": "text",
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
From ed620b93b7c21641f9ecb4d12a7b475899c662dd Mon Sep 17 00:00:00 2001
From: Wes Lambert Date: Wed, 2 Mar 2022 14:43:19 +0000 Subject: [PATCH 08/10] Add custom analyzer definition to all SO/DTC mappings --- .../templates/component/so/case-mappings.json | 456 ++++++++++-------- .../templates/component/so/case-settings.json | 120 ++--- .../component/so/common-dynamic-mappings.json | 142 ++++-- .../component/so/common-settings.json | 120 ++--- .../component/so/dtc-agent-mappings.json | 50 +- .../component/so/dtc-base-mappings.json | 42 +- .../component/so/dtc-dns-mappings.json | 42 +- .../component/so/dtc-ecs-mappings.json | 42 +- .../component/so/dtc-event-mappings.json | 56 ++- .../component/so/dtc-file-mappings.json | 44 +- .../component/so/dtc-host-mappings.json | 44 +- .../component/so/dtc-http-mappings.json | 44 +- .../component/so/dtc-network-mappings.json | 44 +- .../component/so/dtc-observer-mappings.json | 42 +- .../component/so/dtc-process-mappings.json | 42 +- .../component/so/dtc-rule-mappings.json | 44 +- .../component/so/dtc-service-mappings.json | 44 +- .../component/so/dtc-user-mappings.json | 42 +- .../component/so/dtc-user_agent-mappings.json | 42 +- .../component/so/endgame-mappings.json | 138 ++++-- .../so/pb-override-destination-mappings.json | 40 ++ .../so/pb-override-source-mappings.json | 41 +- .../component/so/so-file-mappings.json | 42 +- .../component/so/so-rule-mappings.json | 54 ++- .../component/so/so-scan-mappings.json | 76 ++- 25 files changed, 1406 insertions(+), 487 deletions(-) diff --git a/salt/elasticsearch/templates/component/so/case-mappings.json b/salt/elasticsearch/templates/component/so/case-mappings.json index aef586459..5137b6c3a 100644 --- a/salt/elasticsearch/templates/component/so/case-mappings.json +++ b/salt/elasticsearch/templates/component/so/case-mappings.json 
@@ -1,213 +1,253 @@ - { - "template": { - "mappings": { - "properties": { - "so_audit_doc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_related": { - "properties": { - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "fields": { - "eager_global_ordinals": false, - "ignore_above": 1024, - "index": true, - "type": "flattened", - "index_options": "docs", - "split_queries_on_whitespace": false, - "doc_values": true - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "so_artifactstream": { - "properties": { - "createTime": { - "type": "date" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "content": { - "type": "text" - } - } - }, - "so_comment": { - "properties": { - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "type": "text" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "so_kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_case": { - "properties": { - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "template": { - "ignore_above": 1024, - "type": "keyword" - }, - "completeTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "priority": { - "type": "long" - }, - "title": { - "type": "text" - }, - "assigneeId": { - "ignore_above": 1024, - "type": "keyword" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "createTime": { - "type": "date" - }, - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "startTime": { - "type": "date" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "pap": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "so_artifact": { - "properties": { - "artifactType": { - "ignore_above": 1024, - "type": "keyword" - }, - "groupType": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "streamId": { - "ignore_above": 1024, - "type": "keyword" - }, - "groupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "streamLength": { - "type": "long" - }, - "description": { - "type": "text" - }, - "mimeType": { - "ignore_above": 1024, - "type": "keyword" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "ioc": { - "type": "boolean" - }, - "value": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, + "mappings": { + "properties": { + "so_audit_doc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_related": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "fields": { + "eager_global_ordinals": false, + "ignore_above": 1024, + "index": true, + "type": "flattened", + "index_options": "docs", + "split_queries_on_whitespace": false, + "doc_values": true + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" } } }, - "_meta": { - "ecs_version": "1.12.2" + "@timestamp": { + "type": "date" + }, + "so_artifactstream": { + "properties": { + "createTime": { + "type": "date" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "content": { + "type": "text" + } + } + }, + "so_comment": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "text" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_case": { + "properties": { + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "template": { + "ignore_above": 1024, + "type": "keyword" + }, + "completeTime": { + "type": "date" + }, + "description": { + "type": "text" + }, + "priority": { + "type": "long" + }, + "title": { + "type": "text" + }, + "assigneeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "pap": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_artifact": { + "properties": { + "artifactType": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "streamId": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamLength": { + "type": "long" + }, + "description": { + "type": "text" + }, + "mimeType": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "type": "boolean" + }, + "value": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } } diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json index 3a4429926..46c3cdeb9 100644 --- a/salt/elasticsearch/templates/component/so/case-settings.json +++ b/salt/elasticsearch/templates/component/so/case-settings.json 
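Review bot: The `analysis` block added under `template.settings` in case-mappings.json is the same analyzer/char_filter/filter/tokenizer definition that case-settings.json and common-settings.json already carry (visible unchanged in their hunks below), and the later hunks of this commit repeat it verbatim in common-dynamic-mappings.json and every dtc-*-mappings.json. Since component templates are composed into one index template, a single settings component is enough to make `es_security_analyzer` available, and copying it into roughly two dozen files means any future change to the analyzer has to be applied everywhere and the copies can drift; if the duplication is intentional, a short `_meta.description` naming the canonical file would help. The copies already differ from the settings files in value type, `"preserve_original": true` here versus `"preserve_original": "true"` in case-settings.json and common-settings.json. Also, the hunk re-indents all 213 lines of the file, which hides the real change, and none of the fields mapped in this hunk reference the analyzer, so as far as the visible diff shows the added settings are unused in this component.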
@@ -1,65 +1,65 @@ { - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, - "mapping": { - "total_fields": { - "limit": "3000" - } - }, - "refresh_interval": "30s", - "analysis": { - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": "true", - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "char_filter": { - "whitespace_no_way": { - "pattern": "(\\s)+", - "type": "pattern_replace", - "replacement": "$1" - } - }, - "analyzer": { - "es_security_analyzer": { - "filter": [ - "lowercase", - "trim" - ], - "char_filter": [ - "whitespace_no_way" - ], - "type": "custom", - "tokenizer": "keyword" - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "number_of_shards": "1", - "number_of_replicas": "0" + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" } } }, - "version": 1, - "_meta": { - "description": "default settings for common Security Onion Cases indices" - } + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common 
Security Onion Cases indices" + } } diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json index 7ae4ae86c..bb072133a 100644 --- a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json +++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json 
@@ -1,56 +1,96 @@ { - "template": { - "mappings": { - "dynamic_templates": [ - { - "ip_address": { - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields": { - "keyword": { - "ignore_above": 45, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields": { - "keyword": { - "ignore_above": 6, - "type": "keyword" - } - } - } - } - }, - { - "strings": { - "mapping": { - "type": "text", - "fields": { - "security": { - "analyzer": "es_security_analyzer", - "type": "text" - }, - "keyword": { - "ignore_above": 32765, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" - } - } + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" ] } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } } + } + }, + "mappings": { + "dynamic_templates": [ + { + "ip_address": { + "path_match": "*.ip", + "mapping": { + "type": "ip", + "fields": { + "keyword": { + "ignore_above": 45, + "type": "keyword" + } + } + }, + "match_mapping_type": "string" + } + }, + { + "port": { + "path_match": "*.port", + "path_unmatch": "*.data.port", + "mapping": { + "type": "integer", + "fields": { + "keyword": { + "ignore_above": 6, + "type": "keyword" + } + } + } + } + }, + { + "strings": { + "mapping": { + "type": "text", + "fields": { + "security": { + "analyzer": "es_security_analyzer", + "type": "text" + }, + "keyword": { + 
"ignore_above": 32765, + "type": "keyword" + } + } + }, + "match_mapping_type": "string" + } + } + ] + } + } } diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json index 729ba3388..7d60192c3 100644 --- a/salt/elasticsearch/templates/component/so/common-settings.json +++ b/salt/elasticsearch/templates/component/so/common-settings.json 
@@ -1,65 +1,65 @@ { - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, - "mapping": { - "total_fields": { - "limit": "3000" - } - }, - "refresh_interval": "30s", - "analysis": { - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": "true", - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "char_filter": { - "whitespace_no_way": { - "pattern": "(\\s)+", - "type": "pattern_replace", - "replacement": "$1" - } - }, - "analyzer": { - "es_security_analyzer": { - "filter": [ - "lowercase", - "trim" - ], - "char_filter": [ - "whitespace_no_way" - ], - "type": "custom", - "tokenizer": "keyword" - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "number_of_shards": "1", - "number_of_replicas": "0" + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" } } }, - "version": 1, - "_meta": { - "description": "default settings for common Security Onion indices" - } + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common Security 
Onion indices" + } } diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json index 41072387a..871bdcc05 100644 --- a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "agent": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -29,7 +69,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -42,7 +82,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -55,7 +95,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -68,7 +108,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json index 8211dc2e2..0bc940e66 100644 --- a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json 
+++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "message": { @@ -26,7 +66,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json index c4be8249e..56a529bf2 100644 --- a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "dns": { 
@@ -16,7 +56,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json index de012d3fd..549385123 100644 --- a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "ecs": { @@ -16,7 +56,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index dfb7f3467..a64a30a26 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "event": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -26,7 +66,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -39,7 +79,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -51,7 +91,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -64,7 +104,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -77,7 +117,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -90,7 +130,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" 
@@ -103,7 +143,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json index cd0edcda8..c58ae77ab 100644 --- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "file": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json index 599ad55c3..b7645acdf 100644 --- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "host": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "match_only_text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json index 8e705c260..05c9681ce 100644 --- a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "http": { @@ -16,7 +56,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -29,7 +69,7 @@ "fields": { "text": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json index 755426356..daa1521c5 100644 --- a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json 
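Review bot: In the second hunk of this file the analyzer is attached to a multi-field named `text` rather than `security` (`"text": { "type": "text", "analyzer": "es_security_analyzer" }`), the only place in this series where the analyzed subfield is not called `.security`, so any saved search or detection that targets `*.security` will silently skip this http field. Unless something already depends on the `.text` name, I would rename it to `"security"` for consistency with the other templates, or add a `.security` subfield alongside it. That hunk changes only indentation, so the mismatch predates this commit, but it is now carried forward into all templates.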
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "network": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json index 1b6219cc7..be1c05510 100644 --- a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "observer": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json index 8160f70c3..a70df5c77 100644 --- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "process": { 
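Review bot: For the process template the `.security` subfield in the next hunk inherits nothing from the parent `keyword` field's `ignore_above`, and `es_security_analyzer` emits the whole value as a single token, so a very long `process.command_line` or `process.args` value would, as far as I recall Lucene's immense-term limit (32766 bytes), be rejected at index time and the whole event dropped rather than just the subfield skipped. Long encoded PowerShell and injected command lines are precisely the events a detection pipeline must not lose, so this deserves a test before rollout. Bounding the token in the analyzer, e.g. `"filter": ["lowercase", "trim", "security_truncate"]` with `"security_truncate": { "type": "truncate", "length": 8000 }`, would cap the analyzed copy without touching the `keyword` field; please confirm the behaviour against the ES release in use.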
@@ -12,7 +52,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json index 2e9b4de16..797f51a86 100644 --- a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "rule": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json index d5f30f602..0e82f6698 100644 --- a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "service": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json index 1e51822ee..d0162d675 100644 --- a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "user": { @@ -12,7 +52,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json index a7d9c610e..ec5a58e3a 100644 --- a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "user_agent": { 
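Review bot: On the user template the new `.security` subfield in the next hunk lowercases `user.name`, so `Admin` and `admin` become the same token; that is convenient for hunting, but on case-sensitive systems (Linux accounts, LDAP DNs) they can be distinct principals, so attribution and any rule that compares accounts must keep using the exact `user.name` keyword field. A short note wherever the `.security` fields are documented, along the lines of `.security is a normalised search field, not the field of record`, would prevent analysts from pivoting on it for exact matches.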
@@ -12,7 +52,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/endgame-mappings.json b/salt/elasticsearch/templates/component/so/endgame-mappings.json index d32fb962d..6a8adfa5d 100644 --- a/salt/elasticsearch/templates/component/so/endgame-mappings.json +++ b/salt/elasticsearch/templates/component/so/endgame-mappings.json 
@@ -1,53 +1,93 @@ - { - "template": { - "mappings": { - "properties": { - "endgame": { - "dynamic": false, - "properties": { - "data": { - "properties": { - "malware_classification": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "quarantine_result": { - "properties": { - "local_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "event_subtype_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type_full": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - } - } +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" } }, - "_meta": { - "ecs_version": "1.12.2" + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } } + } + }, + "mappings": { + "properties": { + "endgame": { + "dynamic": false, + "properties": { + "data": { + "properties": { + "malware_classification": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "quarantine_result": { + "properties": { + "local_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "event_subtype_full": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type_full": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + 
"type": "object" + } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } } diff --git a/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json b/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json index 8e3ab45f3..68f69500d 100644 --- a/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json +++ b/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "destination": { diff --git a/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json b/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json index 55f105b8c..947daf0b7 100644 --- a/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json +++ b/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json 
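Review bot: The endgame template receives the full `analysis` block, but no field in the rewritten mapping references `es_security_analyzer`: every leaf is a plain `keyword` with `ignore_above`, and `endgame` is `"dynamic": false`, so no future field will pick it up either; the added settings are dead weight in this file and I would drop them here. The hunk also re-indents the entire file, which makes it hard to confirm that nothing inside the `endgame` properties changed; a separate whitespace-only commit, or a note in the PR that `git diff -w` shows only the settings addition, would make it reviewable. Moving `_meta` below `template` is harmless.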
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "source": { @@ -30,4 +70,3 @@ } } } - diff --git a/salt/elasticsearch/templates/component/so/so-file-mappings.json b/salt/elasticsearch/templates/component/so/so-file-mappings.json index 1b87b0915..3f1188234 100644 --- a/salt/elasticsearch/templates/component/so/so-file-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-file-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "file": { @@ -15,7 +55,7 @@ "type": "keyword", "fields": { "keyword": { - "type": "keyword" + "type": "keyword" } } } 
diff --git a/salt/elasticsearch/templates/component/so/so-rule-mappings.json b/salt/elasticsearch/templates/component/so/so-rule-mappings.json index 00cea1bfe..3e792f17b 100644 --- a/salt/elasticsearch/templates/component/so/so-rule-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-rule-mappings.json @@ -4,15 +4,55 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { - "rule":{ - "properties":{ - "score":{ - "type":"long" - } - } - } + "rule": { + "properties": { + "score": { + "type": "long" + } + } + } } } } diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json index 00d10f73b..23e6142fc 100644 --- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json +++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json 
@@ -4,27 +4,67 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { - "scan":{ - "type":"object", - "properties":{ - "exiftool":{ - "type":"text" - }, - "pe":{ - "properties":{ - "sections":{ - "properties":{ - "entropy":{ + "scan": { + "type": "object", + "properties": { + "exiftool": { + "type": "text" + }, + "pe": { + "properties": { + "sections": { + "properties": { + "entropy": { "type": "float" - } - } - } - } - } - } - } + } + } + } + } + } + } + } } } } From ab9b81ea3991689e1f26c1a81fb66988b21b3c25 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 2 Mar 2022 15:01:05 +0000 Subject: [PATCH 09/10] Change match_only_text to text for mac in host mappings --- .../elasticsearch/templates/component/so/dtc-host-mappings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json index b7645acdf..02095b004 100644 --- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json @@ -66,7 +66,7 @@ "type": "keyword", "fields": { "security": { - "type": "match_only_text", + "type": "text", "analyzer": "es_security_analyzer" }, "keyword": { 
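Review bot: The switch from `match_only_text` to `text` for `host.mac.security` is the right direction because, if I recall the 7.x docs correctly, `match_only_text` does not accept a custom `analyzer` and always uses the index default, so the previous definition would either have been rejected or ignored `es_security_analyzer` entirely; the commit message could state that so the next reader knows why `text` is required here. For MAC addresses specifically, lowercasing the analyzed subfield hides the real inconsistency: the `keyword` copy used for exact match and aggregation still treats `AA-BB-CC` and `aa:bb:cc` as different values, so normalising to the ECS-recommended uppercase, hyphen-separated form in the ingest pipeline is the more useful fix. The enclosing `host.mac` definition starts above this hunk.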
From 2ba72791aa56bc714fa3ff066305061fb23cd976 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 2 Mar 2022 10:31:15 -0500 Subject: [PATCH 10/10] Remove sigma regen cron --- salt/playbook/init.sls | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index 2decc6134..e437ae350 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -109,14 +109,7 @@ so-playbookruleupdatecron: - user: root - minute: '1' - hour: '6' - -so-playbookregencron: - cron.present: - - name: /usr/sbin/so-playbook-sigma-refresh > /opt/so/log/playbook/regen.log 2>&1 - - user: root - - minute: '55' - - hour: '23' - + {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %} idh-plays: file.recurse: