CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-24 21:47:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #7396 from Security-Onion-Solutions/fix/dot_security

Browse Source 
Revert back to usage of .security field
This commit is contained in:
weslambert
2022-03-02 10:42:29 -05:00
committed by GitHub
parent 93386f4620 2ba72791aa
commit b80e82aaf6
89 changed files with 26824 additions and 4280 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/elasticsearch/templates/component/ecs/agent.json
+83 -7
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"agent": { "agent": {
@@ -12,33 +52,69 @@
"properties": { "properties": {
"original": { "original": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"ephemeral_id": { "ephemeral_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/aws.json
+640 -96
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/azure.json
+838 -114
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/base.json
+48 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"@timestamp": { "@timestamp": {
@@ -17,9 +57,15 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/cef.json
+1076 -148
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/checkpoint.json
+2371 -333
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/cisco.json
+747 -101
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/client.json
+218 -31
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"client": { "client": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -21,8 +67,9 @@
"properties": { "properties": {
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -37,52 +84,118 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -91,7 +204,13 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -111,30 +230,61 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -144,30 +294,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -175,7 +356,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -184,4 +371,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/cloud.json
+118 -12
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"cloud": { "cloud": {
@@ -12,27 +52,57 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"availability_zone": { "availability_zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"instance": { "instance": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -40,7 +110,13 @@
"properties": { "properties": {
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -48,27 +124,57 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"provider": { "provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"service": { "service": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -77,4 +183,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/container.json
+76 -6
View File
@@ -4,23 +4,81 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"container": { "container": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"image": { "image": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -29,15 +87,27 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"runtime": { "runtime": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/cyberark.json
+481 -63
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"cyberarkpas": { "cyberarkpas": {
@@ -12,241 +52,565 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ca_properties": { "ca_properties": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_disabled": { "cpm_disabled": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_error_details": { "cpm_error_details": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_status": { "cpm_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creation_method": { "creation_method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"customer": { "customer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"database": { "database": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"device_type": { "device_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dual_account_status": { "dual_account_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"group_name": { "group_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"in_process": { "in_process": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"index": { "index": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_fail_date": { "last_fail_date": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_change": { "last_success_change": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_reconciliation": { "last_success_reconciliation": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_verification": { "last_success_verification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_task": { "last_task": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logon_domain": { "logon_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"other": { "other": {
"type": "flattened" "type": "flattened"
}, },
"policy_id": { "policy_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"port": { "port": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"privcloud": { "privcloud": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reset_immediately": { "reset_immediately": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"retries_count": { "retries_count": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sequence_id": { "sequence_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user_dn": { "user_dn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user_name": { "user_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_username": { "virtual_username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"desc": { "desc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"extra_details": { "extra_details": {
"properties": { "properties": {
"ad_process_id": { "ad_process_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ad_process_name": { "ad_process_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_type": { "application_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"command": { "command": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"connection_component_id": { "connection_component_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_host": { "dst_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logon_account": { "logon_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"managed_account": { "managed_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"other": { "other": {
"type": "flattened" "type": "flattened"
}, },
"process_id": { "process_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"process_name": { "process_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"psmid": { "psmid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_duration": { "session_duration": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_host": { "src_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"file": { "file": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gateway_station": { "gateway_station": {
"type": "ip" "type": "ip"
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"iso_timestamp": { "iso_timestamp": {
"type": "date" "type": "date"
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"doc_values": false, "doc_values": false,
"ignore_above": 4096, "ignore_above": 4096,
"index": false, "index": false,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message_id": { "message_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pvwa_details": { "pvwa_details": {
"type": "flattened" "type": "flattened"
@@ -255,45 +619,99 @@
"doc_values": false, "doc_values": false,
"ignore_above": 4096, "ignore_above": 4096,
"index": false, "index": false,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rfc5424": { "rfc5424": {
"type": "boolean" "type": "boolean"
}, },
"safe": { "safe": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_user": { "source_user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"station": { "station": {
"type": "ip" "type": "ip"
}, },
"target_user": { "target_user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/data_stream.json
+41 -1
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"data_stream": { "data_stream": {
@@ -22,4 +62,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/destination.json
+218 -31
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"destination": { "destination": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -21,8 +67,9 @@
"properties": { "properties": {
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -37,52 +84,118 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -91,7 +204,13 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -111,30 +230,61 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -144,30 +294,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -175,7 +356,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -184,4 +371,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/dll.json
+174 -20
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dll": { "dll": {
@@ -12,26 +52,56 @@
"properties": { "properties": {
"digest_algorithm": { "digest_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"exists": { "exists": {
"type": "boolean" "type": "boolean"
}, },
"signing_id": { "signing_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject_name": { "subject_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"team_id": { "team_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -48,63 +118,147 @@
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha512": { "sha512": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ssdeep": { "ssdeep": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pe": { "pe": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"company": { "company": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_version": { "file_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"imphash": { "imphash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_file_name": { "original_file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -113,4 +267,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/dns.json
+146 -16
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dns": { "dns": {
@@ -12,63 +52,141 @@
"properties": { "properties": {
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"data": { "data": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ttl": { "ttl": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
}, },
"header_flags": { "header_flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"op_code": { "op_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"question": { "question": {
"properties": { "properties": {
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -77,15 +195,27 @@
}, },
"response_code": { "response_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/ecs.json
+48 -2
View File
@@ -4,17 +4,63 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"ecs": { "ecs": {
"properties": { "properties": {
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/elasticsearch.json
+48 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"@timestamp": { "@timestamp": {
@@ -17,9 +57,15 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/error.json
+66 -4
View File
@@ -4,23 +4,79 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"error": { "error": {
"properties": { "properties": {
"code": { "code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"type": "match_only_text" "type": "match_only_text"
}, },
"stack_trace": { "stack_trace": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -29,11 +85,17 @@
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/event.json
+160 -18
View File
@@ -4,32 +4,102 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"event": { "event": {
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"agent_id_status": { "agent_id_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"code": { "code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"created": { "created": {
"type": "date" "type": "date"
}, },
"dataset": { "dataset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"duration": { "duration": {
"type": "long" "type": "long"
@@ -39,43 +109,97 @@
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ingested": { "ingested": {
"type": "date" "type": "date"
}, },
"kind": { "kind": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original": { "original": {
"doc_values": false, "doc_values": false,
"index": false, "index": false,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"outcome": { "outcome": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"provider": { "provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"risk_score": { "risk_score": {
"type": "float" "type": "float"
@@ -94,19 +218,37 @@
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/file.json
+537 -75
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -13,32 +53,68 @@
}, },
"attributes": { "attributes": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"code_signature": { "code_signature": {
"properties": { "properties": {
"digest_algorithm": { "digest_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"exists": { "exists": {
"type": "boolean" "type": "boolean"
}, },
"signing_id": { "signing_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject_name": { "subject_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"team_id": { "team_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -59,29 +135,65 @@
}, },
"device": { "device": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"directory": { "directory": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"drive_letter": { "drive_letter": {
"ignore_above": 1, "ignore_above": 1,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"elf": { "elf": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"byte_order": { "byte_order": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpu_type": { "cpu_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creation_date": { "creation_date": {
"type": "date" "type": "date"
@@ -93,34 +205,76 @@
"properties": { "properties": {
"abi_version": { "abi_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"data": { "data": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entrypoint": { "entrypoint": {
"type": "long" "type": "long"
}, },
"object_version": { "object_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os_abi": { "os_abi": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -137,22 +291,46 @@
}, },
"flags": { "flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"physical_offset": { "physical_offset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"physical_size": { "physical_size": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_address": { "virtual_address": {
"type": "long" "type": "long"
@@ -167,92 +345,201 @@
"properties": { "properties": {
"sections": { "sections": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "nested" "type": "nested"
}, },
"shared_libraries": { "shared_libraries": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"telfhash": { "telfhash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"extension": { "extension": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fork_name": { "fork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gid": { "gid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"group": { "group": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha512": { "sha512": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ssdeep": { "ssdeep": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"inode": { "inode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mode": { "mode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mtime": { "mtime": {
"type": "date" "type": "date"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"owner": { "owner": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -262,31 +549,73 @@
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"company": { "company": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_version": { "file_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"imphash": { "imphash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_file_name": { "original_file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -295,8 +624,9 @@
}, },
"target_path": { "target_path": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -304,47 +634,107 @@
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uid": { "uid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -356,11 +746,23 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -372,47 +774,107 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -421,4 +883,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/fortinet.json
+2161 -303
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/gcp.json
+327 -41
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"gcp": { "gcp": {
@@ -14,17 +54,35 @@
"properties": { "properties": {
"authority_selector": { "authority_selector": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"principal_email": { "principal_email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"method_name": { "method_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"num_response_items": { "num_response_items": {
"type": "long" "type": "long"
@@ -33,19 +91,43 @@
"properties": { "properties": {
"filter": { "filter": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"proto_name": { "proto_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource_name": { "resource_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -56,7 +138,13 @@
}, },
"caller_supplied_user_agent": { "caller_supplied_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -64,13 +152,25 @@
"properties": { "properties": {
"current_locations": { "current_locations": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"resource_name": { "resource_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"response": { "response": {
"properties": { "properties": {
@@ -78,35 +178,77 @@
"properties": { "properties": {
"group": { "group": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kind": { "kind": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uid": { "uid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"proto_name": { "proto_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"service_name": { "service_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"properties": { "properties": {
@@ -115,13 +257,25 @@
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -131,15 +285,33 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -147,15 +319,33 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subnetwork_name": { "subnetwork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vpc_name": { "vpc_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -167,42 +357,96 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"destination_range": { "destination_range": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"direction": { "direction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_range": { "source_range": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_service_account": { "source_service_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_tag": { "source_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target_service_account": { "target_service_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target_tag": { "target_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -214,15 +458,33 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -230,15 +492,33 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subnetwork_name": { "subnetwork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vpc_name": { "vpc_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -248,7 +528,13 @@
"properties": { "properties": {
"reporter": { "reporter": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rtt": { "rtt": {
"properties": { "properties": {
salt/elasticsearch/templates/component/ecs/google_workspace.json
+880 -120
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/group.json
+62 -4
View File
@@ -4,25 +4,83 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"group": { "group": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/host.json
+263 -39
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"host": { "host": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpu": { "cpu": {
"properties": { "properties": {
@@ -40,73 +86,163 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"network": { "network": {
"properties": { "properties": {
@@ -136,12 +272,19 @@
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -149,12 +292,19 @@
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -162,21 +312,45 @@
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uptime": { "uptime": {
"type": "long" "type": "long"
@@ -185,16 +359,29 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -204,30 +391,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -235,7 +453,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -244,4 +468,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/http.json
+91 -7
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"http": { "http": {
@@ -17,6 +57,10 @@
}, },
"content": { "content": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -30,19 +74,43 @@
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"method": { "method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"referrer": { "referrer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -55,6 +123,10 @@
}, },
"content": { "content": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -68,7 +140,13 @@
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status_code": { "status_code": {
"type": "long" "type": "long"
@@ -77,11 +155,17 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/juniper.json
+530 -70
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"juniper": { "juniper": {
@@ -12,47 +52,113 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"action_detail": { "action_detail": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"alert": { "alert": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"apbr_rule_type": { "apbr_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application": { "application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_category": { "application_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_characteristics": { "application_characteristics": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_name": { "application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_sub_category": { "application_sub_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"attack_name": { "attack_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"client_ip": { "client_ip": {
"type": "ip" "type": "ip"
@@ -62,85 +168,181 @@
}, },
"connection_tag": { "connection_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_hit_rate": { "context_hit_rate": {
"type": "long" "type": "long"
}, },
"context_name": { "context_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_value": { "context_value": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_value_hit_rate": { "context_value_hit_rate": {
"type": "long" "type": "long"
}, },
"ddos_application_name": { "ddos_application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dscp_value": { "dscp_value": {
"type": "long" "type": "long"
}, },
"dst_nat_rule_name": { "dst_nat_rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_nat_rule_type": { "dst_nat_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_vrf_grp": { "dst_vrf_grp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"elapsed_time": { "elapsed_time": {
"type": "date" "type": "date"
}, },
"encrypted": { "encrypted": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"epoch_time": { "epoch_time": {
"type": "date" "type": "date"
}, },
"error_code": { "error_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"error_message": { "error_message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"export_id": { "export_id": {
"type": "long" "type": "long"
}, },
"feed_name": { "feed_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_category": { "file_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_hash_lookup": { "file_hash_lookup": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_name": { "file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"filename": { "filename": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"icmp_type": { "icmp_type": {
"type": "long" "type": "long"
@@ -153,39 +355,93 @@
}, },
"index": { "index": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logical_system_name": { "logical_system_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"malware_info": { "malware_info": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message_type": { "message_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat_connection_tag": { "nat_connection_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nested_application": { "nested_application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"obj": { "obj": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"occur_count": { "occur_count": {
"type": "long" "type": "long"
@@ -207,7 +463,13 @@
}, },
"peer_session_id": { "peer_session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"peer_source_address": { "peer_source_address": {
"type": "ip" "type": "ip"
@@ -217,118 +479,286 @@
}, },
"policy_name": { "policy_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"process": { "process": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"profile": { "profile": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"profile_name": { "profile_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol_id": { "protocol_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol_name": { "protocol_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"repeat_count": { "repeat_count": {
"type": "long" "type": "long"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"routing_instance": { "routing_instance": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rule_name": { "rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ruleebase_name": { "ruleebase_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sample_sha256": { "sample_sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"secure_web_proxy_session_type": { "secure_web_proxy_session_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"service_name": { "service_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id_32": { "session_id_32": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_nat_rule_name": { "src_nat_rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_nat_rule_type": { "src_nat_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_vrf_grp": { "src_vrf_grp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sub_category": { "sub_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"temporary_filename": { "temporary_filename": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tenant_id": { "tenant_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"th": { "th": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threat_severity": { "threat_severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"time_count": { "time_count": {
"type": "long" "type": "long"
@@ -338,14 +768,26 @@
}, },
"time_scope": { "time_scope": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uplink_rx_bytes": { "uplink_rx_bytes": {
"type": "long" "type": "long"
@@ -355,18 +797,36 @@
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"verdict_number": { "verdict_number": {
"type": "long" "type": "long"
}, },
"verdict_source": { "verdict_source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/kibana.json
+124 -12
View File
@@ -4,29 +4,99 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"kibana": { "kibana": {
"properties": { "properties": {
"add_to_spaces": { "add_to_spaces": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_provider": { "authentication_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_realm": { "authentication_realm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_type": { "authentication_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"delete_from_spaces": { "delete_from_spaces": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"log": { "log": {
"properties": { "properties": {
@@ -35,37 +105,79 @@
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"lookup_realm": { "lookup_realm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"saved_object": { "saved_object": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"space_id": { "space_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/log.json
+97 -9
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"log": { "log": {
@@ -12,17 +52,35 @@
"properties": { "properties": {
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"level": { "level": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logger": { "logger": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"origin": { "origin": {
"properties": { "properties": {
@@ -33,20 +91,38 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"function": { "function": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"original": { "original": {
"doc_values": false, "doc_values": false,
"index": false, "index": false,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"syslog": { "syslog": {
"properties": { "properties": {
@@ -57,7 +133,13 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -71,7 +153,13 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -83,4 +171,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/logstash.json
+94 -18
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"logstash": { "logstash": {
@@ -14,24 +54,42 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pipeline_id": { "pipeline_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"thread": { "thread": {
"fields": { "fields": {
"text": { "security": {
"norms": false, "type": "text",
"type": "text" "analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -43,9 +101,9 @@
"properties": { "properties": {
"event": { "event": {
"fields": { "fields": {
"text": { "security": {
"norms": false, "type": "text",
"type": "text" "analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -53,17 +111,29 @@
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"plugin_name": { "plugin_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"plugin_params": { "plugin_params": {
"fields": { "fields": {
"text": { "security": {
"norms": false, "type": "text",
"type": "text" "analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -74,13 +144,19 @@
}, },
"plugin_type": { "plugin_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"thread": { "thread": {
"fields": { "fields": {
"text": { "security": {
"norms": false, "type": "text",
"type": "text" "analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
salt/elasticsearch/templates/component/ecs/microsoft.json
+404 -52
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"microsoft": { "microsoft": {
@@ -12,72 +52,156 @@
"properties": { "properties": {
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"evidence": { "evidence": {
"properties": { "properties": {
"aadUserId": { "aadUserId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"accountName": { "accountName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"domainName": { "domainName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entityType": { "entityType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ipAddress": { "ipAddress": {
"type": "ip" "type": "ip"
}, },
"userPrincipalName": { "userPrincipalName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationId": { "investigationId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"lastUpdateTime": { "lastUpdateTime": {
"type": "date" "type": "date"
}, },
"rbacGroupName": { "rbacGroupName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resolvedTime": { "resolvedTime": {
"type": "date" "type": "date"
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threatFamilyName": { "threatFamilyName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -87,26 +211,56 @@
"properties": { "properties": {
"actorName": { "actorName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creationTime": { "creationTime": {
"type": "date" "type": "date"
}, },
"detectionSource": { "detectionSource": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"devices": { "devices": {
"type": "flattened" "type": "flattened"
@@ -115,145 +269,343 @@
"properties": { "properties": {
"accountName": { "accountName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"clusterBy": { "clusterBy": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deliveryAction": { "deliveryAction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deviceId": { "deviceId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entityType": { "entityType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ipAddress": { "ipAddress": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mailboxAddress": { "mailboxAddress": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mailboxDisplayName": { "mailboxDisplayName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"recipient": { "recipient": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryHive": { "registryHive": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryKey": { "registryKey": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryValueType": { "registryValueType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"securityGroupId": { "securityGroupId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"securityGroupName": { "securityGroupName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sender": { "sender": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationId": { "investigationId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"lastUpdatedTime": { "lastUpdatedTime": {
"type": "date" "type": "date"
}, },
"mitreTechniques": { "mitreTechniques": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resolvedTime": { "resolvedTime": {
"type": "date" "type": "date"
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threatFamilyName": { "threatFamilyName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"userSid": { "userSid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"incidentName": { "incidentName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"redirectIncidentId": { "redirectIncidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/misp.json
+607 -81
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"misp": { "misp": {
@@ -12,19 +52,43 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kill_chain_phases": { "kill_chain_phases": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -32,29 +96,59 @@
"properties": { "properties": {
"aliases": { "aliases": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"first_seen": { "first_seen": {
"type": "date" "type": "date"
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_seen": { "last_seen": {
"type": "date" "type": "date"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"objective": { "objective": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -62,15 +156,33 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -78,31 +190,73 @@
"properties": { "properties": {
"contact_information": { "contact_information": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"identity_class": { "identity_class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sectors": { "sectors": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -110,41 +264,89 @@
"properties": { "properties": {
"aliases": { "aliases": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"first_seen": { "first_seen": {
"type": "date" "type": "date"
}, },
"goals": { "goals": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_seen": { "last_seen": {
"type": "date" "type": "date"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"primary_motivation": { "primary_motivation": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource_level": { "resource_level": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"secondary_motivations": { "secondary_motivations": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -152,23 +354,53 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kill_chain_phases": { "kill_chain_phases": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -176,23 +408,53 @@
"properties": { "properties": {
"authors": { "authors": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"object_refs": { "object_refs": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"summary": { "summary": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -203,7 +465,13 @@
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_observed": { "last_observed": {
"type": "date" "type": "date"
@@ -213,7 +481,13 @@
}, },
"objects": { "objects": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -221,23 +495,53 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"object_refs": { "object_refs": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"published": { "published": {
"type": "date" "type": "date"
@@ -248,51 +552,123 @@
"properties": { "properties": {
"aliases": { "aliases": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"goals": { "goals": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"personal_motivations": { "personal_motivations": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"primary_motivation": { "primary_motivation": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource_level": { "resource_level": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"roles": { "roles": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"secondary_motivations": { "secondary_motivations": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sophistication": { "sophistication": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -300,66 +676,156 @@
"properties": { "properties": {
"attack_pattern": { "attack_pattern": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"attack_pattern_kql": { "attack_pattern_kql": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"campaign": { "campaign": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"confidence": { "confidence": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"feed": { "feed": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"intrusion_set": { "intrusion_set": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kill_chain_phases": { "kill_chain_phases": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mitre_tactic": { "mitre_tactic": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mitre_technique": { "mitre_technique": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"negate": { "negate": {
"type": "boolean" "type": "boolean"
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threat_actor": { "threat_actor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"valid_from": { "valid_from": {
"type": "date" "type": "date"
@@ -369,7 +835,13 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -377,27 +849,63 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kill_chain_phases": { "kill_chain_phases": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"labels": { "labels": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tool_version": { "tool_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -405,15 +913,33 @@
"properties": { "properties": {
"description": { "description": {
"norms": false, "norms": false,
"type": "text" "type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/netflow.json
+369 -47
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"netflow": { "netflow": {
@@ -34,26 +74,56 @@
}, },
"application_category_name": { "application_category_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_description": { "application_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_group_name": { "application_group_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_id": { "application_id": {
"type": "short" "type": "short"
}, },
"application_name": { "application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_sub_category_name": { "application_sub_category_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"bgp_destination_as_number": { "bgp_destination_as_number": {
"type": "long" "type": "long"
@@ -84,7 +154,13 @@
}, },
"class_name": { "class_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification_engine_id": { "classification_engine_id": {
"type": "short" "type": "short"
@@ -151,7 +227,13 @@
}, },
"destination_mac_address": { "destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"destination_transport_port": { "destination_transport_port": {
"type": "long" "type": "long"
@@ -182,14 +264,26 @@
}, },
"dot1q_customer_destination_mac_address": { "dot1q_customer_destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dot1q_customer_priority": { "dot1q_customer_priority": {
"type": "short" "type": "short"
}, },
"dot1q_customer_source_mac_address": { "dot1q_customer_source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dot1q_customer_vlan_id": { "dot1q_customer_vlan_id": {
"type": "long" "type": "long"
@@ -253,7 +347,13 @@
}, },
"encrypted_technology": { "encrypted_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"engine_id": { "engine_id": {
"type": "short" "type": "short"
@@ -298,7 +398,13 @@
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_id": { "source_id": {
"type": "long" "type": "long"
@@ -466,34 +572,76 @@
}, },
"http_content_type": { "http_content_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_message_version": { "http_message_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_reason_phrase": { "http_reason_phrase": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_host": { "http_request_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_method": { "http_request_method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_target": { "http_request_target": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_status_code": { "http_status_code": {
"type": "long" "type": "long"
}, },
"http_user_agent": { "http_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"icmp_code_ipv4": { "icmp_code_ipv4": {
"type": "short" "type": "short"
@@ -536,7 +684,13 @@
}, },
"information_element_description": { "information_element_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"information_element_id": { "information_element_id": {
"type": "long" "type": "long"
@@ -546,7 +700,13 @@
}, },
"information_element_name": { "information_element_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"information_element_range_begin": { "information_element_range_begin": {
"type": "long" "type": "long"
@@ -589,11 +749,23 @@
}, },
"interface_description": { "interface_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"interface_name": { "interface_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"intermediate_process_id": { "intermediate_process_id": {
"type": "long" "type": "long"
@@ -741,7 +913,13 @@
}, },
"metro_evc_id": { "metro_evc_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"metro_evc_type": { "metro_evc_type": {
"type": "short" "type": "short"
@@ -754,29 +932,59 @@
}, },
"mib_context_name": { "mib_context_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_index_indicator": { "mib_index_indicator": {
"type": "long" "type": "long"
}, },
"mib_module_name": { "mib_module_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_description": { "mib_object_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_identifier": { "mib_object_identifier": {
"type": "short" "type": "short"
}, },
"mib_object_name": { "mib_object_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_syntax": { "mib_object_syntax": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_value_bits": { "mib_object_value_bits": {
"type": "short" "type": "short"
@@ -834,11 +1042,23 @@
}, },
"mobile_imsi": { "mobile_imsi": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mobile_msisdn": { "mobile_msisdn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"monitoring_interval_end_milli_seconds": { "monitoring_interval_end_milli_seconds": {
"type": "date" "type": "date"
@@ -929,7 +1149,13 @@
}, },
"nat_pool_name": { "nat_pool_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat_quota_exceeded_event": { "nat_quota_exceeded_event": {
"type": "long" "type": "long"
@@ -963,7 +1189,13 @@
}, },
"observation_domain_name": { "observation_domain_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"observation_point_id": { "observation_point_id": {
"type": "long" "type": "long"
@@ -1021,7 +1253,13 @@
}, },
"p2p_technology": { "p2p_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"packet_delta_count": { "packet_delta_count": {
"type": "long" "type": "long"
@@ -1052,7 +1290,13 @@
}, },
"post_destination_mac_address": { "post_destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"post_dot1q_customer_vlan_id": { "post_dot1q_customer_vlan_id": {
"type": "long" "type": "long"
@@ -1128,7 +1372,13 @@
}, },
"post_source_mac_address": { "post_source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"post_vlan_id": { "post_vlan_id": {
"type": "long" "type": "long"
@@ -1180,7 +1430,13 @@
}, },
"sampler_name": { "sampler_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sampler_random_interval": { "sampler_random_interval": {
"type": "long" "type": "long"
@@ -1247,7 +1503,13 @@
}, },
"selector_name": { "selector_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_scope": { "session_scope": {
"type": "short" "type": "short"
@@ -1272,7 +1534,13 @@
}, },
"source_mac_address": { "source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_transport_port": { "source_transport_port": {
"type": "long" "type": "long"
@@ -1288,7 +1556,13 @@
}, },
"sta_mac_address": { "sta_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"system_init_time_milliseconds": { "system_init_time_milliseconds": {
"type": "date" "type": "date"
@@ -1355,11 +1629,23 @@
}, },
"tunnel_technology": { "tunnel_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"udp_destination_port": { "udp_destination_port": {
"type": "long" "type": "long"
@@ -1375,7 +1661,13 @@
}, },
"user_name": { "user_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"value_distribution_method": { "value_distribution_method": {
"type": "short" "type": "short"
@@ -1385,11 +1677,23 @@
}, },
"virtual_station_interface_name": { "virtual_station_interface_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_station_name": { "virtual_station_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_station_uuid": { "virtual_station_uuid": {
"type": "short" "type": "short"
@@ -1402,18 +1706,36 @@
}, },
"vr_fname": { "vr_fname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"wlan_channel_id": { "wlan_channel_id": {
"type": "short" "type": "short"
}, },
"wlan_ssid": { "wlan_ssid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"wtp_mac_address": { "wtp_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/network.json
+125 -13
View File
@@ -4,31 +4,95 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"network": { "network": {
"properties": { "properties": {
"application": { "application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"bytes": { "bytes": {
"type": "long" "type": "long"
}, },
"community_id": { "community_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"direction": { "direction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"forwarded_ip": { "forwarded_ip": {
"type": "ip" "type": "ip"
}, },
"iana_number": { "iana_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"inner": { "inner": {
"properties": { "properties": {
@@ -36,11 +100,23 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -49,32 +125,68 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"packets": { "packets": {
"type": "long" "type": "long"
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"transport": { "transport": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vlan": { "vlan": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -83,4 +195,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/o365.json
+649 -87
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/observer.json
+292 -40
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"observer": { "observer": {
@@ -14,15 +54,33 @@
"properties": { "properties": {
"alias": { "alias": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -30,17 +88,35 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
@@ -49,52 +125,118 @@
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ingress": { "ingress": {
"properties": { "properties": {
@@ -102,15 +244,33 @@
"properties": { "properties": {
"alias": { "alias": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -118,17 +278,35 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
@@ -138,22 +316,41 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -161,12 +358,19 @@
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -174,41 +378,89 @@
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/okta.json
+362 -46
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"okta": { "okta": {
@@ -12,19 +52,43 @@
"properties": { "properties": {
"alternate_id": { "alternate_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"display_name": { "display_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -32,26 +96,56 @@
"properties": { "properties": {
"authentication_provider": { "authentication_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_step": { "authentication_step": {
"type": "long" "type": "long"
}, },
"credential_provider": { "credential_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"credential_type": { "credential_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"external_session_id": { "external_session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"interface": { "interface": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -59,11 +153,23 @@
"properties": { "properties": {
"device": { "device": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
@@ -72,21 +178,45 @@
"properties": { "properties": {
"browser": { "browser": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"raw_user_agent": { "raw_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -96,33 +226,75 @@
"properties": { "properties": {
"device_fingerprint": { "device_fingerprint": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"request_id": { "request_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"request_uri": { "request_uri": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"suspicious_activity": { "suspicious_activity": {
"properties": { "properties": {
"browser": { "browser": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_city": { "event_city": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_country": { "event_country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_id": { "event_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_ip": { "event_ip": {
"type": "ip" "type": "ip"
@@ -135,19 +307,43 @@
}, },
"event_state": { "event_state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_transaction_id": { "event_transaction_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -156,11 +352,23 @@
}, },
"threat_suspected": { "threat_suspected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -168,21 +376,45 @@
}, },
"display_message": { "display_message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"outcome": { "outcome": {
"properties": { "properties": {
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"result": { "result": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -194,22 +426,46 @@
"properties": { "properties": {
"city": { "city": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geolocation": { "geolocation": {
"type": "geo_point" "type": "geo_point"
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -218,11 +474,23 @@
}, },
"source": { "source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -239,7 +507,13 @@
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -247,20 +521,38 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"is_proxy": { "is_proxy": {
"type": "boolean" "type": "boolean"
}, },
"isp": { "isp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target": { "target": {
"type": "flattened" "type": "flattened"
@@ -269,21 +561,45 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"uuid": { "uuid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/orchestrator.json
+104 -10
View File
@@ -4,57 +4,151 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"orchestrator": { "orchestrator": {
"properties": { "properties": {
"api_version": { "api_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cluster": { "cluster": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"namespace": { "namespace": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource": { "resource": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/organization.json
+51 -4
View File
@@ -4,18 +4,65 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"organization": { "organization": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -26,4 +73,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/package.json
+118 -12
View File
@@ -4,63 +4,169 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"package": { "package": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"build_version": { "build_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"checksum": { "checksum": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"install_scope": { "install_scope": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"installed": { "installed": {
"type": "date" "type": "date"
}, },
"license": { "license": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"size": { "size": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/process.json
+605 -93
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/redis.json
+68 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"redis": { "redis": {
@@ -12,7 +52,13 @@
"properties": { "properties": {
"role": { "role": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -20,11 +66,23 @@
"properties": { "properties": {
"args": { "args": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cmd": { "cmd": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"duration": { "duration": {
"properties": { "properties": {
@@ -38,7 +96,13 @@
}, },
"key": { "key": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/registry.json
+83 -7
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"registry": { "registry": {
@@ -12,36 +52,72 @@
"properties": { "properties": {
"bytes": { "bytes": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"strings": { "strings": {
"type": "wildcard" "type": "wildcard"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hive": { "hive": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"key": { "key": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"value": { "value": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/related.json
+62 -4
View File
@@ -4,28 +4,86 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"related": { "related": {
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hosts": { "hosts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
}, },
"user": { "user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/rule.json
+111 -11
View File
@@ -4,53 +4,153 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule": { "rule": {
"properties": { "properties": {
"author": { "author": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"license": { "license": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ruleset": { "ruleset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uuid": { "uuid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/server.json
+218 -31
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"server": { "server": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -21,8 +67,9 @@
"properties": { "properties": {
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -37,52 +84,118 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -91,7 +204,13 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -111,30 +230,61 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -144,30 +294,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -175,7 +356,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -184,4 +371,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/service.json
+104 -10
View File
@@ -4,53 +4,147 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"service": { "service": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"environment": { "environment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ephemeral_id": { "ephemeral_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"node": { "node": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/snyk.json
+166 -18
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"snyk": { "snyk": {
@@ -15,11 +55,23 @@
}, },
"org_id": { "org_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -30,7 +82,13 @@
"properties": { "properties": {
"projects": { "projects": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -38,32 +96,68 @@
"properties": { "properties": {
"credit": { "credit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss3": { "cvss3": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"disclosure_time": { "disclosure_time": {
"type": "date" "type": "date"
}, },
"exploit_maturity": { "exploit_maturity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"identifiers": { "identifiers": {
"properties": { "properties": {
"alternative": { "alternative": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cwe": { "cwe": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -90,22 +184,46 @@
}, },
"jira_issue_url": { "jira_issue_url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"language": { "language": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_severity": { "original_severity": {
"type": "long" "type": "long"
}, },
"package": { "package": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"package_manager": { "package_manager": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"patches": { "patches": {
"type": "flattened" "type": "flattened"
@@ -118,26 +236,56 @@
}, },
"reachability": { "reachability": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"semver": { "semver": {
"type": "flattened" "type": "flattened"
}, },
"title": { "title": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"unique_severities_list": { "unique_severities_list": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/sophos.json
+1006 -138
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/source.json
+218 -31
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"source": { "source": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -21,8 +67,9 @@
"properties": { "properties": {
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -37,52 +84,118 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -91,7 +204,13 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -111,30 +230,61 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -144,30 +294,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -175,7 +356,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -184,4 +371,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/suricata.json
+516 -68
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"suricata": { "suricata": {
@@ -14,118 +54,268 @@
"properties": { "properties": {
"affected_product": { "affected_product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"attack_target": { "attack_target": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"capec_id": { "capec_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classtype": { "classtype": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"created_at": { "created_at": {
"type": "date" "type": "date"
}, },
"cve": { "cve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v2_base": { "cvss_v2_base": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v2_temporal": { "cvss_v2_temporal": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v3_base": { "cvss_v3_base": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v3_temporal": { "cvss_v3_temporal": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cwe_id": { "cwe_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deployment": { "deployment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"former_category": { "former_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gid": { "gid": {
"type": "long" "type": "long"
}, },
"hostile": { "hostile": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"infected": { "infected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"malware": { "malware": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"metadata": { "metadata": {
"type": "flattened" "type": "flattened"
}, },
"mitre_tool_id": { "mitre_tool_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"performance_impact": { "performance_impact": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocols": { "protocols": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rev": { "rev": {
"type": "long" "type": "long"
}, },
"rule_source": { "rule_source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sid": { "sid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature": { "signature": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_id": { "signature_id": {
"type": "long" "type": "long"
}, },
"signature_severity": { "signature_severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"updated_at": { "updated_at": {
"type": "date" "type": "date"
@@ -134,19 +324,43 @@
}, },
"app_proto_expected": { "app_proto_expected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_orig": { "app_proto_orig": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_tc": { "app_proto_tc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_ts": { "app_proto_ts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dns": { "dns": {
"properties": { "properties": {
@@ -155,19 +369,43 @@
}, },
"rcode": { "rcode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rdata": { "rdata": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rrname": { "rrname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rrtype": { "rrtype": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ttl": { "ttl": {
"type": "long" "type": "long"
@@ -177,7 +415,13 @@
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -185,13 +429,25 @@
"properties": { "properties": {
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fileinfo": { "fileinfo": {
"properties": { "properties": {
@@ -200,19 +456,43 @@
}, },
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"stored": { "stored": {
"type": "boolean" "type": "boolean"
@@ -232,31 +512,67 @@
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"flow_id": { "flow_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http": { "http": {
"properties": { "properties": {
"http_content_type": { "http_content_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"redirect": { "redirect": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -268,7 +584,13 @@
}, },
"in_iface": { "in_iface": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pcap_cnt": { "pcap_cnt": {
"type": "long" "type": "long"
@@ -277,15 +599,33 @@
"properties": { "properties": {
"helo": { "helo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mail_from": { "mail_from": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rcpt_to": { "rcpt_to": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -295,11 +635,23 @@
"properties": { "properties": {
"proto_version": { "proto_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"software_version": { "software_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -307,11 +659,23 @@
"properties": { "properties": {
"proto_version": { "proto_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"software_version": { "software_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -757,22 +1121,46 @@
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"syn": { "syn": {
"type": "boolean" "type": "boolean"
}, },
"tcp_flags": { "tcp_flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tcp_flags_tc": { "tcp_flags_tc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tcp_flags_ts": { "tcp_flags_ts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -780,21 +1168,45 @@
"properties": { "properties": {
"fingerprint": { "fingerprint": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuerdn": { "issuerdn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3": { "ja3": {
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"string": { "string": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -802,11 +1214,23 @@
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"string": { "string": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -818,22 +1242,46 @@
}, },
"serial": { "serial": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_resumed": { "session_resumed": {
"type": "boolean" "type": "boolean"
}, },
"sni": { "sni": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
salt/elasticsearch/templates/component/ecs/syslog.json
+54 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"syslog": { "syslog": {
@@ -13,14 +53,26 @@
}, },
"facility_label": { "facility_label": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"severity_label": { "severity_label": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
salt/elasticsearch/templates/component/ecs/threat.json
+1964 -286
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/tls.json
+482 -64
View File
@@ -4,47 +4,135 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"tls": { "tls": {
"properties": { "properties": {
"cipher": { "cipher": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"client": { "client": {
"properties": { "properties": {
"certificate": { "certificate": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"certificate_chain": { "certificate_chain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3": { "ja3": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"not_after": { "not_after": {
"type": "date" "type": "date"
@@ -54,51 +142,117 @@
}, },
"server_name": { "server_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"supported_ciphers": { "supported_ciphers": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -110,11 +264,23 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -126,47 +292,107 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -174,14 +400,26 @@
}, },
"curve": { "curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"established": { "established": {
"type": "boolean" "type": "boolean"
}, },
"next_protocol": { "next_protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resumed": { "resumed": {
"type": "boolean" "type": "boolean"
@@ -190,35 +428,77 @@
"properties": { "properties": {
"certificate": { "certificate": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"certificate_chain": { "certificate_chain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3s": { "ja3s": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"not_after": { "not_after": {
"type": "date" "type": "date"
@@ -228,43 +508,97 @@
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -276,11 +610,23 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -292,47 +638,107 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -340,15 +746,27 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version_protocol": { "version_protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/tracing.json
+62 -4
View File
@@ -4,13 +4,59 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"span": { "span": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -18,7 +64,13 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -26,11 +78,17 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/url.json
+119 -11
View File
@@ -4,24 +4,86 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"url": { "url": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"extension": { "extension": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fragment": { "fragment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -30,6 +92,10 @@
}, },
"original": { "original": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -38,7 +104,13 @@
}, },
"password": { "password": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"type": "wildcard" "type": "wildcard"
@@ -48,31 +120,67 @@
}, },
"query": { "query": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"scheme": { "scheme": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/user.json
+289 -49
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user": { "user": {
@@ -12,16 +52,29 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -31,30 +84,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -62,28 +146,53 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"effective": { "effective": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -93,30 +202,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -124,18 +264,31 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -145,30 +298,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -176,22 +360,41 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target": { "target": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -201,30 +404,61 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -232,7 +466,13 @@
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -241,4 +481,4 @@
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/user_agent.json
+106 -15
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user_agent": { "user_agent": {
@@ -12,18 +52,31 @@
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original": { "original": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -33,12 +86,19 @@
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -46,12 +106,19 @@
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -59,25 +126,49 @@
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/vulnerability.json
+107 -12
View File
@@ -4,22 +4,75 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"vulnerability": { "vulnerability": {
"properties": { "properties": {
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
} }
}, },
"ignore_above": 1024, "ignore_above": 1024,
@@ -27,25 +80,55 @@
}, },
"enumeration": { "enumeration": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"report_id": { "report_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"scanner": { "scanner": {
"properties": { "properties": {
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -62,17 +145,29 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/ecs/winlog.json
+978 -134
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/ecs/zeek.json
+2189 -307
View File
File diff suppressed because it is too large Load Diff
salt/elasticsearch/templates/component/so/case-mappings.json
+248 -208
View File
@@ -1,213 +1,253 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"properties": { "analysis": {
"so_audit_doc_id": { "analyzer": {
"ignore_above": 1024, "es_security_analyzer": {
"type": "keyword" "type": "custom",
}, "char_filter": [
"so_related": { "whitespace_no_way"
"properties": { ],
"createTime": { "filter": [
"type": "date" "lowercase",
}, "trim"
"caseId": { ],
"ignore_above": 1024, "tokenizer": "keyword"
"type": "keyword" }
}, },
"fields": { "char_filter": {
"eager_global_ordinals": false, "whitespace_no_way": {
"ignore_above": 1024, "type": "pattern_replace",
"index": true, "pattern": "(\\s)+",
"type": "flattened", "replacement": "$1"
"index_options": "docs", }
"split_queries_on_whitespace": false, },
"doc_values": true "filter": {
}, "path_hierarchy_pattern_filter": {
"userId": { "type": "pattern_capture",
"ignore_above": 1024, "preserve_original": true,
"type": "keyword" "patterns": [
} "((?:[^\\\\]*\\\\)*)(.*)",
} "((?:[^/]*/)*)(.*)"
}, ]
"@timestamp": { }
"type": "date" },
}, "tokenizer": {
"so_artifactstream": { "path_tokenizer": {
"properties": { "type": "path_hierarchy",
"createTime": { "delimiter": "\\"
"type": "date" }
}, }
"userId": { }
"ignore_above": 1024, },
"type": "keyword" "mappings": {
}, "properties": {
"content": { "so_audit_doc_id": {
"type": "text" "ignore_above": 1024,
} "type": "keyword"
} },
}, "so_related": {
"so_comment": { "properties": {
"properties": { "createTime": {
"createTime": { "type": "date"
"type": "date" },
}, "caseId": {
"caseId": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword" },
}, "fields": {
"description": { "eager_global_ordinals": false,
"type": "text" "ignore_above": 1024,
}, "index": true,
"userId": { "type": "flattened",
"ignore_above": 1024, "index_options": "docs",
"type": "keyword" "split_queries_on_whitespace": false,
} "doc_values": true
} },
}, "userId": {
"so_kind": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
} }
} }
}, },
"_meta": { "@timestamp": {
"ecs_version": "1.12.2" "type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
} }
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
} }
salt/elasticsearch/templates/component/so/case-settings.json
+60 -60
View File
@@ -1,65 +1,65 @@
{ {
"template": { "template": {
"settings": { "settings": {
"index": { "index": {
"routing": { "routing": {
"allocation": { "allocation": {
"require": { "require": {
"box_type": "hot" "box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
} }
} }
}, },
"version": 1, "mapping": {
"_meta": { "total_fields": {
"description": "default settings for common Security Onion Cases indices" "limit": "3000"
} }
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
} }
salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
+91 -51
View File
@@ -1,56 +1,96 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"dynamic_templates": [ "analysis": {
{ "analyzer": {
"ip_address": { "es_security_analyzer": {
"path_match": "*.ip", "type": "custom",
"mapping": { "char_filter": [
"type": "ip", "whitespace_no_way"
"fields": { ],
"keyword": { "filter": [
"ignore_above": 45, "lowercase",
"type": "keyword" "trim"
} ],
} "tokenizer": "keyword"
}, }
"match_mapping_type": "string" },
} "char_filter": {
}, "whitespace_no_way": {
{ "type": "pattern_replace",
"port": { "pattern": "(\\s)+",
"path_match": "*.port", "replacement": "$1"
"path_unmatch": "*.data.port", }
"mapping": { },
"type": "integer", "filter": {
"fields": { "path_hierarchy_pattern_filter": {
"keyword": { "type": "pattern_capture",
"ignore_above": 6, "preserve_original": true,
"type": "keyword" "patterns": [
} "((?:[^\\\\]*\\\\)*)(.*)",
} "((?:[^/]*/)*)(.*)"
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
] ]
} }
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
} }
}
},
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
} }
salt/elasticsearch/templates/component/so/common-settings.json
+60 -60
View File
@@ -1,65 +1,65 @@
{ {
"template": { "template": {
"settings": { "settings": {
"index": { "index": {
"routing": { "routing": {
"allocation": { "allocation": {
"require": { "require": {
"box_type": "hot" "box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
} }
} }
}, },
"version": 1, "mapping": {
"_meta": { "total_fields": {
"description": "default settings for common Security Onion indices" "limit": "3000"
} }
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
} }
salt/elasticsearch/templates/component/so/dtc-agent-mappings.json
+55 -10
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"agent": { "agent": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -36,8 +78,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -48,8 +91,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -60,8 +104,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-base-mappings.json
+46 -4
View File
@@ -4,13 +4,54 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"message": { "message": {
"type": "match_only_text", "type": "match_only_text",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -21,8 +62,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-dns-mappings.json
+43 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dns": { "dns": {
@@ -14,8 +54,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json
+43 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"ecs": { "ecs": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-event-mappings
-137
View File
@@ -1,137 +0,0 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-event.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-event-mappings.json
+64 -16
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"event": { "event": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -23,8 +64,9 @@
"created": { "created": {
"type": "date", "type": "date",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -35,8 +77,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -46,8 +89,9 @@
"ingested": { "ingested": {
"type": "date", "type": "date",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -58,8 +102,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -70,8 +115,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -82,8 +128,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -94,8 +141,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-file-mappings.json
+46 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-host-mappings.json
+46 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"host": { "host": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-http-mappings.json
+45 -3
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"http": { "http": {
@@ -14,8 +54,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +68,8 @@
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "text": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-network-mappings.json
+46 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"network": { "network": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-observer-mappings
-219
View File
@@ -1,219 +0,0 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-observer.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"observer": {
"properties": {
"egress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"ingress": {
"properties": {
"interface": {
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"fields": {
"text": {
"type": "match_only_text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}
salt/elasticsearch/templates/component/so/dtc-observer-mappings.json
+43 -2
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"observer": { "observer": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-process-mappings.json
+43 -2
View File
@@ -4,14 +4,55 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"process": { "process": {
"properties": { "properties": {
"command_line": { "command_line": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
+46 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule": { "rule": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-service-mappings.json
+46 -4
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"service": { "service": {
@@ -12,8 +52,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -24,8 +65,9 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-user-mappings.json
+43 -2
View File
@@ -4,14 +4,55 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user": { "user": {
"properties": { "properties": {
"name": { "name": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
+43 -2
View File
@@ -4,14 +4,55 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user_agent": { "user_agent": {
"properties": { "properties": {
"original": { "original": {
"fields": { "fields": {
"text": { "security": {
"type": "match_only_text" "type": "text",
"analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
salt/elasticsearch/templates/component/so/endgame-mappings.json
+89 -49
View File
@@ -1,53 +1,93 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"properties": { "analysis": {
"endgame": { "analyzer": {
"dynamic": false, "es_security_analyzer": {
"properties": { "type": "custom",
"data": { "char_filter": [
"properties": { "whitespace_no_way"
"malware_classification": { ],
"properties": { "filter": [
"identifier": { "lowercase",
"ignore_above": 1024, "trim"
"type": "keyword" ],
} "tokenizer": "keyword"
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
} }
}, },
"_meta": { "char_filter": {
"ecs_version": "1.12.2" "whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
} }
}
},
"mappings": {
"properties": {
"endgame": {
"dynamic": false,
"properties": {
"data": {
"properties": {
"malware_classification": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
} }
salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json
+40
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"destination": { "destination": {
salt/elasticsearch/templates/component/so/pb-override-source-mappings.json
+40 -1
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"source": { "source": {
@@ -30,4 +70,3 @@
} }
} }
} }
salt/elasticsearch/templates/component/so/so-file-mappings.json
+41 -1
View File
@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -15,7 +55,7 @@
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
} }
salt/elasticsearch/templates/component/so/so-rule-mappings.json
+47 -7
View File
@@ -4,15 +4,55 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule":{ "rule": {
"properties":{ "properties": {
"score":{ "score": {
"type":"long" "type": "long"
} }
} }
} }
} }
} }
} }
salt/elasticsearch/templates/component/so/so-scan-mappings.json
+58 -18
View File
@@ -4,27 +4,67 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"scan":{ "scan": {
"type":"object", "type": "object",
"properties":{ "properties": {
"exiftool":{ "exiftool": {
"type":"text" "type": "text"
}, },
"pe":{ "pe": {
"properties":{ "properties": {
"sections":{ "sections": {
"properties":{ "properties": {
"entropy":{ "entropy": {
"type": "float" "type": "float"
} }
} }
} }
} }
} }
} }
} }
} }
} }
} }
salt/playbook/init.sls
+1 -8
View File
@@ -109,14 +109,7 @@ so-playbookruleupdatecron:
- user: root - user: root
- minute: '1' - minute: '1'
- hour: '6' - hour: '6'
so-playbookregencron:
cron.present:
- name: /usr/sbin/so-playbook-sigma-refresh > /opt/so/log/playbook/regen.log 2>&1
- user: root
- minute: '55'
- hour: '23'
{% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %} {% if 'idh' in salt['cmd.shell']("ls /opt/so/saltstack/local/pillar/minions/|awk -F'_' {'print $2'}|awk -F'.' {'print $1'}").split() %}
idh-plays: idh-plays:
file.recurse: file.recurse: