From 662db4185738c8827d690fa41878742223012701 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:17:38 +0000 Subject: [PATCH 01/15] Add default packages --- salt/elasticfleet/defaults.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 8c858c711..83261dc17 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -23,3 +23,11 @@ elasticfleet: - stats - stderr - stdout + packages: + - aws + - azure + - cloudflare + - fim + - github + - google_workspace + - 1password From 94fe456e28bea732c7c0ffbb607ab6fa4cf9bafd Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:19:20 +0000 Subject: [PATCH 02/15] Add package functions --- .../tools/sbin/so-elastic-fleet-common | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index e56ee7f0a..73c36e5c8 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -51,6 +51,21 @@ elastic_fleet_integration_update() { curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/package_policies/$UPDATE_ID" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING" } +elastic_fleet_package_version_check() { + PACKAGE=$1 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.version' +} + +elastic_fleet_package_install() { + PKGKEY=$1 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PKGKEY" +} + +elastic_fleet_package_is_installed() { + PACKAGE=$1 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status' +} + elastic_fleet_policy_create() { NAME=$1 From a3c7e40c40bc5a95979009bbaf9e5295038503f5 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:20:05 +0000 Subject: [PATCH 03/15] Add package load command --- .../sbin_jinja/so-elastic-fleet-package-load | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load new file mode 100644 index 000000000..c1e14f64f --- /dev/null +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load @@ -0,0 +1,17 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. +{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %} + +. /usr/sbin/so-elastic-fleet-common + +{%- for PACKAGE in SUPPORTED_PACKAGES %} +echo "Setting up {{ PACKAGE }} package..." +VERSION=$(elastic_fleet_package_version_check "{{ PACKAGE }}") +elastic_fleet_package_install "{{ PACKAGE }}-$VERSION" +echo +{%- endfor %} +echo From 2c42d4b19ef990c1824e08192ec1f45457381f53 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:22:51 +0000 Subject: [PATCH 04/15] Add package check to so-elasticsearch-templates-load --- .../sbin/so-elasticsearch-templates-load | 63 ------------------- 1 file changed, 63 deletions(-) delete mode 100755 salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load deleted file mode 100755 index bce8af1ff..000000000 --- a/salt/elasticsearch/tools/sbin/so-elasticsearch-templates-load +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - -. /usr/sbin/so-common - -default_conf_dir=/opt/so/conf - -# Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" - -# Wait for ElasticSearch to initialize -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null --silent --head --fail - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." - fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then - echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" - echo - exit 1 -fi - -set -e - -cd ${ELASTICSEARCH_TEMPLATES}/component/ecs - -echo "Loading ECS component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done - -cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent - -echo "Loading Elastic Agent component templates..." -for i in *; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done - -# Load SO-specific component templates -cd ${ELASTICSEARCH_TEMPLATES}/component/so - -echo "Loading Security Onion component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -# Load SO index templates -cd ${ELASTICSEARCH_TEMPLATES}/index - -echo "Loading Security Onion index templates..." -for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -cd - >/dev/null From d8700137d27daf81a707c21c2493a88f2cc50258 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:23:29 +0000 Subject: [PATCH 05/15] Add updated so-elasticsearch-templates-load --- .../so-elasticsearch-templates-load | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100755 salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load new file mode 100755 index 000000000..60e32c12b --- /dev/null +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load @@ -0,0 +1,76 @@ +#!/bin/bash +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. +{%- import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{%- set SUPPORTED_PACKAGES = salt['pillar.get']('elasticfleet:packages', default=ELASTICFLEETDEFAULTS.elasticfleet.packages, merge=True) %} + +. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common + + +default_conf_dir=/opt/so/conf + +# Define a default directory to load pipelines from +ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" + +# Wait for ElasticSearch to initialize +echo -n "Waiting for ElasticSearch..." +COUNT=0 +ELASTICSEARCH_CONNECTED="no" +while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query / -k --output /dev/null --silent --head --fail + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi +done +if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo + exit 1 +fi + +SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') +INSTALLED=$(elastic_fleet_package_is_installed {{ SUPPORTED_PACKAGES[0] }} ) +if [ "$INSTALLED" != "installed" ]; then + echo + echo "Packages not yet installed." + echo + exit 0 +fi + +set -e + +cd ${ELASTICSEARCH_TEMPLATES}/component/ecs + +echo "Loading ECS component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done + +cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent + +echo "Loading Elastic Agent component templates..." +for i in *; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done + +# Load SO-specific component templates +cd ${ELASTICSEARCH_TEMPLATES}/component/so + +echo "Loading Security Onion component templates..." +for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +# Load SO index templates +cd ${ELASTICSEARCH_TEMPLATES}/index + +echo "Loading Security Onion index templates..." +for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done +echo + +cd - >/dev/null From e2cca917c195710c9e2416d4c0fda012143aa77a Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:26:06 +0000 Subject: [PATCH 06/15] Add package load command to Fleet setup --- .../elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load | 0 salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 2 ++ 2 files changed, 2 insertions(+) mode change 100644 => 100755 salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-package-load old mode 100644 new mode 100755 diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index 94a42a70a..e7b8e115d 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -48,6 +48,8 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl printf "\n\n" ### Create Policies & Associated Integration Configuration ### +# Load packages +/usr/sbin/so-elastic-fleet-package-load # Manager Fleet Server Host elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120" From 5e8748c436d56bc7307ee68cf3e490c4bccb3cb3 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 13:28:01 +0000 Subject: [PATCH 07/15] Load Elasticsearch templates --- salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup index e7b8e115d..c63181a79 100755 --- a/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup @@ -51,6 +51,9 @@ printf "\n\n" # Load packages /usr/sbin/so-elastic-fleet-package-load +# Load Elasticsearch templates +/usr/sbin/so-elasticsearch-templates-load + # Manager Fleet Server Host elastic_fleet_policy_create "FleetServer_{{ GLOBALS.hostname }}" "Fleet Server - {{ GLOBALS.hostname }}" "true" "120" From e995576b1d91dc0fbd9e60a9610d50be60a21078 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 09:41:49 -0400 Subject: [PATCH 08/15] Remove extra templates --- salt/elasticsearch/defaults.yaml | 3235 ------------------------------ 1 file changed, 3235 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d27f291eb..e6fec1c6b 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -873,440 +873,6 @@ elasticsearch: name: elastic_agent managed_by: security_onion managed: true - so-aws: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-aws-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - aws-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-azure: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-azure-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - azure-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-barracuda: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-barracuda-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-beats: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-beats-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - - dtc-winlog-mappings - priority: 500 - so-bluecoat: - warm: 7 - close: 30 - delete: 365 - index_sorting: False - index_template: - index_patterns: - - so-bluecoat-* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-case: index_sorting: False index_template: @@ -1336,258 +902,6 @@ elasticsearch: - case-mappings - case-settings priority: 500 - so-cef: - index_sorting: False - index_template: - index_patterns: - - so-cef* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - cef-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-checkpoint: - index_sorting: False - index_template: - index_patterns: - - so-checkpoint* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - checkpoint-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-cisco: - index_sorting: False - index_template: - index_patterns: - - so-cisco* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - cisco-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-common: warm: 7 close: 30 @@ -1678,278 +992,6 @@ elasticsearch: - common-dynamic-mappings - winlog-mappings priority: 1 - so-cyberark: - index_sorting: False - index_template: - index_patterns: - - so-cyberark* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - cyberark-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-cylance: - index_sorting: False - index_template: - index_patterns: - - so-cylance* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-elasticsearch: - index_sorting: False - index_template: - index_patterns: - - logs-elasticsearch-default* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - lifecycle: - name: so-elasticsearch-logs - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - elasticsearch-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} so-endgame: index_sorting: False index_template: @@ -2035,509 +1077,6 @@ elasticsearch: - common-dynamic-mappings - winlog-mappings priority: 500 - so-f5: - index_sorting: False - index_template: - index_patterns: - - so-f5* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-firewall: - index_sorting: False - index_template: - index_patterns: - - so-firewall* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - syslog-mappings - - dtc-syslog-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-flow: - index_sorting: False - index_template: - index_patterns: - - so-flow* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-fortinet: - index_sorting: False - index_template: - index_patterns: - - so-fortinet* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - fortinet-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-gcp: - index_sorting: False - index_template: - index_patterns: - - so-gcp* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - gcp-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-google_workspace: - index_sorting: False - index_template: - index_patterns: - - so-google_workspace* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - google_workspace-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-idh: warm: 7 close: 30 @@ -2724,89 +1263,6 @@ elasticsearch: min_age: 365d actions: delete: {} - so-imperva: - index_sorting: False - index_template: - index_patterns: - - so-imperva* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-import: index_sorting: False index_template: @@ -2913,277 +1369,6 @@ elasticsearch: min_age: 365d actions: delete: {} - so-infoblox: - index_sorting: False - index_template: - index_patterns: - - so-infoblox* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 - so-juniper: - index_sorting: False - index_template: - index_patterns: - - so-juniper* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - juniper-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-kibana: - index_sorting: False - index_template: - index_patterns: - - so-kibana* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - kibana-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - policy: - phases: - hot: - min_age: 0ms - actions: - set_priority: - priority: 100 - rollover: - max_age: 30d - max_primary_shard_size: 50gb - cold: - min_age: 30d - actions: - set_priority: - priority: 0 - delete: - min_age: 365d - actions: - delete: {} so-kratos: warm: 7 close: 30 @@ -3391,843 +1576,6 @@ elasticsearch: min_age: 365d actions: delete: {} - so-microsoft: - index_sorting: False - index_template: - index_patterns: - - so-microsoft* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - microsoft-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-misp: - index_sorting: False - index_template: - index_patterns: - - so-misp* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - misp-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-netflow: - index_sorting: False - index_template: - index_patterns: - - so-netflow* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - netflow-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-netscout: - index_sorting: False - index_template: - index_patterns: - - so-netscout* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-o365: - index_sorting: False - index_template: - index_patterns: - - so-o365* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - o365-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-okta: - index_sorting: False - index_template: - index_patterns: - - so-okta* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - okta-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-osquery: - index_sorting: False - index_template: - index_patterns: - - so-osquery* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 - so-ossec: - index_sorting: False - index_template: - index_patterns: - - so-ossec* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - - winlog-mappings - priority: 500 - so-proofpoint: - index_sorting: False - index_template: - index_patterns: - - so-proofpoint* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-radware: - index_sorting: False - index_template: - index_patterns: - - so-radware* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-redis: index_sorting: False index_template: @@ -4333,423 +1681,6 @@ elasticsearch: min_age: 365d actions: delete: {} - so-snort: - index_sorting: False - index_template: - index_patterns: - - so-snort* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-snyk: - index_sorting: False - index_template: - index_patterns: - - so-snyk* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - snyk-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-sonicwall: - index_sorting: False - index_template: - index_patterns: - - so-sonicwall* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-sophos: - index_sorting: False - index_template: - index_patterns: - - so-sophos* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - sophos-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 - so-squid: - index_sorting: False - index_template: - index_patterns: - - so-squid* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-strelka: index_sorting: False index_template: @@ -4959,89 +1890,6 @@ elasticsearch: min_age: 365d actions: delete: {} - so-tomcat: - index_sorting: False - index_template: - index_patterns: - - so-tomcat* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 so-zeek: index_sorting: False index_template: @@ -5150,86 +1998,3 @@ elasticsearch: min_age: 365d actions: delete: {} - so-zscaler: - index_sorting: False - index_template: - index_patterns: - - so-zscaler* - template: - mappings: - dynamic_templates: - - strings_as_keyword: - mapping: - ignore_above: 1024 - type: keyword - match_mapping_type: string - date_detection: false - settings: - index: - mapping: - total_fields: - limit: 5000 - sort: - field: "@timestamp" - order: desc - refresh_interval: 30s - number_of_shards: 1 - number_of_replicas: 0 - composed_of: - - agent-mappings - - dtc-agent-mappings - - base-mappings - - dtc-base-mappings - - client-mappings - - dtc-client-mappings - - cloud-mappings - - container-mappings - - data_stream-mappings - - destination-mappings - - dtc-destination-mappings - - pb-override-destination-mappings - - dll-mappings - - dns-mappings - - dtc-dns-mappings - - ecs-mappings - - dtc-ecs-mappings - - error-mappings - - event-mappings - - dtc-event-mappings - - file-mappings - - dtc-file-mappings - - group-mappings - - host-mappings - - dtc-host-mappings - - http-mappings - - dtc-http-mappings - - log-mappings - - network-mappings - - dtc-network-mappings - - observer-mappings - - dtc-observer-mappings - - orchestrator-mappings - - organization-mappings - - package-mappings - - process-mappings - - dtc-process-mappings - - registry-mappings - - related-mappings - - rule-mappings - - dtc-rule-mappings - - server-mappings - - service-mappings - - dtc-service-mappings - - source-mappings - - dtc-source-mappings - - pb-override-source-mappings - - threat-mappings - - tls-mappings - - tracing-mappings - - url-mappings - - user_agent-mappings - - dtc-user_agent-mappings - - vulnerability-mappings - - common-settings - - common-dynamic-mappings - priority: 500 From 62fa15c63ed86a5e5bee08d923b67ac801e4ddf3 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 14:43:15 +0000 Subject: [PATCH 09/15] Add more templates --- salt/elasticsearch/defaults.yaml | 792 +++++++++++++++++++++++++++++++ 1 file changed, 792 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e6fec1c6b..5442969e5 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -278,6 +278,798 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false + so-logs-aws.cloudtrail: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.cloudtrail-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.cloudtrail@package" + - "logs-aws.cloudtrail@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.cloudwatch_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.cloudwatch_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.cloudwatch_logs@package" + - "logs-aws.cloudwatch_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.ec2_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.ec2_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.ec2_logs@package" + - "logs-aws.ec2_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.elb_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.elb_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.elb_logs@package" + - "logs-aws.elb_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.firewall_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.firewall_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.firewall_logs@package" + - "logs-aws.firewall_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.route53_public_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.route53_public_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.route53_public_logs@package" + - "logs-aws.route53_public_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.route53.resolver_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.route53.resolver_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.route53.resolver_logs@package" + - "logs-aws.route53.resolver_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.s3access: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.s3access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.s3access@package" + - "logs-aws.s3access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.vpcflow: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.vpcflow-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.vpcflow@package" + - "logs-aws.vpcflow@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-aws.waf: + index_sorting: False + index_template: + index_patterns: + - "logs-aws.waf-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-aws.waf@package" + - "logs-aws.waf@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.activitylogs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.activitylogs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.activitylogs@package" + - "logs-azure.activitylogs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.application_gateway: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.application_gateway-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.application_gateway@package" + - "logs-azure.application_gateway@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.auditlogs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.auditlogs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.auditlogs@package" + - "logs-azure.auditlogs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.eventhub: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.eventhub-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.eventhub@package" + - "logs-azure.eventhub@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.firewall_logs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.firewall_logs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.firewall_logs@package" + - "logs-azure.firewall_logs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.identity_protect: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.identity_protect-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.identity_protect@package" + - "logs-azure.identity_protect@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.platformlogs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.platformlogs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.platformlogs@package" + - "logs-azure.platformlogs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.provisioning: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.provisioning-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.provisioning@package" + - "logs-azure.provisioning@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.signinlogs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.signinlogs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.signinlogs@package" + - "logs-azure.signinlogs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-azure.springcloudlogs: + index_sorting: False + index_template: + index_patterns: + - "logs-azure.springcloudlogs-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-azure.springcloudlogs@package" + - "logs-azure.springcloudlogs@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cloudflare-audit: + index_sorting: False + index_template: + index_patterns: + - "logs-cloudflare-audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cloudflare-audit@package" + - "logs-cloudflare-audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-cloudflare-logpull: + index_sorting: False + index_template: + index_patterns: + - "logs-cloudflare-logpull-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-cloudflare-logpull@package" + - "logs-cloudflare-logpull@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-fim.event: + index_sorting: False + index_template: + index_patterns: + - "logs-fim.event-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-fim.event@package" + - "logs-fim.event@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github.audit: + index_sorting: False + index_template: + index_patterns: + - "logs-github.audit-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-github.audit@package" + - "logs-github.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github.code_scanning: + index_sorting: False + index_template: + index_patterns: + - "logs-github.code_scanning-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-github.code_scanning@package" + - "logs-github.code_scanning@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github.dependabot: + index_sorting: False + index_template: + index_patterns: + - "logs-github.dependabot-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-github.dependabot@package" + - "logs-github.dependabot@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github.issues: + index_sorting: False + index_template: + index_patterns: + - "logs-github.issues-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-github.issues@package" + - "logs-github.issues@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-github.secret_scanning: + index_sorting: False + index_template: + index_patterns: + - "logs-github.secret_scanning-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-github.secret_scanning@package" + - "logs-github.secret_scanning@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace_transparency: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace_transparency-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace_transparency@package" + - "logs-google_workspace_transparency@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.admin: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.admin-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.admin@package" + - "logs-google_workspace.admin@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.alert: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.alert@package" + - "logs-google_workspace.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.context_aware_access: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.context_aware_access-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.context_aware_access@package" + - "logs-google_workspace.context_aware_access@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.device: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.device-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.device@package" + - "logs-google_workspace.device@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.drive: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.drive-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.drive@package" + - "logs-google_workspace.drive@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.gcp: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.gcp-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.gcp@package" + - "logs-google_workspace.gcp@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.group_enterprise: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.group_enterprise-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.group_enterprise@package" + - "logs-google_workspace.group_enterprise@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.groups: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.groups-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.groups@package" + - "logs-google_workspace.groups@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.login: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.login-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.login@package" + - "logs-google_workspace.login@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.rules: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.rules-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.rules@package" + - "logs-google_workspace.rules@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.saml: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.saml-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.saml@package" + - "logs-google_workspace.saml@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.token: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.token-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.token@package" + - "logs-google_workspace.token@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-google_workspace.user_accounts: + index_sorting: False + index_template: + index_patterns: + - "logs-google_workspace.user_accounts-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-google_workspace.user_accounts@package" + - "logs-google_workspace.user_accounts@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-1password.item_usages: + index_sorting: False + index_template: + index_patterns: + - "logs-1password.item_usages-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-1password.item_usages@package" + - "logs-1password.item_usages@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + so-logs-1password.signin_attempts: + index_sorting: False + index_template: + index_patterns: + - "logs-1password.signin_attempts-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-1password.signin_attempts@package" + - "logs-1password.signin_attempts@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false so-logs-osquery-manager-actions: index_sorting: False index_template: From b96d3473f222c4bf6c30194328912cffc1ee85c4 Mon Sep 17 00:00:00 2001 From: Wes Date: Fri, 23 Jun 2023 18:38:04 +0000 Subject: [PATCH 10/15] Fix indentation --- salt/elasticsearch/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 5442969e5..f53e82de1 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -314,7 +314,7 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.ec2_logs: + so-logs-aws.ec2_logs: index_sorting: False index_template: index_patterns: From ff7db0be6394ba0b0ee623a3154f3aa7086e3422 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 15:31:11 -0400 Subject: [PATCH 11/15] Remove old index settings --- setup/so-functions | 41 +---------------------------------------- 1 file changed, 1 insertion(+), 40 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index ef4e44eaa..72b7d2c2f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1149,46 +1149,7 @@ elasticsearch_pillar() { " indices:"\ " query:"\ " bool:"\ - " max_clause_count: 3500"\ - " index_settings:"\ > $elasticsearch_pillar_file - for INDEX in aws azure barracuda beats bluecoat cef checkpoint cisco cyberark cylance elasticsearch endgame f5 firewall fortinet gcp google_workspace imperva infoblox juniper kibana logstash microsoft misp netflow netscout o365 okta osquery proofpoint radware redis snort snyk sonicwall sophos strelka syslog tomcat zeek zscaler - do - printf '%s\n'\ - " so-$INDEX:"\ - " warm: 7"\ - " close: 30"\ - " delete: 365"\ - " index_sorting: False"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0" >> $elasticsearch_pillar_file - done - for INDEX in import - do - printf '%s\n'\ - " so-$INDEX:"\ - " warm: 7"\ - " close: 73000"\ - " delete: 73001"\ - " index_sorting: False"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " mapping:"\ - " total_fields:"\ - " limit: 5000"\ - " refresh_interval: 30s"\ - " number_of_shards: 1"\ - " number_of_replicas: 0" >> $elasticsearch_pillar_file - done + " max_clause_count: 3500" > $elasticsearch_pillar_file } es_heapsize() { From aa91c1fef2af9725bf01818936b381c1de39b940 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 15:57:30 -0400 Subject: [PATCH 12/15] Add empty object for index_settings --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 72b7d2c2f..8b65d97e3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1149,7 +1149,8 @@ elasticsearch_pillar() { " indices:"\ " query:"\ " bool:"\ - " max_clause_count: 3500" > $elasticsearch_pillar_file + " max_clause_count: 3500"\ + " index_settings: {}" > $elasticsearch_pillar_file } es_heapsize() { From e2ff48164bf30176239b7899c628cec5b9ad162a Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 16:03:58 -0400 Subject: [PATCH 13/15] Only load if so-elastic-fleet-common exists --- .../so-elasticsearch-templates-load | 114 +++++++++--------- 1 file changed, 59 insertions(+), 55 deletions(-) diff --git a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load index 60e32c12b..991f54819 100755 --- a/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load +++ b/salt/elasticsearch/tools/sbin_jinja/so-elasticsearch-templates-load @@ -15,62 +15,66 @@ default_conf_dir=/opt/so/conf # Define a default directory to load pipelines from ELASTICSEARCH_TEMPLATES="$default_conf_dir/elasticsearch/templates/" -# Wait for ElasticSearch to initialize -echo -n "Waiting for ElasticSearch..." -COUNT=0 -ELASTICSEARCH_CONNECTED="no" -while [[ "$COUNT" -le 240 ]]; do - so-elasticsearch-query / -k --output /dev/null --silent --head --fail - if [ $? -eq 0 ]; then - ELASTICSEARCH_CONNECTED="yes" - echo "connected!" - break - else - ((COUNT+=1)) - sleep 1 - echo -n "." +if [ -f /usr/sbin/so-elastic-fleet-common ]; then + # Wait for ElasticSearch to initialize + echo -n "Waiting for ElasticSearch..." + COUNT=0 + ELASTICSEARCH_CONNECTED="no" + while [[ "$COUNT" -le 240 ]]; do + so-elasticsearch-query / -k --output /dev/null --silent --head --fail + if [ $? -eq 0 ]; then + ELASTICSEARCH_CONNECTED="yes" + echo "connected!" + break + else + ((COUNT+=1)) + sleep 1 + echo -n "." + fi + done + if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + echo + echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + echo + exit 1 fi -done -if [ "$ELASTICSEARCH_CONNECTED" == "no" ]; then + + SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') + INSTALLED=$(elastic_fleet_package_is_installed {{ SUPPORTED_PACKAGES[0] }} ) + if [ "$INSTALLED" != "installed" ]; then + echo + echo "Packages not yet installed." + echo + exit 0 + fi + + set -e + + cd ${ELASTICSEARCH_TEMPLATES}/component/ecs + + echo "Loading ECS component templates..." + for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done + + cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent + + echo "Loading Elastic Agent component templates..." + for i in *; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done + + # Load SO-specific component templates + cd ${ELASTICSEARCH_TEMPLATES}/component/so + + echo "Loading Security Onion component templates..." + for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done echo - echo -e "Connection attempt timed out. Unable to connect to ElasticSearch. \nPlease try: \n -checking log(s) in /var/log/elasticsearch/\n -running 'sudo docker ps' \n -running 'sudo so-elastic-restart'" + + # Load SO index templates + cd ${ELASTICSEARCH_TEMPLATES}/index + + echo "Loading Security Onion index templates..." + for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done echo - exit 1 +else + echo "Elastic Fleet not configured. Exiting..." + exit 0 fi - -SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') -INSTALLED=$(elastic_fleet_package_is_installed {{ SUPPORTED_PACKAGES[0] }} ) -if [ "$INSTALLED" != "installed" ]; then - echo - echo "Packages not yet installed." - echo - exit 0 -fi - -set -e - -cd ${ELASTICSEARCH_TEMPLATES}/component/ecs - -echo "Loading ECS component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE-mappings"; so-elasticsearch-query _component_template/$TEMPLATE-mappings -d@$i -XPUT 2>/dev/null; echo; done - -cd ${ELASTICSEARCH_TEMPLATES}/component/elastic-agent - -echo "Loading Elastic Agent component templates..." -for i in *; do TEMPLATE=${i::-5}; echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done - -# Load SO-specific component templates -cd ${ELASTICSEARCH_TEMPLATES}/component/so - -echo "Loading Security Onion component templates..." -for i in *; do TEMPLATE=$(echo $i | cut -d '.' -f1); echo "$TEMPLATE"; so-elasticsearch-query _component_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -# Load SO index templates -cd ${ELASTICSEARCH_TEMPLATES}/index - -echo "Loading Security Onion index templates..." -for i in *; do TEMPLATE=${i::-14}; echo "$TEMPLATE"; so-elasticsearch-query _index_template/$TEMPLATE -d@$i -XPUT 2>/dev/null; echo; done -echo - -cd - >/dev/null + cd - >/dev/null From e02bdffe3418c68ab50fc9d7814e9ade7dd8b646 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 16:10:22 -0400 Subject: [PATCH 14/15] Fix typos --- salt/elasticsearch/defaults.yaml | 40 ++++++++++++++++---------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index f53e82de1..3f29483e0 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -386,18 +386,18 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-aws.route53.resolver_logs: + so-logs-aws.route53_resolver_logs: index_sorting: False index_template: index_patterns: - - "logs-aws.route53.resolver_logs-*" + - "logs-aws.route53_resolver_logs-*" template: settings: index: number_of_replicas: 0 composed_of: - - "logs-aws.route53.resolver_logs@package" - - "logs-aws.route53.resolver_logs@custom" + - "logs-aws.route53_resolver_logs@package" + - "logs-aws.route53_resolver_logs@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 @@ -548,18 +548,18 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-azure.identity_protect: + so-logs-azure.identity_protection: index_sorting: False index_template: index_patterns: - - "logs-azure.identity_protect-*" + - "logs-azure.identity_protection-*" template: settings: index: number_of_replicas: 0 composed_of: - - "logs-azure.identity_protect@package" - - "logs-azure.identity_protect@custom" + - "logs-azure.identity_protection@package" + - "logs-azure.identity_protection@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 @@ -638,36 +638,36 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-cloudflare-audit: + so-logs-cloudflare.audit: index_sorting: False index_template: index_patterns: - - "logs-cloudflare-audit-*" + - "logs-cloudflare.audit-*" template: settings: index: number_of_replicas: 0 composed_of: - - "logs-cloudflare-audit@package" - - "logs-cloudflare-audit@custom" + - "logs-cloudflare.audit@package" + - "logs-cloudflare.audit@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 data_stream: hidden: false allow_custom_routing: false - so-logs-cloudflare-logpull: + so-logs-cloudflare.logpull: index_sorting: False index_template: index_patterns: - - "logs-cloudflare-logpull-*" + - "logs-cloudflare.logpull-*" template: settings: index: number_of_replicas: 0 composed_of: - - "logs-cloudflare-logpull@package" - - "logs-cloudflare-logpull@custom" + - "logs-cloudflare.logpull@package" + - "logs-cloudflare.logpull@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 @@ -782,18 +782,18 @@ elasticsearch: data_stream: hidden: false allow_custom_routing: false - so-logs-google_workspace_transparency: + so-logs-google_workspace.access_transparency: index_sorting: False index_template: index_patterns: - - "logs-google_workspace_transparency-*" + - "logs-google_workspace.access_transparency-*" template: settings: index: number_of_replicas: 0 composed_of: - - "logs-google_workspace_transparency@package" - - "logs-google_workspace_transparency@custom" + - "logs-google_workspace.access_transparency@package" + - "logs-google_workspace.access_transparency@custom" - "so-fleet_globals-1" - "so-fleet_agent_id_verification-1" priority: 501 From 05b84327b847c296d19f0a2f2090fcfa1e0fe299 Mon Sep 17 00:00:00 2001 From: weslambert Date: Fri, 23 Jun 2023 16:32:57 -0400 Subject: [PATCH 15/15] Fix typo --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 8b65d97e3..baeac99f0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1150,7 +1150,7 @@ elasticsearch_pillar() { " query:"\ " bool:"\ " max_clause_count: 3500"\ - " index_settings: {}" > $elasticsearch_pillar_file + " index_settings: {}" > $elasticsearch_pillar_file } es_heapsize() {