From c512351dd6cdbde6239141de16adebe3d90d1155 Mon Sep 17 00:00:00 2001
From: weslambert
Date: Fri, 14 Jan 2022 17:01:13 -0500
Subject: [PATCH] Add mapping for scan.exiftool and scan.pe.sections.entropy
---
 .../templates/so/so-case-template.json.jinja | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja
index e85367113..d05cc9852 100644
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-case-template.json.jinja
@@ -244,6 +244,26 @@
 "message": {
 "type": "text"
 },
+ "scan":{
+ "type":"object",
+ "dynamic": true,
+ "properties":{
+ "exiftool":{
+ "type":"text"
+ },
+ "pe":{
+ "properties":{
+ "sections":{
+ "properties":{
+ "entropy":{
+ "type": "float"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
 "tags": {
 "type": "keyword",
 "ignore_above": 1024
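Review bot: The new `scan` object is declared with `"dynamic": true`, so every key that arrives under `scan.*` beyond the two mapped here gets its own field mapping; scan results describe file contents and metadata, which whoever supplied the file largely controls, so the set of keys is open-ended. That can push the index toward `index.mapping.total_fields.limit`, or fix a field's type from the first document seen, after which documents carrying a different type for that key are rejected. If the intent is only the two fields the subject line names, consider `"dynamic": false` on `scan` (unmapped keys stay in `_source` but are not indexed), and confirm that `scan.exiftool` really arrives as a single string, since a `text` mapping rejects an object value. The enclosing `properties` block starts and ends outside this hunk, so whether the template already sets a stricter default is not visible here.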