diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index e586100da..6e4ce206b 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -53,6 +53,7 @@ elasticfleet:
 - citrix_waf
 - cloudflare
 - crowdstrike
+ - cybereason
 - darktrace
 - elastic_agent
 - elasticsearch
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index f0178728e..0a6463f06 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -3562,6 +3562,270 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-cybereason_x_logon_session:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.logon_session-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.logon_session@package"
+ - "logs-cybereason.logon_session@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.logon_session@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cybereason_x_malop_connection:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.malop_connection-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.malop_connection@package"
+ - "logs-cybereason.malop_connection@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.malop_connection@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cybereason_x_malop_process:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.malop_process-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.malop_process@package"
+ - "logs-cybereason.malop_process@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.malop_process@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cybereason_x_malware:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.malware-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.malware@package"
+ - "logs-cybereason.malware@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.malware@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cybereason_x_poll_malop:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.poll_malop-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.poll_malop@package"
+ - "logs-cybereason.poll_malop@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.poll_malop@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-cybereason_x_suspicions_process:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-cybereason.suspicions_process-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ composed_of:
+ - "logs-cybereason.suspicions_process@package"
+ - "logs-cybereason.suspicions_process@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ ignore_missing_component_templates:
+ - logs-cybereason.suspicions_process@custom
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 60d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-darktrace_x_ai_analyst_alert:
 index_sorting: false
 index_template:
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index 266372708..284e4acc2 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
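Review bot: Each of the six new stanzas writes `index_sorting: False`, while the surrounding entries in this file, e.g. the `so-logs-darktrace_x_ai_analyst_alert` context lines at the end of the hunk, use lowercase `false`; the capitalized form still parses as a boolean under YAML 1.1 but trips yamllint's truthy rule and breaks the file's convention, so change it to `index_sorting: false` in all six blocks. The six blocks are identical apart from the dataset suffix, so if this file is rendered through Salt's Jinja a loop over the dataset names would keep the retention policy (30d hot rollover, 60d cold, 365d delete) in one place, though the explicit per-dataset form does match how the neighbouring integrations are declared. `ignore_missing_component_templates` lists the `@custom` name unquoted whereas `composed_of` quotes the same string; both parse to the same value, but quoting it too keeps the two lists visibly identical.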
@@ -398,6 +398,12 @@ elasticsearch:
 so-logs-cloudflare_x_logpull: *indexSettings
 so-logs-crowdstrike_x_falcon: *indexSettings
 so-logs-crowdstrike_x_fdr: *indexSettings
+ so-logs-cybereason_x_logon_session: *indexSettings
+ so-logs-cybereason_x_malop_connection: *indexSettings
+ so-logs-cybereason_x_malop_process: *indexSettings
+ so-logs-cybereason_x_malware: *indexSettings
+ so-logs-cybereason_x_poll_malop: *indexSettings
+ so-logs-cybereason_x_suspicions_process: *indexSettings
 so-logs-darktrace_x_ai_analyst_alert: *indexSettings
 so-logs-darktrace_x_model_breach_alert: *indexSettings
 so-logs-darktrace_x_system_status_alert: *indexSettings
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.logon_session@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_connection@custom.json
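Review bot: The new `@custom` component template forces `host.ip`, `related.ip`, `destination.ip` and `source.ip` to the `ip` type without `ignore_malformed`, so any Cybereason event that carries a non-address value in one of those fields (a hostname, an empty string, a comma-joined list) is rejected at index time and the whole document is lost rather than just that field. Unless the package's ingest pipeline is known to guarantee parsed addresses there, consider `"type": "ip", "ignore_malformed": true` on each of the four fields so the event is still indexed and the offending value is recorded in `_ignored`. Style: `"properties":{` on the inner objects drops the space after the colon that `"template": {` and `"mappings": {` in the same file use; keep one form. The same content, byte for byte (identical blob id in each file header), is added as `logs-cybereason.malop_connection@custom.json`, `malop_process`, `malware`, `poll_malop` and `suspicions_process` in the following hunks, so these points apply to all six files.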
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malop_process@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.malware@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.poll_malop@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-cybereason.suspicions_process@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}