CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'dev' into kilo

Browse Source
This commit is contained in:
Jason Ertel
2022-01-07 13:41:35 -05:00
parent 391db568b0 3c44f6fd41
commit d3656a7777
15 changed files with 564 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
salt/elasticsearch/defaults.yaml
View File

@@ -56,6 +56,12 @@ elasticsearch:
query:
bool:
max_clause_count: 1500
id_field_data:
enabled: false
logger:
org:
elasticsearch:
deprecation: ERROR

2
salt/elasticsearch/files/ingest/ossec
View File

@@ -32,7 +32,7 @@
{ "rename": { "field": "data.win.eventdata.targetFilename", "target_field": "file.target", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata.user", "target_field": "user.name", "ignore_missing": true } },
{ "rename": { "field": "data.win.system", "target_field": "winlog", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata", "target_field": "winlog.event_data", "ignore_missing": true } },
{ "rename": { "field": "data.win.eventdata", "target_field": "winlog.event_data", "ignore_missing": true } },
{ "rename": { "field": "data", "target_field": "wazuh.data", "ignore_missing": true } },
{ "rename": { "field": "winlog.eventID", "target_field": "winlog.event_id", "ignore_missing": true } },
{ "rename": { "field": "predecoder.program_name", "target_field": "process.name", "ignore_missing": true } },

12
salt/elasticsearch/init.sls
View File

@@ -330,13 +330,15 @@ so-elasticsearch-pipelines-file:
ELASTICCURL: {{ ELASTICAUTH.elasticcurl }}
so-elasticsearch-pipelines:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ grains.host }}
- onchanges:
cmd.run:
- name: /opt/so/conf/elasticsearch/so-elasticsearch-pipelines {{ grains.host }}
- onchanges:
- file: esingestconf
- file: esingestdynamicconf
- file: esyml
- file: so-elasticsearch-pipelines-file
- require:
- docker_container: so-elasticsearch
{% if TEMPLATES %}
so-elasticsearch-templates:
@@ -344,6 +346,8 @@ so-elasticsearch-templates:
- name: /usr/sbin/so-elasticsearch-templates-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
{% endif %}
so-elasticsearch-roles-load:
@@ -351,6 +355,8 @@ so-elasticsearch-roles-load:
- name: /usr/sbin/so-elasticsearch-roles-load
- cwd: /opt/so
- template: jinja
- require:
- docker_container: so-elasticsearch
{% endif %} {# if grains['role'] != 'so-helix' #}

380
salt/elasticsearch/templates/so/so-common-template.json.jinja
View File

@@ -165,10 +165,57 @@
}
}
},
"agent":{
"agent": {
"type":"object",
"dynamic": true
},
"dynamic": true,
"properties": {
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"as":{
"type":"object",
"dynamic": true
@@ -225,17 +272,164 @@
"type":"object",
"dynamic": true
},
"ecs":{
"type":"object",
"dynamic": true
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"error":{
"type":"object",
"dynamic": true
},
"event":{
"type":"object",
"dynamic": true
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"ignore_above": 1024,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword".
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_data":{
"type":"object",
@@ -267,11 +461,97 @@
},
"host":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"http":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties": {
"request": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bytes": {
"type": "long"
},
"method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"referrer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"response": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bytes": {
"type": "long"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"import":{
"type":"object",
@@ -318,7 +598,18 @@
},
"log":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"logscan": {
"type": "object",
@@ -436,7 +727,27 @@
},
"service":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"sip":{
"type":"object",
@@ -462,9 +773,20 @@
"type":"object",
"dynamic": true
},
"source":{
"source":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties" : {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"ssh":{
"type":"object",
@@ -478,11 +800,12 @@
"type":"object",
"dynamic": true
},
"tags":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
@@ -508,7 +831,22 @@
},
"user_agent":{
"type":"object",
"dynamic": true
"dynamic": true,
"properties": {
"original": {
"fields": {
"keyword": {
"type": "keyword"
},
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version":{
"type":"object",