Merge branch '2.4/t dev' into kilo

This commit is contained in:
Jason Ertel
2023-07-27 10:20:22 -04:00
164 changed files with 6408 additions and 29086 deletions
+2 -2
@@ -1,6 +1,6 @@
## Security Onion 2.4 Beta 4 ## Security Onion 2.4 Release Candidate 1 (RC1)
Security Onion 2.4 Beta 4 is here! Security Onion 2.4 Release Candidate 1 (RC1) is here!
## Screenshots ## Screenshots
+3 -3
@@ -3,14 +3,14 @@ import subprocess
def check(): def check():
os = __grains__['os'] osfam = __grains__['os_family']
retval = 'False' retval = 'False'
if os == 'Ubuntu': if osfam == 'Debian':
if path.exists('/var/run/reboot-required'): if path.exists('/var/run/reboot-required'):
retval = 'True' retval = 'True'
elif os == 'Rocky': elif osfam == 'RedHat':
cmd = 'needs-restarting -r > /dev/null 2>&1' cmd = 'needs-restarting -r > /dev/null 2>&1'
try: try:
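Review bot: The RedHat branch now runs on every RedHat-family OS, not just Rocky, so it depends on `needs-restarting` being installed (yum-utils, which the common package list in this commit does include), and the function still signals its result as the strings 'False'/'True'; neither is stated anywhere. A docstring would pin the contract: `"""Return 'True' if the host needs a reboot: /var/run/reboot-required on Debian-family, needs-restarting -r (yum-utils) on RedHat-family; 'False' otherwise."""`. If the `os_family` grain can be absent on some minion, `osfam = __grains__.get('os_family', '')` lets the unmatched case fall through to `retval = 'False'` instead of raising KeyError. check() continues past the end of the hunk.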
+2 -4
@@ -1,13 +1,11 @@
{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
{ {
"registry-mirrors": [ "registry-mirrors": [
"https://:5000" "https://:5000"
], ],
"bip": "{{ DOCKERBIND }}", "bip": "172.17.0.1/24",
"default-address-pools": [ "default-address-pools": [
{ {
"base": "{{ DOCKERRANGE }}", "base": "172.17.0.0/24",
"size": 24 "size": 24
} }
] ]
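Review bot: The default bridge settings are now literals, so a deployment that had set `docker:bip` or `docker:range` in pillar will silently keep 172.17.0.0/24 after the upgrade, and nothing in the template says this is intended. A one-line Jinja comment at the top, e.g. `{# docker0 bridge is fixed; only docker:range/docker:gateway (the sobridge network) are tunable via pillar #}`, would save the next maintainer a search through defaults.yaml. The `registry-mirrors` entry renders here as `https://:5000` with an empty host; that is probably an artefact of this page, but it is worth confirming the template still carries the manager address.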
+2 -3
@@ -195,7 +195,7 @@ soversionfile:
{% endif %} {% endif %}
{% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %} {% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
{% if GLOBALS.os == 'Rocky' %} {% if GLOBALS.os == 'OEL' %}
# Install Raid tools # Install Raid tools
raidpkgs: raidpkgs:
pkg.installed: pkg.installed:
@@ -217,8 +217,7 @@ so-raid-status:
- month: '*' - month: '*'
- dayweek: '*' - dayweek: '*'
{% endif %} {% endif %}
{% else %} {% else %}
{{sls}}_state_not_allowed: {{sls}}_state_not_allowed:
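Review bot: The raid-tools guard is narrowed from `GLOBALS.os == 'Rocky'` to `GLOBALS.os == 'OEL'`, so Rocky and CentOS Stream hosts, which set_os in this same commit still recognizes and which the common packages state now handles via `os_family == 'RedHat'`, no longer get the RAID packages or the so-raid-status cron. If every RedHat-family build should have them, `{% if GLOBALS.os_family == 'RedHat' %}` matches the rest of the change; if OEL-only is deliberate, a comment such as `{# RAID tooling is only shipped on the OEL appliance image #}` would stop someone "fixing" it later. The enclosing `{% if GLOBALS.so_model ... %}` block ends outside the hunk.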
+39 -20
@@ -1,6 +1,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os == 'Ubuntu' %} {% if GLOBALS.os_family == 'Debian' %}
commonpkgs: commonpkgs:
pkg.installed: pkg.installed:
- skip_suggestions: True - skip_suggestions: True
@@ -14,16 +14,24 @@ commonpkgs:
- software-properties-common - software-properties-common
- apt-transport-https - apt-transport-https
- openssl - openssl
- netcat - netcat-openbsd
- sqlite3 - sqlite3
- libssl-dev - libssl-dev
- python3-dateutil - python3-dateutil
- python3-docker
- python3-packaging - python3-packaging
- python3-watchdog - python3-watchdog
- python3-lxml - python3-lxml
- git - git
- rsync
- vim - vim
- tar
- unzip
{% if grains.oscodename != 'focal' %}
- python3-rich
{% endif %}
{% if grains.oscodename == 'focal' %}
# since Ubuntu requires and internet connection we can use pip to install modules # since Ubuntu requires and internet connection we can use pip to install modules
python3-pip: python3-pip:
pkg.installed pkg.installed
@@ -34,34 +42,45 @@ python-rich:
- target: /usr/local/lib/python3.8/dist-packages/ - target: /usr/local/lib/python3.8/dist-packages/
- require: - require:
- pkg: python3-pip - pkg: python3-pip
{% endif %}
{% endif %}
{% elif GLOBALS.os == 'Rocky' %} {% if GLOBALS.os_family == 'RedHat' %}
commonpkgs: commonpkgs:
pkg.installed: pkg.installed:
- skip_suggestions: True - skip_suggestions: True
- pkgs: - pkgs:
- wget
- jq
- tcpdump
- httpd-tools
- net-tools
- curl - curl
- sqlite
- mariadb-devel
- python3-dnf-plugin-versionlock
- nmap-ncat
- yum-utils
- device-mapper-persistent-data - device-mapper-persistent-data
- lvm2 - fuse
- openssl - fuse-libs
- fuse-overlayfs
- fuse-common
- fuse3
- fuse3-libs
- git - git
- httpd-tools
- jq
- lvm2
{% if GLOBALS.os == 'CentOS Stream' %}
- MariaDB-devel
{% else %}
- mariadb-devel
{% endif %}
- net-tools
- nmap-ncat
- openssl
- python3-dnf-plugin-versionlock
- python3-docker - python3-docker
- python3-m2crypto - python3-m2crypto
- rsync
- python3-rich
- python3-pyyaml
- python3-watchdog
- python3-packaging - python3-packaging
- python3-pyyaml
- python3-rich
- python3-watchdog
- rsync
- sqlite
- tcpdump
- unzip - unzip
- wget
- yum-utils
{% endif %} {% endif %}
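Review bot: The RedHat branch became a standalone `{% if GLOBALS.os_family == 'RedHat' %}` after the Debian block's `{% endif %}`, so a minion whose os_family is neither renders no commonpkgs state and raises no error, whereas soversionfile in this commit fails loudly through its `{{sls}}_state_not_allowed` pattern. An `{% else %}` branch here with a `test.fail_without_changes` state and a comment naming the supported families would keep the two files consistent. Separately, `{% if grains.oscodename != 'focal' %}` for python3-rich and the `{% if grains.oscodename == 'focal' %}` pip block just below it are complementary conditions that read more clearly as a single if/else.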
+21 -17
@@ -199,19 +199,20 @@ get_random_value() {
} }
gpg_rpm_import() { gpg_rpm_import() {
if [[ "$OS" == "rocky" ]]; then if [[ $is_oracle ]]; then
if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
local RPMKEYSLOC="../salt/repo/client/files/rocky/keys" local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
else else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys" local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi fi
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub') for RPMKEY in "${RPMKEYS[@]}"; do
for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY" echo "Imported $RPMKEY"
done done
else
info "Importing the security onion GPG key"
rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
fi fi
} }
@@ -395,19 +396,22 @@ salt_minion_count() {
} }
set_cron_service_name() {
if [[ "$OS" == "rocky" ]]; then
cron_service_name="crond"
else
cron_service_name="cron"
fi
}
set_os() { set_os() {
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
OS=rocky if grep -q "Rocky Linux release 9" /etc/redhat-release; then
OS=rocky
OSVER=9
is_rocky=true
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos
OSVER=9
is_centos=true
fi
cron_service_name="crond"
else else
OS=ubuntu OS=ubuntu
is_ubuntu=true
cron_service_name="cron"
fi fi
} }
@@ -416,7 +420,7 @@ set_minionid() {
} }
set_palette() { set_palette() {
if [ "$OS" == ubuntu ]; then if [[ $is_deb ]]; then
update-alternatives --set newt-palette /etc/newt/palette.original update-alternatives --set newt-palette /etc/newt/palette.original
fi fi
} }
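Review bot: `gpg_rpm_import` now branches on `$is_oracle` and `set_palette` on `$is_deb`, but the `set_os` in this hunk only assigns `is_rocky`, `is_centos` and `is_ubuntu`; unless those two flags are set elsewhere, key import always takes the else branch and the palette step never runs. When /etc/redhat-release matches neither grep, `OS` and `OSVER` stay unset, so `RPMKEYSLOC` expands to `.../files//keys`; an `else` that fails with a clear message would surface that. Since these keys are the trust root for every later package verification, the import loop should not print "Imported" on failure: `rpm --import "$RPMKEYSLOC/$RPMKEY" || { echo "Failed to import $RPMKEY from $RPMKEYSLOC"; return 1; }`, and the same applies to the unconditional `rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub`, whose relative path only resolves from the setup directory while the if-branch already handles the `$UPDATE_DIR` case.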
+638 -213
@@ -1,170 +1,279 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %} {% if GLOBALS.os == 'OEL' %}
desktop_packages: desktop_packages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
- ModemManager
- ModemManager-glib
- NetworkManager - NetworkManager
- NetworkManager-adsl - NetworkManager-adsl
- NetworkManager-bluetooth - NetworkManager-bluetooth
- NetworkManager-l2tp-gnome - NetworkManager-config-server
- NetworkManager-libreswan-gnome - NetworkManager-libnm
- NetworkManager-openconnect-gnome
- NetworkManager-openvpn-gnome
- NetworkManager-ppp
- NetworkManager-pptp-gnome
- NetworkManager-team - NetworkManager-team
- NetworkManager-tui - NetworkManager-tui
- NetworkManager-wifi - NetworkManager-wifi
- NetworkManager-wwan - NetworkManager-wwan
- PackageKit
- PackageKit-command-not-found
- PackageKit-glib
- PackageKit-gstreamer-plugin - PackageKit-gstreamer-plugin
- aajohan-comfortaa-fonts - PackageKit-gtk3-module
- abattis-cantarell-fonts
- acl
- alsa-ucm
- alsa-utils
- anaconda
- anaconda-install-env-deps
- anaconda-live
- at
- attr
- audit - audit
- audit-libs
- authselect - authselect
- authselect-libs
- avahi
- avahi-glib
- avahi-libs
- baobab
- basesystem - basesystem
- bash
- bash-completion
- bc - bc
- blktrace - bcache-tools
- bluez - bluez
- bluez-libs
- bluez-obexd
- bolt - bolt
- bpftool
- bzip2 - bzip2
- bzip2-libs
- c-ares
- ca-certificates
- cairo
- cairo-gobject
- cairomm
- checkpolicy
- cheese
- cheese-libs
- chkconfig - chkconfig
- chromium - chrome-gnome-shell
- chrony - clutter
- cinnamon - clutter-gst3
- cinnamon-control-center - clutter-gtk
- cinnamon-screensaver - cogl
- cockpit - color-filesystem
- coreutils - colord
- cpio - colord-gtk
- cronie - colord-libs
- crontabs - conmon
- crypto-policies - cups
- crypto-policies-scripts - cups-client
- cryptsetup - cups-filesystem
- curl - cups-filters
- cyrus-sasl-plain - cups-filters-libs
- dbus - cups-ipptool
- cups-libs
- cups-pk-helper
- dconf
- dejavu-sans-fonts - dejavu-sans-fonts
- dejavu-sans-mono-fonts - dejavu-sans-mono-fonts
- dejavu-serif-fonts - dejavu-serif-fonts
- dnf - desktop-file-utils
- dnf-plugins-core - evolution-data-server
- dos2unix - evolution-data-server-langpacks
- dosfstools - firefox
- dracut-config-rescue - flac-libs
- dracut-live - flashrom
- dsniff - flatpak
- e2fsprogs - flatpak-libs
- ed - flatpak-selinux
- efi-filesystem - flatpak-session-helper
- efibootmgr - fontconfig
- efivar-libs - fonts-filesystem
- eom - foomatic
- ethtool - foomatic-db
- f36-backgrounds-extras-gnome - foomatic-db-filesystem
- f36-backgrounds-gnome - foomatic-db-ppds
- f37-backgrounds-extras-gnome - freetype
- f37-backgrounds-gnome - fuse
- file - fuse-common
- filesystem - fuse-libs
- firewall-config - fuse-overlayfs
- firewalld - fuse3
- fprintd-pam - fuse3-libs
- git - fwupd
- glibc - fwupd-plugin-flashrom
- glibc-all-langpacks - gcr
- gcr-base
- gd
- gdbm-libs
- gdisk
- gdk-pixbuf2
- gdk-pixbuf2-modules
- gdm
- gedit
- geoclue2
- geoclue2-libs
- geocode-glib
- gettext
- gettext-libs
- ghostscript
- ghostscript-tools-fonts
- ghostscript-tools-printing
- giflib
- glx-utils
- gmp
- gnome-autoar
- gnome-bluetooth
- gnome-bluetooth-libs
- gnome-calculator - gnome-calculator
- gnome-characters
- gnome-classic-session
- gnome-color-manager
- gnome-control-center
- gnome-control-center-filesystem
- gnome-desktop3
- gnome-disk-utility - gnome-disk-utility
- gnome-font-viewer
- gnome-initial-setup
- gnome-keyring
- gnome-keyring-pam
- gnome-logs
- gnome-menus
- gnome-online-accounts
- gnome-remote-desktop
- gnome-screenshot - gnome-screenshot
- gnome-session
- gnome-session-wayland-session
- gnome-session-xsession
- gnome-settings-daemon
- gnome-shell
- gnome-shell-extension-apps-menu
- gnome-shell-extension-background-logo
- gnome-shell-extension-common
- gnome-shell-extension-desktop-icons
- gnome-shell-extension-launch-new-instance
- gnome-shell-extension-places-menu
- gnome-shell-extension-window-list
- gnome-software
- gnome-system-monitor - gnome-system-monitor
- gnome-terminal - gnome-terminal
- gnupg2 - gnome-terminal-nautilus
- gnome-tour
- gnome-user-docs
- gnome-video-effects
- gobject-introspection
- gom
- google-droid-sans-fonts
- google-noto-cjk-fonts-common
- google-noto-emoji-color-fonts - google-noto-emoji-color-fonts
- google-noto-fonts-common
- google-noto-sans-cjk-ttc-fonts - google-noto-sans-cjk-ttc-fonts
- google-noto-sans-gurmukhi-fonts - google-noto-sans-gurmukhi-fonts
- google-noto-sans-sinhala-vf-fonts - google-noto-sans-sinhala-vf-fonts
- google-noto-serif-cjk-ttc-fonts - google-noto-serif-cjk-ttc-fonts
- grub2-common - gpgme
- grub2-pc-modules - gpm-libs
- grub2-tools - graphene
- grub2-tools-efi - graphite2
- grub2-tools-extra - gsettings-desktop-schemas
- grub2-tools-minimal - gsm
- grubby - gsound
- gspell
- gstreamer1
- gstreamer1-plugins-bad-free - gstreamer1-plugins-bad-free
- gstreamer1-plugins-base
- gstreamer1-plugins-good - gstreamer1-plugins-good
- gstreamer1-plugins-good-gtk
- gstreamer1-plugins-ugly-free - gstreamer1-plugins-ugly-free
- gtk-update-icon-cache
- gtk3
- gtk4
- gtkmm30
- gtksourceview4
- gutenprint
- gutenprint-cups
- gutenprint-doc
- gutenprint-libs
- gvfs
- gvfs-client
- gvfs-fuse
- gvfs-goa
- gvfs-gphoto2 - gvfs-gphoto2
- gvfs-mtp - gvfs-mtp
- gvfs-smb - gvfs-smb
- hostname - gzip
- hyperv-daemons - harfbuzz
- ibus-anthy - harfbuzz-icu
- ibus-hangul - hdparm
- ibus-libpinyin - hicolor-icon-theme
- ibus-libzhuyin - highcontrast-icon-theme
- ibus-m17n - hplip-common
- ibus-typing-booster - hplip-libs
- imsettings-systemd - hunspell
- initial-setup-gui - hunspell-en
- initscripts - hunspell-en-GB
- hunspell-en-US
- hunspell-filesystem
- hyphen
- ibus
- ibus-gtk3
- ibus-libs
- ibus-setup
- iio-sensor-proxy
- ima-evm-utils
- inih
- initscripts-rename-device - initscripts-rename-device
- iproute - initscripts-service
- iproute-tc - iso-codes
- iprutils - jansson
- iputils - jbig2dec-libs
- irqbalance - jbigkit-libs
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000g2a-firmware
- iwl6000g2b-firmware
- iwl6050-firmware
- iwl7260-firmware
- jomolhari-fonts - jomolhari-fonts
- jose
- jq
- json-c
- json-glib
- julietaula-montserrat-fonts - julietaula-montserrat-fonts
- kbd - kbd
- kernel - kbd-misc
- kernel-modules
- kernel-modules-extra
- kernel-tools
- kexec-tools
- khmer-os-system-fonts - khmer-os-system-fonts
- kmod-kvdo - langpacks-core-en
- kpatch - langpacks-core-font-en
- kpatch-dnf - langpacks-en
- ledmon - lcms2
- less - libICE
- libSM
- libX11
- libX11-common
- libX11-xcb
- libXau
- libXcomposite
- libXcursor
- libXdamage
- libXdmcp
- libXext
- libXfixes
- libXfont2
- libXft
- libXi
- libXinerama
- libXmu
- libXpm
- libXrandr
- libXrender
- libXres
- libXt
- libXtst
- libXv
- libXxf86dga
- libXxf86vm
- libappstream-glib
- liberation-fonts-common
- liberation-mono-fonts - liberation-mono-fonts
- liberation-sans-fonts - liberation-sans-fonts
- liberation-serif-fonts - liberation-serif-fonts
- libertas-sd8787-firmware - libertas-sd8787-firmware
- libstoragemgmt - libglvnd-gles
- libsysfs - libglvnd-glx
- lightdm - libglvnd-opengl
- linux-firmware - libgnomekbd
- logrotate - libgomp
- libgphoto2
- lockdev
- lohit-assamese-fonts - lohit-assamese-fonts
- lohit-bengali-fonts - lohit-bengali-fonts
- lohit-devanagari-fonts - lohit-devanagari-fonts
@@ -173,138 +282,454 @@ desktop_packages:
- lohit-odia-fonts - lohit-odia-fonts
- lohit-tamil-fonts - lohit-tamil-fonts
- lohit-telugu-fonts - lohit-telugu-fonts
- lshw - mesa-dri-drivers
- lsof - mesa-filesystem
- lsscsi - mesa-libEGL
- lvm2 - mesa-libGL
- mailcap - mesa-libgbm
- man-db - mesa-libglapi
- man-pages - mesa-libxatracker
- mcelog - mesa-vulkan-drivers
- mdadm
- memtest86+
- metacity
- microcode_ctl - microcode_ctl
- mlocate - mobile-broadband-provider-info
- mozilla-filesystem
- mpfr
- mpg123-libs
- mtdev
- mtr - mtr
- nano - nautilus
- ncurses - nautilus-extensions
- nemo-fileroller - oracle-backgrounds
- nemo-image-converter - oracle-indexhtml
- nemo-preview - oracle-logos
- net-tools - pcaudiolib
- netronome-firmware - pinentry
- ngrep - pinentry-gnome3
- nm-connection-editor
- nmap-ncat
- nvme-cli
- open-vm-tools-desktop
- openssh-clients
- openssh-server
- p11-kit
- paktype-naskh-basic-fonts
- parole
- parted
- passwd
- pciutils
- pinfo - pinfo
- pipewire - pipewire
- pipewire-alsa - pipewire-alsa
- pipewire-gstreamer - pipewire-gstreamer
- pipewire-jack-audio-connection-kit - pipewire-jack-audio-connection-kit
- pipewire-libs
- pipewire-pulseaudio - pipewire-pulseaudio
- pipewire-utils - pipewire-utils
- pixman
- plymouth - plymouth
- plymouth-core-libs
- plymouth-graphics-libs
- plymouth-plugin-label
- plymouth-plugin-two-step
- plymouth-scripts
- plymouth-system-theme
- plymouth-theme-spinner
- policycoreutils - policycoreutils
- powerline - policycoreutils-python-utils
- ppp
- prefixdevname
- procps-ng
- psacct
- pt-sans-fonts - pt-sans-fonts
- python3-libselinux - pulseaudio-libs
- python3-scapy - pulseaudio-libs-glib2
- qemu-guest-agent - pulseaudio-utils
- quota - sane-airscan
- realmd - sane-backends
- redshift-gtk - sane-backends-drivers-cameras
- rocky-backgrounds
- rocky-release
- rootfiles
- rpm
- rpm-plugin-audit
- rsync
- rsyslog
- rsyslog-gnutls
- rsyslog-gssapi
- rsyslog-relp
- salt-minion
- sane-backends-drivers-scanners - sane-backends-drivers-scanners
- selinux-policy-targeted - sane-backends-libs
- setroubleshoot
- setup
- sg3_utils
- sg3_utils-libs
- shadow-utils
- sil-abyssinica-fonts - sil-abyssinica-fonts
- sil-nuosu-fonts - sil-nuosu-fonts
- sil-padauk-fonts - sil-padauk-fonts
- slick-greeter
- slick-greeter-cinnamon
- smartmontools - smartmontools
- smc-meera-fonts - smc-meera-fonts
- sos - snappy
- sound-theme-freedesktop
- soundtouch
- speech-dispatcher
- speech-dispatcher-espeak-ng
- speex
- spice-vdagent - spice-vdagent
- ssldump - switcheroo-control
- sssd
- sssd-common
- sssd-kcm
- stix-fonts
- strace
- sudo
- symlinks - symlinks
- syslinux - system-config-printer-libs
- systemd - system-config-printer-udev
- systemd-udev - taglib
- tar
- tcpdump - tcpdump
- tcpflow - thai-scalable-fonts-common
- teamd
- thai-scalable-waree-fonts - thai-scalable-waree-fonts
- time - totem
- tmux - totem-pl-parser
- tmux-powerline - totem-video-thumbnailer
- transmission - tpm2-tools
- tpm2-tss
- tracer-common
- tracker
- tracker-miners
- tree - tree
- tuned - tuned
- twolame-libs
- tzdata
- udisks2
- udisks2-iscsi
- udisks2-lvm2
- unzip - unzip
- upower
- urw-base35-bookman-fonts
- urw-base35-c059-fonts
- urw-base35-d050000l-fonts
- urw-base35-fonts
- urw-base35-fonts-common
- urw-base35-gothic-fonts
- urw-base35-nimbus-mono-ps-fonts
- urw-base35-nimbus-roman-fonts
- urw-base35-nimbus-sans-fonts
- urw-base35-p052-fonts
- urw-base35-standard-symbols-ps-fonts
- urw-base35-z003-fonts
- usb_modeswitch - usb_modeswitch
- usb_modeswitch-data
- usbutils - usbutils
- util-linux - usermode
- util-linux-user - userspace-rcu
- vdo - vdo
- vim-enhanced - vulkan-loader
- vim-minimal - wavpack
- vim-powerline - webkit2gtk3
- virt-what - webkit2gtk3-jsc
- wget - webrtc-audio-processing
- whois - wireless-regdb
- which
- wireplumber - wireplumber
- wireshark - wireplumber-libs
- woff2
- words - words
- wpa_supplicant
- wpebackend-fdo
- xdg-dbus-proxy
- xdg-desktop-portal
- xdg-desktop-portal-gnome
- xdg-desktop-portal-gtk
- xdg-user-dirs
- xdg-user-dirs-gtk - xdg-user-dirs-gtk
- xed - xdg-utils
- xfsdump - xkeyboard-config
- xfsprogs - xorg-x11-drv-evdev
- xreader - xorg-x11-drv-fbdev
- yum - xorg-x11-drv-libinput
- zip - xorg-x11-drv-vmware
- xorg-x11-drv-wacom
- xorg-x11-drv-wacom-serial-support
- xorg-x11-server-Xorg
- xorg-x11-server-Xwayland
- xorg-x11-server-common
- xorg-x11-server-utils
- xorg-x11-utils
- xorg-x11-xauth
- xorg-x11-xinit
- xorg-x11-xinit-session
#
# - aajohan-comfortaa-fonts
# - abattis-cantarell-fonts
# - acl
# - alsa-ucm
# - alsa-utils
# - anaconda
# - anaconda-install-env-deps
# - at
# - attr
# - audit
# - authselect
# - basesystem
# - bash
# - bash-completion
# - bc
# - blktrace
# - bluez
# - bolt
# - bpftool
# - bzip2
# - chkconfig
# - chromium
# - chrony
# - cockpit
# - coreutils
# - cpio
# - cronie
# - crontabs
# - crypto-policies
# - crypto-policies-scripts
# - cryptsetup
# - curl
# - cyrus-sasl-plain
# - dbus
# - dejavu-sans-fonts
# - dejavu-sans-mono-fonts
# - dejavu-serif-fonts
# - dnf
# - dnf-plugins-core
# - dos2unix
# - dosfstools
# - dracut-config-rescue
# - dracut-live
# - dsniff
# - e2fsprogs
# - ed
# - efibootmgr
# - efi-filesystem
# - efivar-libs
# - eom
# - ethtool
# - file
# - filesystem
# - firewall-config
# - firewalld
# - fprintd-pam
# - gdm
# - git
# - glibc
# - glibc-all-langpacks
# - gnome-autoar
# - gnome-bluetooth
# - gnome-bluetooth-libs
# - gnome-calculator
# - gnome-characters
# - gnome-color-manager
# - gnome-control-center
# - gnome-desktop3
# - gnome-disk-utility
# - gnome-font-viewer
# - gnome-initial-setup
# - gnome-keyring
# - gnome-keyring-pam
# - gnome-logs
# - gnome-menus
# - gnome-online-accounts
# - gnome-remote-desktop
# - gnome-screenshot
# - gnome-session
# - gnome-session-wayland-session
# - gnome-session-xsession
# - gnome-settings-daemon
# - gnome-shell
# - gnome-software
# - gnome-system-monitor
# - gnome-terminal
# - gnome-terminal-nautilus
# - gnome-tour
# - gnupg2
# - google-noto-emoji-color-fonts
# - google-noto-sans-cjk-ttc-fonts
# - google-noto-sans-gurmukhi-fonts
# - google-noto-sans-sinhala-vf-fonts
# - google-noto-serif-cjk-ttc-fonts
# - grub2-common
# - grub2-pc-modules
# - grub2-tools
# - grub2-tools-efi
# - grub2-tools-extra
# - grub2-tools-minimal
# - grubby
# - gstreamer1-plugins-bad-free
# - gstreamer1-plugins-good
# - gstreamer1-plugins-ugly-free
# - gvfs-gphoto2
# - gvfs-mtp
# - gvfs-smb
# - hostname
# - hyperv-daemons
# - ibus-anthy
# - ibus-hangul
# - ibus-libpinyin
# - ibus-libzhuyin
# - ibus-m17n
# - ibus-typing-booster
# - imsettings-systemd
# - initial-setup-gui
# - initscripts
# - initscripts-rename-device
# - iproute
# - iproute-tc
# - iprutils
# - iputils
# - irqbalance
# - iwl1000-firmware
# - iwl100-firmware
# - iwl105-firmware
# - iwl135-firmware
# - iwl2000-firmware
# - iwl2030-firmware
# - iwl3160-firmware
# - iwl5000-firmware
# - iwl5150-firmware
# - iwl6000g2a-firmware
# - iwl6000g2b-firmware
# - iwl6050-firmware
# - iwl7260-firmware
# - jomolhari-fonts
# - julietaula-montserrat-fonts
# - kbd
# - kernel
# - kernel-modules
# - kernel-modules-extra
# - kernel-tools
# - kexec-tools
# - khmer-os-system-fonts
# - kmod-kvdo
# - ledmon
# - less
# - liberation-mono-fonts
# - liberation-sans-fonts
# - liberation-serif-fonts
# - libertas-sd8787-firmware
# - libstoragemgmt
# - libsysfs
# - lightdm
# - linux-firmware
# - logrotate
# - lohit-assamese-fonts
# - lohit-bengali-fonts
# - lohit-devanagari-fonts
# - lohit-gujarati-fonts
# - lohit-kannada-fonts
# - lohit-odia-fonts
# - lohit-tamil-fonts
# - lohit-telugu-fonts
# - lshw
# - lsof
# - lsscsi
# - lvm2
# - mailcap
# - man-db
# - man-pages
# - mcelog
# - mdadm
# - memtest86+
# - metacity
# - microcode_ctl
# - mlocate
# - mtr
# - nano
# - ncurses
# - netronome-firmware
# - net-tools
# - NetworkManager
# - NetworkManager-adsl
# - NetworkManager-bluetooth
# - NetworkManager-l2tp-gnome
# - NetworkManager-libreswan-gnome
# - NetworkManager-openconnect-gnome
# - NetworkManager-openvpn-gnome
# - NetworkManager-ppp
# - NetworkManager-pptp-gnome
# - NetworkManager-team
# - NetworkManager-tui
# - NetworkManager-wifi
# - NetworkManager-wwan
# - ngrep
# - nmap-ncat
# - nm-connection-editor
# - nvme-cli
# - openssh-clients
# - openssh-server
# - open-vm-tools-desktop
# - p11-kit
# - PackageKit-gstreamer-plugin
# - paktype-naskh-basic-fonts
# - parole
# - parted
# - passwd
# - pciutils
# - pinfo
# - pipewire
# - pipewire-alsa
# - pipewire-gstreamer
# - pipewire-jack-audio-connection-kit
# - pipewire-pulseaudio
# - pipewire-utils
# - plymouth
# - policycoreutils
# - powerline
# - ppp
# - prefixdevname
# - procps-ng
# - psacct
# - pt-sans-fonts
# - python3-libselinux
# - python3-scapy
# - qemu-guest-agent
# - quota
# - realmd
# - redshift-gtk
# - rootfiles
# - rpm
# - rpm-plugin-audit
# - rsync
# - rsyslog
# - rsyslog-gnutls
# - rsyslog-gssapi
# - rsyslog-relp
# - salt-minion
# - sane-backends-drivers-scanners
# - selinux-policy-targeted
# - setroubleshoot
# - setup
# - sg3_utils
# - sg3_utils-libs
# - shadow-utils
# - sil-abyssinica-fonts
# - sil-nuosu-fonts
# - sil-padauk-fonts
# - slick-greeter
# - slick-greeter-cinnamon
# - smartmontools
# - smc-meera-fonts
# - sos
# - spice-vdagent
# - ssldump
# - sssd
# - sssd-common
# - sssd-kcm
# - stix-fonts
# - strace
# - sudo
# - symlinks
# - syslinux
# - systemd
# - systemd-udev
# - tar
# - tcpdump
# - tcpflow
# - teamd
# - thai-scalable-waree-fonts
# - time
# - tmux
# - tmux-powerline
# - transmission
# - tree
# - tuned
# - unzip
# - usb_modeswitch
# - usbutils
# - util-linux
# - util-linux-user
# - vdo
# - vim-enhanced
# - vim-minimal
# - vim-powerline
# - virt-what
# - wget
# - which
# - whois
# - wireplumber
# - wireshark
# - words
# - xdg-user-dirs-gtk
# - xed
# - xfsdump
# - xfsprogs
# - xreader
# - yum
# - zip
#
{% else %} {% else %}
desktop_packages_os_fail: desktop_packages_os_fail:
test.fail_without_changes: test.fail_without_changes:
- comment: 'SO desktop can only be installed on Rocky' - comment: 'SO desktop can only be installed on Oracle Linux'
{% endif %} {% endif %}
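Review bot: The comment `{# we only want this state to run it is CentOS #}` is stale on the new side, where the guard is `GLOBALS.os == 'OEL'`, and the same stale comment is carried into the desktop target, trusted-ca and xwindows states that follow in this commit. Replace it with `{# SO Desktop is only supported on Oracle Linux; any other os value falls through to the fail_without_changes state below #}`. The roughly three hundred commented-out package lines appended after the new list are dead content that version control already preserves; dropping them keeps the state reviewable and avoids the next editor wondering which list is authoritative. The guard uses `os` rather than the `os_family` check adopted elsewhere in the change, which is presumably deliberate given the oracle-backgrounds/oracle-logos packages, and the comment above is the place to say so.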
+2 -2
@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %} {% if GLOBALS.os == 'OEL' %}
remove_graphical_target: remove_graphical_target:
file.symlink: file.symlink:
@@ -12,6 +12,6 @@ remove_graphical_target:
{% else %} {% else %}
desktop_trusted-ca_os_fail: desktop_trusted-ca_os_fail:
test.fail_without_changes: test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky' - comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %} {% endif %}
+1 -1
@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %} {% if GLOBALS.os == 'OEL' %}
{% set global_ca_text = [] %} {% set global_ca_text = [] %}
{% set global_ca_server = [] %} {% set global_ca_server = [] %}
+2 -2
@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #} {# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %} {% if GLOBALS.os == 'OEL' %}
include: include:
- desktop.packages - desktop.packages
@@ -18,6 +18,6 @@ graphical_target:
desktop_xwindows_os_fail: desktop_xwindows_os_fail:
test.fail_without_changes: test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky' - comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %} {% endif %}
+3 -5
@@ -1,8 +1,6 @@
docker: docker:
bip: '172.17.0.1' range: '172.17.1.0/24'
range: '172.17.0.0/24' gateway: '172.17.1.1'
sorange: '172.17.1.0/24'
sobip: '172.17.1.1'
containers: containers:
'so-dockerregistry': 'so-dockerregistry':
final_octet: 20 final_octet: 20
@@ -202,4 +200,4 @@ docker:
final_octet: 99 final_octet: 99
custom_bind_mounts: [] custom_bind_mounts: []
extra_hosts: [] extra_hosts: []
extra_env: [] extra_env: []
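Review bot: `docker:range` keeps its key but changes meaning: it was the default docker0 range (172.17.0.0/24) and is now the sobridge network (172.17.1.0/24) consumed by containers.map and sos_docker_net, while `bip`, `sobip` and `sorange` disappear. A deployment that overrode `docker:range` for the old purpose will now have that value applied to sobridge, and an override of `sorange` is silently ignored; nothing here or in the docker state checks that `gateway` lies inside `range`. A comment on the keys would at least document the new contract: `# range/gateway describe the sobridge network used by SO containers; the docker0 bridge is fixed in daemon.json`.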
+1 -1
@@ -1,6 +1,6 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %} {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %} {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.sorange.split('.') %} {% set RANGESPLIT = DOCKER.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %} {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKER.containers.items() %} {% for container, vals in DOCKER.containers.items() %}
+28 -6
@@ -12,7 +12,28 @@ dockergroup:
- name: docker - name: docker
- gid: 920 - gid: 920
{% if GLOBALS.os == 'Ubuntu' %} {% if GLOBALS.os_family == 'Debian' %}
{% if grains.oscodename == 'bookworm' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.6.21-1
- docker-ce: 5:24.0.3-1~debian.12~bookworm
- docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
- hold: True
- update_holds: True
{% elif grains.oscodename == 'jammy' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.6.21-1
- docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
- hold: True
- update_holds: True
{% else %}
dockerheldpackages: dockerheldpackages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
@@ -22,14 +43,15 @@ dockerheldpackages:
- docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
- hold: True - hold: True
- update_holds: True - update_holds: True
{% endif %}
{% else %} {% else %}
dockerheldpackages: dockerheldpackages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
- containerd.io: 1.6.21-3.1.el9 - containerd.io: 1.6.21-3.1.el9
- docker-ce: 24.0.2-1.el9 - docker-ce: 24.0.4-1.el9
- docker-ce-cli: 24.0.2-1.el9 - docker-ce-cli: 24.0.4-1.el9
- docker-ce-rootless-extras: 24.0.2-1.el9 - docker-ce-rootless-extras: 24.0.4-1.el9
- hold: True - hold: True
- update_holds: True - update_holds: True
{% endif %} {% endif %}
@@ -80,8 +102,8 @@ dockerreserveports:
sos_docker_net: sos_docker_net:
docker_network.present: docker_network.present:
- name: sobridge - name: sobridge
- subnet: {{ DOCKER.sorange }} - subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.sobip }} - gateway: {{ DOCKER.gateway }}
- options: - options:
com.docker.network.bridge.name: 'sobridge' com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500' com.docker.network.driver.mtu: '1500'
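Review bot: The Debian branch now carries three near-identical `dockerheldpackages` blocks that differ only in their version pins, and the trailing `{% else %}` still applies the focal pins to any other Debian-family codename rather than refusing. A codename-to-pin map with one state body removes the repetition and turns an unknown codename into a render error instead of a silent attempt to install focal packages; the focal containerd pin sits above this hunk, so it is shown as a placeholder. The el9 pins move to 24.0.4 while the deb pins stay at 24.0.2/24.0.3, presumably deliberate, but a short comment naming the reason would help whoever bumps them next.
```jinja
{# one pin set per supported Debian-family codename; an unknown codename fails at render time #}
{% set docker_pins = {
  'bookworm': {'containerd': '1.6.21-1', 'docker': '5:24.0.3-1~debian.12~bookworm'},
  'jammy':    {'containerd': '1.6.21-1', 'docker': '5:24.0.2-1~ubuntu.22.04~jammy'},
  'focal':    {'containerd': '<FOCAL_CONTAINERD_PIN from the existing focal block>', 'docker': '5:20.10.5~3-0~ubuntu-focal'},
} %}
{% set pin = docker_pins[grains.oscodename] %}
dockerheldpackages:
  pkg.installed:
    - pkgs:
      - containerd.io: {{ pin.containerd }}
      - docker-ce: {{ pin.docker }}
      - docker-ce-cli: {{ pin.docker }}
      - docker-ce-rootless-extras: {{ pin.docker }}
    - hold: True
    - update_holds: True
{# … unchanged: RedHat-family dockerheldpackages block … #}
```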
+3 -11
@@ -1,20 +1,12 @@
docker: docker:
bip: gateway:
description: Bind IP for the default docker interface. description: Gateway for the default docker interface.
helpLink: docker.html helpLink: docker.html
advanced: True advanced: True
range: range:
description: Default docker IP range for containers. description: Default docker IP range for containers.
helpLink: docker.html helpLink: docker.html
advanced: True advanced: True
sobip:
description: Bind IP for the SO docker interface.
helpLink: docker.html
advanced: True
sorange:
description: IP range for the SO docker containers.
helpLink: docker.html
advanced: True
containers: containers:
so-curator: &dockerOptions so-curator: &dockerOptions
final_octet: final_octet:
@@ -68,4 +60,4 @@ docker:
so-strelka-filestream: *dockerOptions so-strelka-filestream: *dockerOptions
so-strelka-frontend: *dockerOptions so-strelka-frontend: *dockerOptions
so-strelka-gatekeeper: *dockerOptions so-strelka-gatekeeper: *dockerOptions
so-strelka-manager: *dockerOptions so-strelka-manager: *dockerOptions
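Review bot: The `range` description is now stale: it still reads "Default docker IP range for containers." while defaults.yaml in this commit repurposes `range` as the sobridge network (172.17.1.0/24) and adds `gateway` for it. Suggest `description: IP range for the SO docker bridge network (sobridge); the gateway must be an address inside this range.` and, for the new key, `description: Gateway address for the SO docker bridge network (sobridge).` so operators editing these advanced settings are not misled.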
+5 -2
@@ -33,19 +33,22 @@ so-elastic-agent:
{% endif %} {% endif %}
- binds: - binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro - /nsm:/nsm:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
- environment: - environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
{% endfor %} {% endfor %}
{% endif %} {% endif %}
- watch:
- file: create-elastic-agent-config
delete_so-elastic-agent_so-status.disabled: delete_so-elastic-agent_so-status.disabled:
file.uncomment: file.uncomment:
@@ -11,7 +11,7 @@ outputs:
- 'https://{{ GLOBALS.hostname }}:9200' - 'https://{{ GLOBALS.hostname }}:9200'
username: '{{ ES_USER }}' username: '{{ ES_USER }}'
password: '{{ ES_PASS }}' password: '{{ ES_PASS }}'
ssl.verification_mode: none ssl.verification_mode: full
output_permissions: {} output_permissions: {}
agent: agent:
download: download:
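Review bot: The new bind mount and `FLEET_CA` both point at `/etc/pki/tls/certs/intca.crt` unconditionally, while the fleet-server state in this same commit switches to `/etc/ssl/certs/intca.crt` when `GLOBALS.os_family == 'Debian'`; if that path is absent on Debian-family hosts, the bind either fails or Docker creates an empty directory there, and the agent has no CA to validate against just as `ssl.verification_mode` is tightened from `none` to `full`. Mirroring the fleet-server os_family switch here, for the bind source path and for `FLEET_CA`, keeps the two states consistent; mounting the Debian path onto the same in-container path would leave the env value unchanged. The move to `full` verification is the right direction and worth a comment so it is not relaxed again during troubleshooting.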
+7
@@ -45,6 +45,13 @@ eaconfdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
ealogdir:
file.directory:
- name: /opt/so/log/elasticfleet
- user: 947
- group: 939
- makedirs: True
eastatedir: eastatedir:
file.directory: file.directory:
- name: /opt/so/conf/elastic-fleet/state - name: /opt/so/conf/elastic-fleet/state
+1
@@ -28,6 +28,7 @@ elasticfleet:
- aws - aws
- azure - azure
- cloudflare - cloudflare
- endpoint
- fim - fim
- github - github
- google_workspace - google_workspace
+12 -2
@@ -62,7 +62,11 @@ so-elastic-fleet:
{% endfor %} {% endfor %}
- binds: - binds:
- /etc/pki:/etc/pki:ro - /etc/pki:/etc/pki:ro
{% if GLOBALS.os_family == 'Debian' %}
- /etc/ssl:/etc/ssl:ro
{% endif %}
#- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %} {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }} - {{ BIND }}
@@ -70,14 +74,20 @@ so-elastic-fleet:
{% endif %} {% endif %}
- environment: - environment:
- FLEET_SERVER_ENABLE=true - FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ GLOBALS.node_ip }}:8220 - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200 - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }} - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }} - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
{% if GLOBALS.os_family == 'Debian' %}
- FLEET_CA=/etc/ssl/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
{% else %}
- FLEET_CA=/etc/pki/tls/certs/intca.crt - FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-fleet'].extra_env %} {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %} {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }} - {{ XTRAENV }}
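Review bot: The Debian branch binds the host's whole `/etc/ssl` tree read-only into the Fleet container, although the only path the new environment lines read from it is `/etc/ssl/certs/intca.crt`. On Debian-family hosts that tree commonly also holds a `private` directory, so the narrower `- /etc/ssl/certs:/etc/ssl/certs:ro` gives `FLEET_CA` and `FLEET_SERVER_ELASTICSEARCH_CA` what they need without exposing host key material to the container. The new `/opt/so/log/elasticfleet:/usr/share/elastic-agent/logs` bind is also the only one without a mode suffix; an explicit `:rw` makes the intent visible beside the `:ro` mounts.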
@@ -6,6 +6,12 @@
# this file except in compliance with the Elastic License 2.0. # this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os_family == 'Debian' %}
INTCA=/etc/ssl/certs/intca.crt
{% else %}
INTCA=/etc/pki/tls/certs/intca.crt
{% endif %}
. /usr/sbin/so-elastic-fleet-common . /usr/sbin/so-elastic-fleet-common
printf "\n### Create ES Token ###\n" printf "\n### Create ES Token ###\n"
@@ -13,7 +19,7 @@ ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5
### Create Outputs & Fleet URLs ### ### Create Outputs & Fleet URLs ###
printf "\nAdd Manager Elasticsearch Output...\n" printf "\nAdd Manager Elasticsearch Output...\n"
ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) ESCACRT=$(openssl x509 -in $INTCA)
JSON_STRING=$( jq -n \ JSON_STRING=$( jq -n \
--arg ESCACRT "$ESCACRT" \ --arg ESCACRT "$ESCACRT" \
'{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' ) '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
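Review bot: `$INTCA` is expanded unquoted in `openssl x509 -in $INTCA` here and again on the `LOGSTASHCA=` line in the next hunk; the value is a fixed template path today, but `"$INTCA"` is the usual shell hygiene and protects the call if the rendered value ever contains spaces. Neither assignment checks that the file exists, so a missing CA likely leaves `ESCACRT`/`LOGSTASHCA` empty and registers a Fleet output with no certificate authority; a guard such as `[ -r "$INTCA" ] || { echo "missing CA: $INTCA" >&2; exit 1; }` after the `{% endif %}` in the first hunk would fail early instead. The script's option handling and `set` flags are outside the hunk, so whether a failed substitution already aborts the run is not visible here.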
@@ -22,9 +28,9 @@ printf "\n\n"
printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n" printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
{% if grains.role not in ['so-import', 'so-eval'] %} {% if grains.role not in ['so-import', 'so-eval'] %}
LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-agent.crt) LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-agent.key) LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)
LOGSTASHCA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt) LOGSTASHCA=$(openssl x509 -in $INTCA)
JSON_STRING=$( jq -n \ JSON_STRING=$( jq -n \
--arg LOGSTASHCRT "$LOGSTASHCRT" \ --arg LOGSTASHCRT "$LOGSTASHCRT" \
--arg LOGSTASHKEY "$LOGSTASHKEY" \ --arg LOGSTASHKEY "$LOGSTASHKEY" \
+394
@@ -81,6 +81,8 @@ elasticsearch:
managed: true managed: true
composed_of: composed_of:
- "so-data-streams-mappings" - "so-data-streams-mappings"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
- "so-logs-mappings" - "so-logs-mappings"
- "so-logs-settings" - "so-logs-settings"
priority: 225 priority: 225
@@ -1312,6 +1314,398 @@ elasticsearch:
name: elastic_agent name: elastic_agent
managed_by: security_onion managed_by: security_onion
managed: true managed: true
so-logs-endpoint.alerts:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.alerts-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.alerts@custom"
- "logs-endpoint.alerts@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.api:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.api-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.api@custom"
- "logs-endpoint.events.api@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.file:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.file-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.file@custom"
- "logs-endpoint.events.file@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.library:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.library-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.library@custom"
- "logs-endpoint.events.library@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.network:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.network-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.network@custom"
- "logs-endpoint.events.network@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.process:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.process-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.process@custom"
- "logs-endpoint.events.process@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.registry:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.registry-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.registry@custom"
- "logs-endpoint.events.registry@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.security:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.security-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.security@custom"
- "logs-endpoint.events.security@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat: so-logs-elastic_agent.filebeat:
index_sorting: False index_sorting: False
index_template: index_template:
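Review bot: The eight new `so-logs-endpoint.*` entries are identical apart from the dataset name in `index_patterns` and the `@custom`/`@package` entries in `composed_of`, so any future change to retention, field limits or priority becomes an eight-fold edit. If this file is rendered through Jinja (the hunk does not show it), a loop over the dataset names would express the template once; otherwise a YAML anchor for the shared `template`/`policy` body would at least remove the repetition. Each entry also composes `logs-endpoint.<dataset>@package`, which presumably exists only after the Endpoint integration package is installed, so creation order matters and deserves a comment such as `# requires the endpoint package component templates to exist before these are applied`.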
@@ -72,8 +72,12 @@
{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}" } },
{ "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
{ "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
], ],
"on_failure": [ "on_failure": [
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"agent": { "agent": {
@@ -52,69 +12,33 @@
"properties": { "properties": {
"original": { "original": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"ephemeral_id": { "ephemeral_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"@timestamp": { "@timestamp": {
@@ -57,15 +17,9 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"client": { "client": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -66,12 +20,6 @@
"organization": { "organization": {
"properties": { "properties": {
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -84,118 +32,52 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -204,13 +86,7 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -230,63 +106,27 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -294,75 +134,33 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -371,4 +169,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"cloud": { "cloud": {
@@ -52,57 +12,27 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"availability_zone": { "availability_zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"instance": { "instance": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -110,13 +40,7 @@
"properties": { "properties": {
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -124,57 +48,27 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"provider": { "provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"service": { "service": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -183,4 +77,4 @@
} }
} }
} }
} }
@@ -4,81 +4,23 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"container": { "container": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"image": { "image": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -87,27 +29,15 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"runtime": { "runtime": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"cyberarkpas": { "cyberarkpas": {
@@ -52,565 +12,241 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ca_properties": { "ca_properties": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_disabled": { "cpm_disabled": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_error_details": { "cpm_error_details": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpm_status": { "cpm_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creation_method": { "creation_method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"customer": { "customer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"database": { "database": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"device_type": { "device_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dual_account_status": { "dual_account_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"group_name": { "group_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"in_process": { "in_process": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"index": { "index": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_fail_date": { "last_fail_date": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_change": { "last_success_change": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_reconciliation": { "last_success_reconciliation": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_success_verification": { "last_success_verification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"last_task": { "last_task": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logon_domain": { "logon_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"other": { "other": {
"type": "flattened" "type": "flattened"
}, },
"policy_id": { "policy_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"port": { "port": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"privcloud": { "privcloud": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reset_immediately": { "reset_immediately": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"retries_count": { "retries_count": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sequence_id": { "sequence_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user_dn": { "user_dn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user_name": { "user_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_username": { "virtual_username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"desc": { "desc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"extra_details": { "extra_details": {
"properties": { "properties": {
"ad_process_id": { "ad_process_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ad_process_name": { "ad_process_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_type": { "application_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"command": { "command": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"connection_component_id": { "connection_component_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_host": { "dst_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logon_account": { "logon_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"managed_account": { "managed_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"other": { "other": {
"type": "flattened" "type": "flattened"
}, },
"process_id": { "process_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"process_name": { "process_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"psmid": { "psmid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_duration": { "session_duration": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_host": { "src_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"file": { "file": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gateway_station": { "gateway_station": {
"type": "ip" "type": "ip"
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"iso_timestamp": { "iso_timestamp": {
"type": "date" "type": "date"
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"doc_values": false, "doc_values": false,
"ignore_above": 4096, "ignore_above": 4096,
"index": false, "index": false,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message_id": { "message_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pvwa_details": { "pvwa_details": {
"type": "flattened" "type": "flattened"
@@ -619,99 +255,45 @@
"doc_values": false, "doc_values": false,
"ignore_above": 4096, "ignore_above": 4096,
"index": false, "index": false,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"norms": false, "norms": false,
"type": "text", "type": "text"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rfc5424": { "rfc5424": {
"type": "boolean" "type": "boolean"
}, },
"safe": { "safe": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_user": { "source_user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"station": { "station": {
"type": "ip" "type": "ip"
}, },
"target_user": { "target_user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -720,4 +302,4 @@
} }
} }
} }
} }
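Review bot: Removing the `security` multi-field leaves the `location` keyword in the `cyberarkpas` mapping (and the field that opens the `@@ -619,99 +255,45 @@` hunk) with `"index": false`, `"doc_values": false` and no remaining searchable sub-field, so values in those fields cannot be queried at all on indices created from the new template; confirm that is intended, or give them a plain `"text"` sub-field. The same analyzer and sub-field removal is repeated in the sections that follow (the hunks headed `@@ -4,46 +4,6 @@`, `@@ -4,59 +4,13 @@`, `@@ -4,63 +4,17 @@`, `@@ -4,79 +4,23 @@` and `@@ -4,102 +4,32 @@`), and this review applies to them as well. Since `es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter` and `path_tokenizer` are deleted from `settings.analysis`, any other component template that still names one of them in a field mapping will make index creation fail with an unconfigured-analyzer error, so a search across the remaining templates before merge would settle that. Template changes only take effect for indices created afterwards, so existing indices keep the old `*.security` fields until rollover, and any saved search or detection query written against a `.security` field will match on old indices but silently return nothing on new ones.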
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"data_stream": { "data_stream": {
@@ -62,4 +22,4 @@
} }
} }
} }
} }
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"destination": { "destination": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -66,12 +20,6 @@
"organization": { "organization": {
"properties": { "properties": {
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -84,118 +32,52 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -204,13 +86,7 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -230,63 +106,27 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -294,75 +134,33 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -371,4 +169,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dll": { "dll": {
@@ -52,56 +12,26 @@
"properties": { "properties": {
"digest_algorithm": { "digest_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"exists": { "exists": {
"type": "boolean" "type": "boolean"
}, },
"signing_id": { "signing_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject_name": { "subject_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"team_id": { "team_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -118,147 +48,63 @@
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha512": { "sha512": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ssdeep": { "ssdeep": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pe": { "pe": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"company": { "company": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_version": { "file_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"imphash": { "imphash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_file_name": { "original_file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -267,4 +113,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dns": { "dns": {
@@ -52,141 +12,63 @@
"properties": { "properties": {
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"data": { "data": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ttl": { "ttl": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
}, },
"header_flags": { "header_flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"op_code": { "op_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"question": { "question": {
"properties": { "properties": {
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -195,27 +77,15 @@
}, },
"response_code": { "response_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,63 +4,17 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"ecs": { "ecs": {
"properties": { "properties": {
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"@timestamp": { "@timestamp": {
@@ -57,15 +17,9 @@
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
@@ -4,79 +4,23 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"error": { "error": {
"properties": { "properties": {
"code": { "code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"type": "match_only_text" "type": "match_only_text"
}, },
"stack_trace": { "stack_trace": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -85,17 +29,11 @@
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,102 +4,32 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"event": { "event": {
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"agent_id_status": { "agent_id_status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"code": { "code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"created": { "created": {
"type": "date" "type": "date"
}, },
"dataset": { "dataset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"duration": { "duration": {
"type": "long" "type": "long"
@@ -109,97 +39,43 @@
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ingested": { "ingested": {
"type": "date" "type": "date"
}, },
"kind": { "kind": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original": { "original": {
"doc_values": false, "doc_values": false,
"index": false, "index": false,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"outcome": { "outcome": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"provider": { "provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"risk_score": { "risk_score": {
"type": "float" "type": "float"
@@ -218,37 +94,19 @@
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -53,68 +13,32 @@
}, },
"attributes": { "attributes": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"code_signature": { "code_signature": {
"properties": { "properties": {
"digest_algorithm": { "digest_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"exists": { "exists": {
"type": "boolean" "type": "boolean"
}, },
"signing_id": { "signing_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject_name": { "subject_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"team_id": { "team_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -135,65 +59,29 @@
}, },
"device": { "device": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"directory": { "directory": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"drive_letter": { "drive_letter": {
"ignore_above": 1, "ignore_above": 1,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"elf": { "elf": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"byte_order": { "byte_order": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpu_type": { "cpu_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creation_date": { "creation_date": {
"type": "date" "type": "date"
@@ -205,76 +93,34 @@
"properties": { "properties": {
"abi_version": { "abi_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"class": { "class": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"data": { "data": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entrypoint": { "entrypoint": {
"type": "long" "type": "long"
}, },
"object_version": { "object_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os_abi": { "os_abi": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -291,46 +137,22 @@
}, },
"flags": { "flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"physical_offset": { "physical_offset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"physical_size": { "physical_size": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_address": { "virtual_address": {
"type": "long" "type": "long"
@@ -345,203 +167,89 @@
"properties": { "properties": {
"sections": { "sections": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "nested" "type": "nested"
}, },
"shared_libraries": { "shared_libraries": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"telfhash": { "telfhash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"extension": { "extension": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fork_name": { "fork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gid": { "gid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"group": { "group": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha512": { "sha512": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ssdeep": { "ssdeep": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"inode": { "inode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mode": { "mode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mtime": { "mtime": {
"type": "date" "type": "date"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"owner": { "owner": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -549,73 +257,31 @@
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"company": { "company": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_version": { "file_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"imphash": { "imphash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_file_name": { "original_file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -623,118 +289,52 @@
"type": "long" "type": "long"
}, },
"target_path": { "target_path": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uid": { "uid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -746,23 +346,11 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -774,107 +362,47 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -883,4 +411,4 @@
} }
} }
} }
} }
File diff suppressed because it is too large Load Diff
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"gcp": { "gcp": {
@@ -54,35 +14,17 @@
"properties": { "properties": {
"authority_selector": { "authority_selector": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"principal_email": { "principal_email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"method_name": { "method_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"num_response_items": { "num_response_items": {
"type": "long" "type": "long"
@@ -91,43 +33,19 @@
"properties": { "properties": {
"filter": { "filter": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"proto_name": { "proto_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource_name": { "resource_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -138,13 +56,7 @@
}, },
"caller_supplied_user_agent": { "caller_supplied_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -152,25 +64,13 @@
"properties": { "properties": {
"current_locations": { "current_locations": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"resource_name": { "resource_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"response": { "response": {
"properties": { "properties": {
@@ -178,77 +78,35 @@
"properties": { "properties": {
"group": { "group": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"kind": { "kind": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uid": { "uid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"proto_name": { "proto_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"service_name": { "service_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"properties": { "properties": {
@@ -257,25 +115,13 @@
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -285,33 +131,15 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -319,33 +147,15 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subnetwork_name": { "subnetwork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vpc_name": { "vpc_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -357,96 +167,42 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"destination_range": { "destination_range": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"direction": { "direction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_range": { "source_range": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_service_account": { "source_service_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_tag": { "source_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target_service_account": { "target_service_account": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target_tag": { "target_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -458,33 +214,15 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region": { "region": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -492,33 +230,15 @@
"properties": { "properties": {
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subnetwork_name": { "subnetwork_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vpc_name": { "vpc_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -528,13 +248,7 @@
"properties": { "properties": {
"reporter": { "reporter": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rtt": { "rtt": {
"properties": { "properties": {
@@ -550,4 +264,4 @@
} }
} }
} }
} }
@@ -4,83 +4,25 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"group": { "group": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
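Review bot: Dropping the `security` text subfield and the `es_security_analyzer` settings block from this template silently changes how these keyword fields match: the removed analyzer (keyword tokenizer with `lowercase` and `trim`) provided case-insensitive, whitespace-tolerant matching, and a query on a `.security` subfield against a newly created index now returns no hits rather than an error. Any saved search, dashboard or detection rule that references a `.security` subfield should be audited before this ships; the same change is made in the sections that follow whose mappings define `host`, `http`, `juniper` and `kibana`, so this note covers those too. Indices created before the template update keep the old mapping, so queries spanning old and new indices may behave inconsistently until rollover, and a line in the commit description saying that case-insensitive matching must now be requested per query (for example the `case_insensitive` option on term and wildcard queries) would help operators. If any other template composed with these still references `es_security_analyzer`, `path_tokenizer` or `path_hierarchy_pattern_filter`, index creation would fail with an unknown-analyzer error, which is worth a quick grep of the remaining templates.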
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"host": { "host": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cpu": { "cpu": {
"properties": { "properties": {
@@ -86,163 +40,73 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"network": { "network": {
"properties": { "properties": {
@@ -272,85 +136,37 @@
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uptime": { "uptime": {
"type": "long" "type": "long"
@@ -359,31 +175,13 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -391,75 +189,33 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -468,4 +224,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"http": { "http": {
@@ -57,10 +17,6 @@
}, },
"content": { "content": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -74,43 +30,19 @@
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"method": { "method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"referrer": { "referrer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -123,10 +55,6 @@
}, },
"content": { "content": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -140,13 +68,7 @@
}, },
"mime_type": { "mime_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status_code": { "status_code": {
"type": "long" "type": "long"
@@ -155,17 +77,11 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"juniper": { "juniper": {
@@ -52,113 +12,47 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"action_detail": { "action_detail": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"alert": { "alert": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"apbr_rule_type": { "apbr_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application": { "application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_category": { "application_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_characteristics": { "application_characteristics": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_name": { "application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_sub_category": { "application_sub_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"attack_name": { "attack_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"client_ip": { "client_ip": {
"type": "ip" "type": "ip"
@@ -168,181 +62,85 @@
}, },
"connection_tag": { "connection_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_hit_rate": { "context_hit_rate": {
"type": "long" "type": "long"
}, },
"context_name": { "context_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_value": { "context_value": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"context_value_hit_rate": { "context_value_hit_rate": {
"type": "long" "type": "long"
}, },
"ddos_application_name": { "ddos_application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dscp_value": { "dscp_value": {
"type": "long" "type": "long"
}, },
"dst_nat_rule_name": { "dst_nat_rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_nat_rule_type": { "dst_nat_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dst_vrf_grp": { "dst_vrf_grp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"elapsed_time": { "elapsed_time": {
"type": "date" "type": "date"
}, },
"encrypted": { "encrypted": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"epoch_time": { "epoch_time": {
"type": "date" "type": "date"
}, },
"error_code": { "error_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"error_message": { "error_message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"export_id": { "export_id": {
"type": "long" "type": "long"
}, },
"feed_name": { "feed_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_category": { "file_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_hash_lookup": { "file_hash_lookup": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"file_name": { "file_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"filename": { "filename": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"icmp_type": { "icmp_type": {
"type": "long" "type": "long"
@@ -355,93 +153,39 @@
}, },
"index": { "index": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logical_system_name": { "logical_system_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"malware_info": { "malware_info": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message": { "message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"message_type": { "message_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat_connection_tag": { "nat_connection_tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nested_application": { "nested_application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"obj": { "obj": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"occur_count": { "occur_count": {
"type": "long" "type": "long"
@@ -463,13 +207,7 @@
}, },
"peer_session_id": { "peer_session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"peer_source_address": { "peer_source_address": {
"type": "ip" "type": "ip"
@@ -479,286 +217,118 @@
}, },
"policy_name": { "policy_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"process": { "process": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"profile": { "profile": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"profile_name": { "profile_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol_id": { "protocol_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol_name": { "protocol_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"repeat_count": { "repeat_count": {
"type": "long" "type": "long"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"routing_instance": { "routing_instance": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rule_name": { "rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ruleebase_name": { "ruleebase_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sample_sha256": { "sample_sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"secure_web_proxy_session_type": { "secure_web_proxy_session_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"service_name": { "service_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_id_32": { "session_id_32": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_nat_rule_name": { "src_nat_rule_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_nat_rule_type": { "src_nat_rule_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"src_vrf_grp": { "src_vrf_grp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sub_category": { "sub_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"temporary_filename": { "temporary_filename": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tenant_id": { "tenant_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"th": { "th": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threat_severity": { "threat_severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"time_count": { "time_count": {
"type": "long" "type": "long"
@@ -768,26 +338,14 @@
}, },
"time_scope": { "time_scope": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uplink_rx_bytes": { "uplink_rx_bytes": {
"type": "long" "type": "long"
@@ -797,36 +355,18 @@
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"verdict_number": { "verdict_number": {
"type": "long" "type": "long"
}, },
"verdict_source": { "verdict_source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -835,4 +375,4 @@
} }
} }
} }
} }
@@ -4,99 +4,29 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"kibana": { "kibana": {
"properties": { "properties": {
"add_to_spaces": { "add_to_spaces": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_provider": { "authentication_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_realm": { "authentication_realm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_type": { "authentication_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"delete_from_spaces": { "delete_from_spaces": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"log": { "log": {
"properties": { "properties": {
@@ -105,83 +35,41 @@
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"lookup_realm": { "lookup_realm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"saved_object": { "saved_object": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"session_id": { "session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"space_id": { "space_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"log": { "log": {
@@ -52,35 +12,17 @@
"properties": { "properties": {
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"level": { "level": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"logger": { "logger": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"origin": { "origin": {
"properties": { "properties": {
@@ -91,38 +33,20 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"function": { "function": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"original": { "original": {
"doc_values": false, "doc_values": false,
"index": false, "index": false,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"syslog": { "syslog": {
"properties": { "properties": {
@@ -133,13 +57,7 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -153,13 +71,7 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -171,4 +83,4 @@
} }
} }
} }
} }
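Review bot: Dropping the `security` multi-field and its `es_security_analyzer` settings from this template only changes the mapping of indices created after the template is reapplied; backing indices that already exist keep the old mapping, so until they roll over the same `*.security` subfield is present in some indices and absent in others, and a query on it quietly returns partial results instead of an error. Any saved search, dashboard or detection rule that targets a `.security` subfield should be updated in the same change, because the new indices have nothing at that path. The removed analyzer also supplied `lowercase` and `trim` normalisation, so if anything relied on case-insensitive matching against these keyword fields it now needs a keyword `normalizer` in the mapping or `case_insensitive: true` on the term/wildcard query. The logstash, microsoft, netflow and network templates further down carry the identical change and the same notes apply there.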
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"logstash": { "logstash": {
@@ -54,44 +14,20 @@
"properties": { "properties": {
"action": { "action": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pipeline_id": { "pipeline_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"thread": { "thread": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -100,42 +36,18 @@
"slowlog": { "slowlog": {
"properties": { "properties": {
"event": { "event": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"module": { "module": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"plugin_name": { "plugin_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"plugin_params": { "plugin_params": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -144,21 +56,9 @@
}, },
"plugin_type": { "plugin_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"thread": { "thread": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -172,4 +72,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"microsoft": { "microsoft": {
@@ -52,156 +12,72 @@
"properties": { "properties": {
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"evidence": { "evidence": {
"properties": { "properties": {
"aadUserId": { "aadUserId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"accountName": { "accountName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"domainName": { "domainName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entityType": { "entityType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ipAddress": { "ipAddress": {
"type": "ip" "type": "ip"
}, },
"userPrincipalName": { "userPrincipalName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationId": { "investigationId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"lastUpdateTime": { "lastUpdateTime": {
"type": "date" "type": "date"
}, },
"rbacGroupName": { "rbacGroupName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resolvedTime": { "resolvedTime": {
"type": "date" "type": "date"
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threatFamilyName": { "threatFamilyName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -211,56 +87,26 @@
"properties": { "properties": {
"actorName": { "actorName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"creationTime": { "creationTime": {
"type": "date" "type": "date"
}, },
"detectionSource": { "detectionSource": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"devices": { "devices": {
"type": "flattened" "type": "flattened"
@@ -269,343 +115,145 @@
"properties": { "properties": {
"accountName": { "accountName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"clusterBy": { "clusterBy": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deliveryAction": { "deliveryAction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deviceId": { "deviceId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"entityType": { "entityType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ipAddress": { "ipAddress": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mailboxAddress": { "mailboxAddress": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mailboxDisplayName": { "mailboxDisplayName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"recipient": { "recipient": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryHive": { "registryHive": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryKey": { "registryKey": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registryValueType": { "registryValueType": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"securityGroupId": { "securityGroupId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"securityGroupName": { "securityGroupName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sender": { "sender": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationId": { "investigationId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"lastUpdatedTime": { "lastUpdatedTime": {
"type": "date" "type": "date"
}, },
"mitreTechniques": { "mitreTechniques": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resolvedTime": { "resolvedTime": {
"type": "date" "type": "date"
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"threatFamilyName": { "threatFamilyName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"userSid": { "userSid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"assignedTo": { "assignedTo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"determination": { "determination": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"incidentId": { "incidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"incidentName": { "incidentName": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"investigationState": { "investigationState": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"redirectIncidentId": { "redirectIncidentId": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tags": { "tags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -614,4 +262,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"netflow": { "netflow": {
@@ -74,56 +34,26 @@
}, },
"application_category_name": { "application_category_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_description": { "application_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_group_name": { "application_group_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_id": { "application_id": {
"type": "short" "type": "short"
}, },
"application_name": { "application_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"application_sub_category_name": { "application_sub_category_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"bgp_destination_as_number": { "bgp_destination_as_number": {
"type": "long" "type": "long"
@@ -154,13 +84,7 @@
}, },
"class_name": { "class_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification_engine_id": { "classification_engine_id": {
"type": "short" "type": "short"
@@ -227,13 +151,7 @@
}, },
"destination_mac_address": { "destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"destination_transport_port": { "destination_transport_port": {
"type": "long" "type": "long"
@@ -264,26 +182,14 @@
}, },
"dot1q_customer_destination_mac_address": { "dot1q_customer_destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dot1q_customer_priority": { "dot1q_customer_priority": {
"type": "short" "type": "short"
}, },
"dot1q_customer_source_mac_address": { "dot1q_customer_source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dot1q_customer_vlan_id": { "dot1q_customer_vlan_id": {
"type": "long" "type": "long"
@@ -347,13 +253,7 @@
}, },
"encrypted_technology": { "encrypted_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"engine_id": { "engine_id": {
"type": "short" "type": "short"
@@ -398,13 +298,7 @@
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_id": { "source_id": {
"type": "long" "type": "long"
@@ -572,76 +466,34 @@
}, },
"http_content_type": { "http_content_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_message_version": { "http_message_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_reason_phrase": { "http_reason_phrase": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_host": { "http_request_host": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_method": { "http_request_method": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_request_target": { "http_request_target": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http_status_code": { "http_status_code": {
"type": "long" "type": "long"
}, },
"http_user_agent": { "http_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"icmp_code_ipv4": { "icmp_code_ipv4": {
"type": "short" "type": "short"
@@ -684,13 +536,7 @@
}, },
"information_element_description": { "information_element_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"information_element_id": { "information_element_id": {
"type": "long" "type": "long"
@@ -700,13 +546,7 @@
}, },
"information_element_name": { "information_element_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"information_element_range_begin": { "information_element_range_begin": {
"type": "long" "type": "long"
@@ -749,23 +589,11 @@
}, },
"interface_description": { "interface_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"interface_name": { "interface_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"intermediate_process_id": { "intermediate_process_id": {
"type": "long" "type": "long"
@@ -913,13 +741,7 @@
}, },
"metro_evc_id": { "metro_evc_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"metro_evc_type": { "metro_evc_type": {
"type": "short" "type": "short"
@@ -932,59 +754,29 @@
}, },
"mib_context_name": { "mib_context_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_index_indicator": { "mib_index_indicator": {
"type": "long" "type": "long"
}, },
"mib_module_name": { "mib_module_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_description": { "mib_object_description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_identifier": { "mib_object_identifier": {
"type": "short" "type": "short"
}, },
"mib_object_name": { "mib_object_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_syntax": { "mib_object_syntax": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mib_object_value_bits": { "mib_object_value_bits": {
"type": "short" "type": "short"
@@ -1042,23 +834,11 @@
}, },
"mobile_imsi": { "mobile_imsi": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mobile_msisdn": { "mobile_msisdn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"monitoring_interval_end_milli_seconds": { "monitoring_interval_end_milli_seconds": {
"type": "date" "type": "date"
@@ -1149,13 +929,7 @@
}, },
"nat_pool_name": { "nat_pool_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat_quota_exceeded_event": { "nat_quota_exceeded_event": {
"type": "long" "type": "long"
@@ -1189,13 +963,7 @@
}, },
"observation_domain_name": { "observation_domain_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"observation_point_id": { "observation_point_id": {
"type": "long" "type": "long"
@@ -1253,13 +1021,7 @@
}, },
"p2p_technology": { "p2p_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"packet_delta_count": { "packet_delta_count": {
"type": "long" "type": "long"
@@ -1290,13 +1052,7 @@
}, },
"post_destination_mac_address": { "post_destination_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"post_dot1q_customer_vlan_id": { "post_dot1q_customer_vlan_id": {
"type": "long" "type": "long"
@@ -1372,13 +1128,7 @@
}, },
"post_source_mac_address": { "post_source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"post_vlan_id": { "post_vlan_id": {
"type": "long" "type": "long"
@@ -1430,13 +1180,7 @@
}, },
"sampler_name": { "sampler_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sampler_random_interval": { "sampler_random_interval": {
"type": "long" "type": "long"
@@ -1503,13 +1247,7 @@
}, },
"selector_name": { "selector_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_scope": { "session_scope": {
"type": "short" "type": "short"
@@ -1534,13 +1272,7 @@
}, },
"source_mac_address": { "source_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"source_transport_port": { "source_transport_port": {
"type": "long" "type": "long"
@@ -1556,13 +1288,7 @@
}, },
"sta_mac_address": { "sta_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"system_init_time_milliseconds": { "system_init_time_milliseconds": {
"type": "date" "type": "date"
@@ -1629,23 +1355,11 @@
}, },
"tunnel_technology": { "tunnel_technology": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"udp_destination_port": { "udp_destination_port": {
"type": "long" "type": "long"
@@ -1661,13 +1375,7 @@
}, },
"user_name": { "user_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"value_distribution_method": { "value_distribution_method": {
"type": "short" "type": "short"
@@ -1677,23 +1385,11 @@
}, },
"virtual_station_interface_name": { "virtual_station_interface_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_station_name": { "virtual_station_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"virtual_station_uuid": { "virtual_station_uuid": {
"type": "short" "type": "short"
@@ -1706,40 +1402,22 @@
}, },
"vr_fname": { "vr_fname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"wlan_channel_id": { "wlan_channel_id": {
"type": "short" "type": "short"
}, },
"wlan_ssid": { "wlan_ssid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"wtp_mac_address": { "wtp_mac_address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,95 +4,31 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"network": { "network": {
"properties": { "properties": {
"application": { "application": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"bytes": { "bytes": {
"type": "long" "type": "long"
}, },
"community_id": { "community_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"direction": { "direction": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"forwarded_ip": { "forwarded_ip": {
"type": "ip" "type": "ip"
}, },
"iana_number": { "iana_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"inner": { "inner": {
"properties": { "properties": {
@@ -100,23 +36,11 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -125,68 +49,32 @@
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"packets": { "packets": {
"type": "long" "type": "long"
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"transport": { "transport": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vlan": { "vlan": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -195,4 +83,4 @@
} }
} }
} }
} }
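Review bot: Dropping the `security` text sub-field from every keyword in this network template (together with the `settings.analysis` block that defined `es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter` and `path_tokenizer`) silently breaks any saved search, dashboard or detection rule that queries `network.<field>.security`, and matching on these fields becomes exact-case again because the lowercase/trim analyzer no longer applies. The same removal is made in the observer, okta, orchestrator, organization, package, redis and registry template sections below, and two further sections are collapsed as too large to display, so they could not be reviewed here. Before merge it is worth a repository-wide search for `es_security_analyzer`, `path_tokenizer` and `.security` to confirm nothing still references them — a surviving reference in a sibling component template would presumably make index creation from the composed template fail, though that depends on files outside this diff. The commit message does not mention the mapping change; a line such as `Remove the .security text sub-fields and custom analyzer from the ECS component templates; queries must target the keyword field directly` would help anyone tracing the behaviour change.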
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"observer": { "observer": {
@@ -54,33 +14,15 @@
"properties": { "properties": {
"alias": { "alias": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -88,35 +30,17 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
@@ -125,118 +49,52 @@
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hostname": { "hostname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ingress": { "ingress": {
"properties": { "properties": {
@@ -244,33 +102,15 @@
"properties": { "properties": {
"alias": { "alias": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -278,35 +118,17 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
}, },
"type": "object" "type": "object"
@@ -316,151 +138,67 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"product": { "product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"okta": { "okta": {
@@ -52,43 +12,19 @@
"properties": { "properties": {
"alternate_id": { "alternate_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"display_name": { "display_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -96,56 +32,26 @@
"properties": { "properties": {
"authentication_provider": { "authentication_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"authentication_step": { "authentication_step": {
"type": "long" "type": "long"
}, },
"credential_provider": { "credential_provider": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"credential_type": { "credential_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"external_session_id": { "external_session_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"interface": { "interface": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -153,23 +59,11 @@
"properties": { "properties": {
"device": { "device": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
@@ -178,45 +72,21 @@
"properties": { "properties": {
"browser": { "browser": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"raw_user_agent": { "raw_user_agent": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"zone": { "zone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -226,75 +96,33 @@
"properties": { "properties": {
"device_fingerprint": { "device_fingerprint": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"request_id": { "request_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"request_uri": { "request_uri": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"suspicious_activity": { "suspicious_activity": {
"properties": { "properties": {
"browser": { "browser": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_city": { "event_city": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_country": { "event_country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_id": { "event_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_ip": { "event_ip": {
"type": "ip" "type": "ip"
@@ -307,43 +135,19 @@
}, },
"event_state": { "event_state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_transaction_id": { "event_transaction_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"os": { "os": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timestamp": { "timestamp": {
"type": "date" "type": "date"
@@ -352,23 +156,11 @@
}, },
"threat_suspected": { "threat_suspected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -376,45 +168,21 @@
}, },
"display_message": { "display_message": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"outcome": { "outcome": {
"properties": { "properties": {
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"result": { "result": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -426,46 +194,22 @@
"properties": { "properties": {
"city": { "city": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geolocation": { "geolocation": {
"type": "geo_point" "type": "geo_point"
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -474,23 +218,11 @@
}, },
"source": { "source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -507,13 +239,7 @@
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -521,38 +247,20 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"is_proxy": { "is_proxy": {
"type": "boolean" "type": "boolean"
}, },
"isp": { "isp": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target": { "target": {
"type": "flattened" "type": "flattened"
@@ -561,49 +269,25 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"uuid": { "uuid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,151 +4,57 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"orchestrator": { "orchestrator": {
"properties": { "properties": {
"api_version": { "api_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cluster": { "cluster": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"url": { "url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"namespace": { "namespace": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resource": { "resource": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,67 +4,15 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"organization": { "organization": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -73,4 +21,4 @@
} }
} }
} }
} }
@@ -4,169 +4,63 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"package": { "package": {
"properties": { "properties": {
"architecture": { "architecture": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"build_version": { "build_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"checksum": { "checksum": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"install_scope": { "install_scope": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"installed": { "installed": {
"type": "date" "type": "date"
}, },
"license": { "license": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"size": { "size": {
"type": "long" "type": "long"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"redis": { "redis": {
@@ -52,13 +12,7 @@
"properties": { "properties": {
"role": { "role": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -66,23 +20,11 @@
"properties": { "properties": {
"args": { "args": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cmd": { "cmd": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"duration": { "duration": {
"properties": { "properties": {
@@ -96,13 +38,7 @@
}, },
"key": { "key": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -111,4 +47,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"registry": { "registry": {
@@ -52,72 +12,36 @@
"properties": { "properties": {
"bytes": { "bytes": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"strings": { "strings": {
"type": "wildcard" "type": "wildcard"
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hive": { "hive": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"key": { "key": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"value": { "value": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,86 +4,28 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"related": { "related": {
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hosts": { "hosts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ip": { "ip": {
"type": "ip" "type": "ip"
}, },
"user": { "user": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,153 +4,53 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule": { "rule": {
"properties": { "properties": {
"author": { "author": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"license": { "license": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ruleset": { "ruleset": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"uuid": { "uuid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"server": { "server": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -66,12 +20,6 @@
"organization": { "organization": {
"properties": { "properties": {
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -84,118 +32,52 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -204,13 +86,7 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -230,63 +106,27 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -294,75 +134,33 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -371,4 +169,4 @@
} }
} }
} }
} }
@@ -4,147 +4,53 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"service": { "service": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"environment": { "environment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ephemeral_id": { "ephemeral_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"node": { "node": {
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"snyk": { "snyk": {
@@ -55,23 +15,11 @@
}, },
"org_id": { "org_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"project_id": { "project_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -82,13 +30,7 @@
"properties": { "properties": {
"projects": { "projects": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -96,68 +38,32 @@
"properties": { "properties": {
"credit": { "credit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss3": { "cvss3": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"disclosure_time": { "disclosure_time": {
"type": "date" "type": "date"
}, },
"exploit_maturity": { "exploit_maturity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"identifiers": { "identifiers": {
"properties": { "properties": {
"alternative": { "alternative": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cwe": { "cwe": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -184,46 +90,22 @@
}, },
"jira_issue_url": { "jira_issue_url": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"language": { "language": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original_severity": { "original_severity": {
"type": "long" "type": "long"
}, },
"package": { "package": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"package_manager": { "package_manager": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"patches": { "patches": {
"type": "flattened" "type": "flattened"
@@ -236,56 +118,26 @@
}, },
"reachability": { "reachability": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"semver": { "semver": {
"type": "flattened" "type": "flattened"
}, },
"title": { "title": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"unique_severities_list": { "unique_severities_list": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -294,4 +146,4 @@
} }
} }
} }
} }
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"source": { "source": {
"properties": { "properties": {
"address": { "address": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"as": { "as": {
"properties": { "properties": {
@@ -66,12 +20,6 @@
"organization": { "organization": {
"properties": { "properties": {
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
} }
@@ -84,118 +32,52 @@
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"geo": { "geo": {
"properties": { "properties": {
"city_name": { "city_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_code": { "continent_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"continent_name": { "continent_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_iso_code": { "country_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country_name": { "country_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"location": { "location": {
"type": "geo_point" "type": "geo_point"
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"postal_code": { "postal_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_iso_code": { "region_iso_code": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"region_name": { "region_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"timezone": { "timezone": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -204,13 +86,7 @@
}, },
"mac": { "mac": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"nat": { "nat": {
"properties": { "properties": {
@@ -230,63 +106,27 @@
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"user": { "user": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -294,75 +134,33 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -371,4 +169,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"suricata": { "suricata": {
@@ -54,268 +14,118 @@
"properties": { "properties": {
"affected_product": { "affected_product": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"attack_target": { "attack_target": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"capec_id": { "capec_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classtype": { "classtype": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"created_at": { "created_at": {
"type": "date" "type": "date"
}, },
"cve": { "cve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v2_base": { "cvss_v2_base": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v2_temporal": { "cvss_v2_temporal": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v3_base": { "cvss_v3_base": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cvss_v3_temporal": { "cvss_v3_temporal": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"cwe_id": { "cwe_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"deployment": { "deployment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"former_category": { "former_category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"gid": { "gid": {
"type": "long" "type": "long"
}, },
"hostile": { "hostile": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"infected": { "infected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"malware": { "malware": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"metadata": { "metadata": {
"type": "flattened" "type": "flattened"
}, },
"mitre_tool_id": { "mitre_tool_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"performance_impact": { "performance_impact": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocols": { "protocols": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rev": { "rev": {
"type": "long" "type": "long"
}, },
"rule_source": { "rule_source": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sid": { "sid": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature": { "signature": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_id": { "signature_id": {
"type": "long" "type": "long"
}, },
"signature_severity": { "signature_severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tag": { "tag": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"updated_at": { "updated_at": {
"type": "date" "type": "date"
@@ -324,43 +134,19 @@
}, },
"app_proto_expected": { "app_proto_expected": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_orig": { "app_proto_orig": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_tc": { "app_proto_tc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"app_proto_ts": { "app_proto_ts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"dns": { "dns": {
"properties": { "properties": {
@@ -369,43 +155,19 @@
}, },
"rcode": { "rcode": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rdata": { "rdata": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rrname": { "rrname": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rrtype": { "rrtype": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ttl": { "ttl": {
"type": "long" "type": "long"
@@ -415,13 +177,7 @@
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -429,25 +185,13 @@
"properties": { "properties": {
"status": { "status": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"event_type": { "event_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fileinfo": { "fileinfo": {
"properties": { "properties": {
@@ -456,43 +200,19 @@
}, },
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"stored": { "stored": {
"type": "boolean" "type": "boolean"
@@ -512,67 +232,31 @@
}, },
"reason": { "reason": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"flow_id": { "flow_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"http": { "http": {
"properties": { "properties": {
"http_content_type": { "http_content_type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"protocol": { "protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"redirect": { "redirect": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -584,13 +268,7 @@
}, },
"in_iface": { "in_iface": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"pcap_cnt": { "pcap_cnt": {
"type": "long" "type": "long"
@@ -599,33 +277,15 @@
"properties": { "properties": {
"helo": { "helo": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"mail_from": { "mail_from": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"rcpt_to": { "rcpt_to": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -635,23 +295,11 @@
"properties": { "properties": {
"proto_version": { "proto_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"software_version": { "software_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -659,23 +307,11 @@
"properties": { "properties": {
"proto_version": { "proto_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"software_version": { "software_version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -1121,46 +757,22 @@
}, },
"state": { "state": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"syn": { "syn": {
"type": "boolean" "type": "boolean"
}, },
"tcp_flags": { "tcp_flags": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tcp_flags_tc": { "tcp_flags_tc": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"tcp_flags_ts": { "tcp_flags_ts": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -1168,45 +780,21 @@
"properties": { "properties": {
"fingerprint": { "fingerprint": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuerdn": { "issuerdn": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3": { "ja3": {
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"string": { "string": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -1214,23 +802,11 @@
"properties": { "properties": {
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"string": { "string": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -1242,46 +818,22 @@
}, },
"serial": { "serial": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"session_resumed": { "session_resumed": {
"type": "boolean" "type": "boolean"
}, },
"sni": { "sni": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -1295,4 +847,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"syslog": { "syslog": {
@@ -53,30 +13,18 @@
}, },
"facility_label": { "facility_label": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"severity_label": { "severity_label": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
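Review bot: Removing `settings.analysis` here (and likewise in the tls, span/trace, url and user templates further down this page) deletes the `es_security_analyzer`, `whitespace_no_way`, `path_hierarchy_pattern_filter` and `path_tokenizer` definitions, so any field that still names one of them — in the file whose diff is suppressed on this page, or in another component template composed into the same index template — makes the template fail to install rather than degrade quietly; a grep for `es_security_analyzer` across the remaining templates before merge would rule that out. Saved searches, dashboards or detection content that target the dropped `.security` subfields (e.g. `syslog.facility_label.security`) would presumably stop matching silently rather than error, which is worth calling out in the release notes. If case-insensitive matching on these keywords is still wanted anywhere, a keyword `normalizer` on the primary field keeps that behaviour without reintroducing a duplicated text subfield.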
@@ -4,135 +4,47 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"tls": { "tls": {
"properties": { "properties": {
"cipher": { "cipher": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"client": { "client": {
"properties": { "properties": {
"certificate": { "certificate": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"certificate_chain": { "certificate_chain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3": { "ja3": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"not_after": { "not_after": {
"type": "date" "type": "date"
@@ -142,117 +54,51 @@
}, },
"server_name": { "server_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"supported_ciphers": { "supported_ciphers": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -264,23 +110,11 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -292,107 +126,47 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -400,26 +174,14 @@
}, },
"curve": { "curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"established": { "established": {
"type": "boolean" "type": "boolean"
}, },
"next_protocol": { "next_protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"resumed": { "resumed": {
"type": "boolean" "type": "boolean"
@@ -428,77 +190,35 @@
"properties": { "properties": {
"certificate": { "certificate": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"certificate_chain": { "certificate_chain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"hash": { "hash": {
"properties": { "properties": {
"md5": { "md5": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha1": { "sha1": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"sha256": { "sha256": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"issuer": { "issuer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"ja3s": { "ja3s": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"not_after": { "not_after": {
"type": "date" "type": "date"
@@ -508,97 +228,43 @@
}, },
"subject": { "subject": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"x509": { "x509": {
"properties": { "properties": {
"alternative_names": { "alternative_names": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"issuer": { "issuer": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -610,23 +276,11 @@
}, },
"public_key_algorithm": { "public_key_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_curve": { "public_key_curve": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"public_key_exponent": { "public_key_exponent": {
"doc_values": false, "doc_values": false,
@@ -638,107 +292,47 @@
}, },
"serial_number": { "serial_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"signature_algorithm": { "signature_algorithm": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subject": { "subject": {
"properties": { "properties": {
"common_name": { "common_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"country": { "country": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"distinguished_name": { "distinguished_name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"locality": { "locality": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organization": { "organization": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"organizational_unit": { "organizational_unit": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"state_or_province": { "state_or_province": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version_number": { "version_number": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -746,27 +340,15 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version_protocol": { "version_protocol": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,59 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"span": { "span": {
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -64,13 +18,7 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -78,17 +26,11 @@
"properties": { "properties": {
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,86 +4,24 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"url": { "url": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"extension": { "extension": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"fragment": { "fragment": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -92,10 +30,6 @@
}, },
"original": { "original": {
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": { "text": {
"type": "match_only_text" "type": "match_only_text"
} }
@@ -104,13 +38,7 @@
}, },
"password": { "password": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"path": { "path": {
"type": "wildcard" "type": "wildcard"
@@ -120,67 +48,31 @@
}, },
"query": { "query": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"registered_domain": { "registered_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"scheme": { "scheme": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"subdomain": { "subdomain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"top_level_domain": { "top_level_domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"username": { "username": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
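Review bot: `url.password` (the `"password"` field in this section) remains a searchable `keyword` in the new mapping, so any credentials that appear in captured URLs are indexed verbatim, and the same values also land in `url.full` and `url.original`, which keep their `match_only_text` subfields. This is ECS-conformant and not introduced by the commit, but since the template is being reworked it is worth deciding deliberately whether that field should be indexed at all — `"index": false` together with `"doc_values": false` on the field, or masking the value at ingest, would limit exposure of credentials in the index — and recording that decision where the template is documented.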
@@ -4,79 +4,25 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user": { "user": {
"properties": { "properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"changes": { "changes": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -84,117 +30,51 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"effective": { "effective": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -202,95 +82,41 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -298,105 +124,41 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"target": { "target": {
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"email": { "email": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full_name": { "full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -404,75 +166,29 @@
"properties": { "properties": {
"domain": { "domain": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"hash": { "hash": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"roles": { "roles": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
@@ -481,4 +197,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user_agent": { "user_agent": {
@@ -52,33 +12,15 @@
"properties": { "properties": {
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"original": { "original": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
@@ -86,89 +28,41 @@
"properties": { "properties": {
"family": { "family": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"full": { "full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"kernel": { "kernel": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"name": { "name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"platform": { "platform": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"type": { "type": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -4,131 +4,43 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"vulnerability": { "vulnerability": {
"properties": { "properties": {
"category": { "category": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"classification": { "classification": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"description": { "description": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword" "type": "keyword"
}, },
"enumeration": { "enumeration": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"id": { "id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"reference": { "reference": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"report_id": { "report_id": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}, },
"scanner": { "scanner": {
"properties": { "properties": {
"vendor": { "vendor": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
@@ -145,29 +57,17 @@
}, },
"version": { "version": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
}, },
"severity": { "severity": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
} }
} }
} }
} }
} }
} }
} }
@@ -1,67 +1,45 @@
{ {
"template": { "template": {
"settings": { "settings": {
"analysis": { "index": {
"analyzer": { "final_pipeline": ".fleet_final_pipeline-1"
"es_security_analyzer": { }
"type": "custom", },
"char_filter": [ "mappings": {
"whitespace_no_way" "properties": {
], "event": {
"filter": [ "properties": {
"lowercase", "agent_id": {
"trim" "ignore_above": 1024,
], "type": "keyword"
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}, },
"index": { "agent_id_status": {
"final_pipeline": ".fleet_final_pipeline-1" "ignore_above": 1024,
} "type": "keyword"
}, },
"mappings": { "ingested": {
"properties": { "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"event": { "type": "date"
"properties": {
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis",
"type": "date"
}
}
}
} }
} }
}, },
"_meta": { "tags": {
"managed_by": "fleet", "ignore_above": 1024,
"managed": true "type": "keyword"
},
"network.initiated": {
"ignore_above": 1024,
"type": "keyword"
},
"destination.ipv6": {
"ignore_above": 1024,
"type": "keyword"
} }
} }
}
},
"_meta": {
"managed_by": "fleet",
"managed": true
}
}
@@ -1,66 +1,26 @@
{ {
"template": { "template": {
"settings": { "mappings": {
"analysis": { "_meta": {
"analyzer": { "managed_by": "security_onion",
"es_security_analyzer": { "managed": true
"type": "custom", },
"char_filter": [ "dynamic_templates": [
"whitespace_no_way" {
], "strings_as_keyword": {
"filter": [ "mapping": {
"lowercase", "ignore_above": 1024,
"trim" "type": "keyword"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"_meta": {
"managed_by": "security_onion",
"managed": true
}, },
"dynamic_templates": [ "match_mapping_type": "string"
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false
} }
},
"_meta": {
"managed_by": "security_onion",
"managed": true
} }
} ],
"date_detection": false
}
},
"_meta": {
"managed_by": "security_onion",
"managed": true
}
}
@@ -1,45 +1,5 @@
{ {
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"so_audit_doc_id": { "so_audit_doc_id": {
@@ -250,4 +210,4 @@
"_meta": { "_meta": {
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
} }
} }
@@ -1,58 +1,7 @@
{ {
"template": { "template": {},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1, "version": 1,
"_meta": { "_meta": {
"description": "default settings for common Security Onion Cases indices" "description": "default settings for common Security Onion Cases indices"
} }
} }
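Review bot: Collapsing the Cases settings template to `"template": {},` removes `index.mapping.total_fields.limit` (3000), `refresh_interval` (30s), `number_of_shards` (1) and `number_of_replicas` (0) together with the `es_security_analyzer` block, so the template no longer carries any index settings at all. Unless those values are now supplied by another component template, indices built from this one fall back to Elasticsearch defaults — a 1000-field mapping limit, which wide ECS-style documents can exceed and then fail indexing, and one replica, which leaves a single-node deployment permanently yellow. The same emptying is applied to the common Security Onion indices template in the hunk starting `@@ -1,58 +1,7 @@` further down. If the goal is only to drop the custom analyzer, keep the `index` object and remove just its `analysis` member.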
@@ -1,45 +1,5 @@
{ {
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"dynamic_templates": [ "dynamic_templates": [
{ {
@@ -75,17 +35,7 @@
{ {
"strings": { "strings": {
"mapping": { "mapping": {
"type": "text", "type": "keyword"
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
}, },
"match_mapping_type": "string" "match_mapping_type": "string"
} }
@@ -93,4 +43,4 @@
] ]
} }
} }
} }
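Review bot: The rewritten `strings` dynamic template maps every dynamically detected string field as a bare `keyword` with no `ignore_above`, whereas the previous `keyword` subfield carried `ignore_above: 32765`. A string value longer than Lucene's single-term limit (32766 bytes) will now reject the entire document at index time instead of being skipped for that field, which matters for log sources that emit long free-text values. Keeping the bound is a one-line change: `"mapping": { "ignore_above": 32765, "type": "keyword" }`. Note also that dropping the analyzed `text` form means saved searches that relied on full-text matching against dynamically mapped fields will only match exact terms once indices roll over to this template.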
@@ -1,58 +1,7 @@
{ {
"template": { "template": {},
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1, "version": 1,
"_meta": { "_meta": {
"description": "default settings for common Security Onion indices" "description": "default settings for common Security Onion indices"
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"agent": { "agent": {
@@ -52,10 +12,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -65,10 +21,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -78,10 +30,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -91,10 +39,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -104,10 +48,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -118,4 +58,4 @@
} }
} }
} }
} }
@@ -4,55 +4,11 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"message": { "message": {
"type": "match_only_text", "type": "match_only_text",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -62,10 +18,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -74,4 +26,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"client": { "client": {
@@ -52,18 +12,14 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": { "keyword": {
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer" }
},
"keyword": {
"type": "keyword"
}
} }
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"destination": { "destination": {
@@ -54,21 +14,16 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": { "keyword": {
"type": "text", "type": "keyword"
"analyzer": "es_security_analyzer" }
},
"keyword": {
"type": "keyword"
}
} }
} }
} }
} }
} }
} }
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dns": { "dns": {
@@ -54,10 +14,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -70,4 +26,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"ecs": { "ecs": {
@@ -52,10 +12,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -66,4 +22,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"event": { "event": {
@@ -52,10 +12,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -65,10 +21,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -77,10 +29,6 @@
"created": { "created": {
"type": "date", "type": "date",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -90,10 +38,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -102,10 +46,6 @@
"ingested": { "ingested": {
"type": "date", "type": "date",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -115,10 +55,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -128,10 +64,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -141,10 +73,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -154,10 +82,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -167,10 +91,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -181,4 +101,4 @@
} }
} }
} }
} }
@@ -4,53 +4,13 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
"properties": { "properties": {
"accessed": { "accessed": {
"type": "date", "type": "date",
"fields": { "fields": {
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -60,10 +20,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -73,10 +29,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -87,4 +39,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"host": { "host": {
@@ -52,23 +12,15 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
}, },
"name": { "name": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -78,10 +30,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -92,4 +40,4 @@
} }
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"http": { "http": {
@@ -54,10 +14,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -65,16 +21,7 @@
}, },
"referrer": { "referrer": {
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword"
"fields": {
"text": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
}
}
} }
} }
} }
@@ -4,46 +4,6 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"network": { "network": {
@@ -52,10 +12,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -65,10 +21,6 @@
"ignore_above": 1024, "ignore_above": 1024,
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
@@ -79,4 +31,4 @@
} }
} }
} }
} }
