Merge pull request #6794 from Security-Onion-Solutions/kilo

Update field mappings based on Wes' feedback
This commit is contained in:
Jason Ertel
2022-01-07 16:03:05 -05:00
committed by GitHub
2 changed files with 84 additions and 351 deletions


@@ -36,149 +36,86 @@
"@timestamp": {
"type": "date"
},
"kind": {
"type": "keyword",
"ignore_above": 1024
},
"operation": {
"type": "keyword",
"ignore_above": 1024
},
"so_audit_doc_id": {
"type": "keyword",
"ignore_above": 1024
},
"artifact": {
"properties": {
"artifactType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"caseId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"groupId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"groupType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"ioc": {
"type": "boolean"
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"md5": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"mimeType": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"sha1": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"sha256": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"streamId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"streamLength": {
"type": "long"
},
"tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"tlp": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"value": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
"ignore_above": 1024
}
}
}
@@ -187,65 +124,26 @@
"artifactstream": {
"properties": {
"content": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"createTime": {
"type": "date"
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"stream": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
}
}
},
"case": {
"properties": {
"assigneeId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"completeTime": {
"type": "date"
@@ -254,272 +152,107 @@
"type": "date"
},
"description": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"pap": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"priority": {
"type": "long"
},
"severity": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"startTime": {
"type": "date"
},
"status": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"template": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"title": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"tlp": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
}
}
},
"comment": {
"properties": {
"caseId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"description": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"operation": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
"ignore_above": 1024
}
}
},
"related": {
"properties": {
"caseId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "keyword",
"ignore_above": 1024
},
"createTime": {
"type": "date"
},
"fields": {
"properties": {
"@timestamp": {
"type": "date"
},
"event": {
"properties": {
"dataset": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"index": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
"ignore_above": 1024
},
"module": {
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "keyword",
"ignore_above": 1024
}
}
},
"message": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_score": {
"type": "long"
},
"soc_source": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_timestamp": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
"type": "text"
},
"tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timestamp": {
"type": "date"
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
"ignore_above": 1024
}
}
},
"userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"so_audit_doc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
"ignore_above": 1024
}
}
}
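Review bot: The new side of this mapping ends up with two different exact-match conventions for fields of the same role: `value` (L190-L198), `operation` (L436-L445), `kind` (L553-L562) and `so_audit_doc_id` (L574-L583) keep the `text` + `fields.keyword` multi-field with `ignore_above` raised to 1024, `related.message`, `soc_id`, `soc_source`, `tags` and `related.userId` keep the 256 limit, and the `artifact.*`/`case.*` siblings become plain `keyword` at 1024 — the old/new side of each line is inferred from the 256/1024 pairs, since the page carries no markers, so confirm against the raw diff. If one convention is intended, the remaining 256 sub-fields should move to 1024 too; otherwise a term query or aggregation on e.g. `related.message.keyword` silently drops any value longer than 256 characters, because `ignore_above` leaves such values stored but unindexed for that keyword field. The same caveat applies to `artifact.value.keyword` at 1024 for long IoC values such as URLs. Separately, `kind`, `operation` and `so_audit_doc_id` appear as `keyword` at L16-L27 and again as `text` multi-fields at L427, L436, L553 and L574; the nesting is not fully recoverable from the page, but if both land in the same `properties` object the mapping carries duplicate keys, which most JSON parsers resolve last-wins.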


@@ -167,7 +167,7 @@
"eventFields": {{ hunt_eventfields | json }},
"queryBaseFilter": "",
"queryToggleFilters": [
{ "name": "caseExcludeToggle", "filter": "NOT _index:so-case*", "enabled": true }
{ "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true }
],
"queries": {{ hunt_queries | json }},
"actions": {{ menu_actions | json }}
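Review bot: The quoted pattern on L592 may lose its wildcard semantics: if this toggle filter is handed to an Elasticsearch `query_string`, a double-quoted term is parsed as a phrase and the `*` inside it is taken literally rather than expanded, so the exclusion could stop matching and case documents would appear in hunt results again. Escaping the colon instead keeps an unquoted wildcard term, `{ "name": "caseExcludeToggle", "filter": "NOT _index:*\\:so-case*", "enabled": true }` (the backslash is doubled because the value is a JSON string) — worth confirming against how SOC translates `queryToggleFilters` before changing it. The dropped unprefixed `so-case*` form also means any hit returned without a `cluster:` prefix is no longer excluded, if such hits can occur in this deployment. The enclosing JSON object begins before L588 and continues past the hunk.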