Merge pull request #6794 from Security-Onion-Solutions/kilo

Update field mappings based on Wes' feedback
This commit is contained in:
Jason Ertel
2022-01-07 16:03:05 -05:00
committed by GitHub
2 changed files with 84 additions and 351 deletions
@@ -36,149 +36,86 @@
"@timestamp": { "@timestamp": {
"type": "date" "type": "date"
}, },
"kind": {
"type": "keyword",
"ignore_above": 1024
},
"operation": {
"type": "keyword",
"ignore_above": 1024
},
"so_audit_doc_id": {
"type": "keyword",
"ignore_above": 1024
},
"artifact": { "artifact": {
"properties": { "properties": {
"artifactType": { "artifactType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"groupId": { "groupId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"groupType": { "groupType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"ioc": { "ioc": {
"type": "boolean" "type": "boolean"
}, },
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"md5": { "md5": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"mimeType": { "mimeType": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"sha1": { "sha1": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"sha256": { "sha256": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"streamId": { "streamId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"streamLength": { "streamLength": {
"type": "long" "type": "long"
}, },
"tags": { "tags": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tlp": { "tlp": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"value": { "value": {
"type": "text", "type": "text",
"fields": { "fields": {
"keyword": { "keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
} }
@@ -187,65 +124,26 @@
"artifactstream": { "artifactstream": {
"properties": { "properties": {
"content": { "content": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"stream": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
} }
} }
}, },
"case": { "case": {
"properties": { "properties": {
"assigneeId": { "assigneeId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"category": { "category": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"completeTime": { "completeTime": {
"type": "date" "type": "date"
@@ -254,272 +152,107 @@
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"pap": { "pap": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"priority": { "priority": {
"type": "long" "type": "long"
}, },
"severity": { "severity": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"startTime": { "startTime": {
"type": "date" "type": "date"
}, },
"status": { "status": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tags": { "tags": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"template": { "template": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"title": { "title": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tlp": { "tlp": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
} }
} }
}, },
"comment": { "comment": {
"properties": { "properties": {
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"description": { "description": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"userId": { "userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
}
}
},
"operation": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
} }
} }
}, },
"related": { "related": {
"properties": { "properties": {
"caseId": { "caseId": {
"type": "text", "type": "keyword",
"fields": { "ignore_above": 1024
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"createTime": { "createTime": {
"type": "date" "type": "date"
}, },
"fields": { "fields": {
"properties": { "properties": {
"@timestamp": {
"type": "date"
},
"event": { "event": {
"properties": { "properties": {
"dataset": { "dataset": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"index": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} },
"module": {
"type": "keyword",
"ignore_above": 1024
},
"category": {
"type": "keyword",
"ignore_above": 1024
}
} }
}, },
"message": { "message": {
"type": "text", "type": "text"
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_score": {
"type": "long"
},
"soc_source": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"soc_timestamp": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}, },
"tags": { "tags": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
},
"timestamp": {
"type": "date"
}
}
},
"kind": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
}, },
"userId": { "userId": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword",
"ignore_above": 256
}
}
}
}
},
"so_audit_doc_id": {
"type": "text",
"fields": {
"keyword": {
"type": "keyword", "type": "keyword",
"ignore_above": 256 "ignore_above": 1024
} }
} }
} }
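Review bot: The new `related.fields.properties` mapping in the third hunk (from `"related": {` at L390) now lists only `event.dataset`, `event.module`, `event.category` and `message`, while the old side appears to have carried further copied event fields (`soc_id`, `soc_source`, `soc_timestamp`, `tags`, `timestamp`, `@timestamp`, `index`); the side of several single-copy lines cannot be told from the rendered view, so this is inferred. Unless the `related.fields` object carries a `dynamic` setting (not visible here; the template header is above line 36), any other field copied from an attached event is mapped dynamically, so the case index schema grows with whatever event data analysts attach, which is a mapping-growth risk on an index holding analyst-supplied content. If a fixed schema is intended, `"dynamic": false` on the `related.fields` object keeps unlisted attached fields stored but unindexed; if those fields are meant to stay searchable they should be listed explicitly as the remaining ones are. The top-level `kind`, `operation` and `so_audit_doc_id` keywords added in the first hunk appear to replace per-object `kind` subfields, so it is worth confirming that no saved query or dashboard still relies on the nested paths such as `artifact.kind`.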
+1 -1
@@ -167,7 +167,7 @@
"eventFields": {{ hunt_eventfields | json }}, "eventFields": {{ hunt_eventfields | json }},
"queryBaseFilter": "", "queryBaseFilter": "",
"queryToggleFilters": [ "queryToggleFilters": [
{ "name": "caseExcludeToggle", "filter": "NOT _index:so-case*", "enabled": true } { "name": "caseExcludeToggle", "filter": "NOT _index:\"*:so-case*\"", "enabled": true }
], ],
"queries": {{ hunt_queries | json }}, "queries": {{ hunt_queries | json }},
"actions": {{ menu_actions | json }} "actions": {{ menu_actions | json }}
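Review bot: The rewritten exclusion `NOT _index:\"*:so-case*\"` places the wildcard pattern inside a quoted phrase; in Lucene-style query-string syntax a quoted term is a phrase and wildcards inside phrases are generally treated literally, so confirm against a running cluster that this still excludes the local `so-case*` indices as well as the remote `cluster:so-case*` names the `*:` prefix appears meant to cover. If the quotes were added only to escape the colon, an escaped unquoted form such as `NOT _index:*\\:so-case*`, or two clauses `NOT (_index:so-case* OR _index:*\\:so-case*)`, keeps plain wildcard semantics. Since this toggle is what keeps case documents out of hunt results, a pattern that silently matches nothing stops excluding them without any error, so a short comment above the entry naming the index-naming scheme it targets (for example `# matches both so-case* and <cluster>:so-case* index names`) would help the next editor.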