Prefix all SO fields to avoid potential conflicts with future ECS changes

2025-12-06 09:12:45 +01:00 · 2022-01-19 14:26:22 -05:00
parent d7ba1cedff
commit dc44a91398
4 changed files with 14 additions and 14 deletions
--- a/salt/elasticsearch/templates/so/so-case-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-case-template.json.jinja
@@ -36,11 +36,11 @@
      "@timestamp": {
        "type": "date"
      },
-      "kind": {
+      "so_kind": {
        "type": "keyword",
        "ignore_above": 1024
      },
-      "operation": {
+      "so_operation": {
        "type": "keyword",
        "ignore_above": 1024
      },      
@@ -48,7 +48,7 @@
        "type": "keyword",
        "ignore_above": 1024
      },
-      "artifact": {
+      "so_artifact": {
        "properties": {
          "artifactType": {
            "type": "keyword",
@@ -121,7 +121,7 @@
          }
        }
      },
-      "artifactstream": {
+      "so_artifactstream": {
        "properties": {
          "content": {
            "type": "text"
@@ -135,7 +135,7 @@
          }
        }
      },
-      "case": {
+      "so_case": {
        "properties": {
          "assigneeId": {
            "type": "keyword",
@@ -193,7 +193,7 @@
          }
        }
      },
-      "comment": {
+      "so_comment": {
        "properties": {
          "caseId": {
            "type": "keyword",
@@ -211,7 +211,7 @@
          }
        }
      },
-      "related": {
+      "so_related": {
        "properties": {
          "caseId": {
            "type": "keyword",
--- a/salt/soc/files/soc/cases.eventfields.json
+++ b/salt/soc/files/soc/cases.eventfields.json
@@ -1,3 +1,3 @@
 {
-  "default": ["soc_timestamp", "case.title", "case.status", "case.severity", "case.createTime"]
+  "default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.createTime"]
 }
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
@@ -1,7 +1,7 @@
 [
-  { "name": "Open Cases", "query": "NOT case.status:closed AND NOT case.category:template" },
+  { "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" },
-  { "name": "Closed Cases", "query": "case.status:closed AND NOT case.category:template" },
+  { "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" },
-  { "name": "My Open Cases", "query": "NOT case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },
+  { "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
-  { "name": "My Closed Cases", "query": "case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },  
+  { "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },  
-  { "name": "Templates", "query": "case.category:template" }
+  { "name": "Templates", "query": "so_case.category:template" }
 ]
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -211,7 +211,7 @@
        "viewEnabled": true,
        "createLink": "/case/create",
        "eventFields": {{ cases_eventfields | json }},
-        "queryBaseFilter": "_index:\"*:so-case\" AND kind:case",
+        "queryBaseFilter": "_index:\"*:so-case\" AND so_kind:case",
        "queryToggleFilters": [
        ],
        "queries": {{ cases_queries | json }},