From de7b7ff98909ca1964a85d94d695bf8c6917642e Mon Sep 17 00:00:00 2001
From: Wes
Date: Mon, 24 Jul 2023 18:35:02 +0000
Subject: [PATCH] Add endpoint

---
 salt/elasticfleet/defaults.yaml | 1 +
 salt/elasticsearch/defaults.yaml | 392 +++++++++++++++++++++++++++++++
 2 files changed, 393 insertions(+)

diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index 93b5eba9a..46d496955 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -28,6 +28,7 @@ elasticfleet:
 - aws
 - azure
 - cloudflare
+ - endpoint
 - fim
 - github
 - google_workspace
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 3f29483e0..06e51cb1d 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -1312,6 +1312,398 @@ elasticsearch:
 name: elastic_agent
 managed_by: security_onion
 managed: true
+ so-logs-endpoint.alerts:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.alerts-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.alerts@custom"
+ - "logs-endpoint.alerts@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.api:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.api-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.api@custom"
+ - "logs-endpoint.events.api@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.file:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.file-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.file@custom"
+ - "logs-endpoint.events.file@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.library:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.library-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.library@custom"
+ - "logs-endpoint.events.library@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.network:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.network-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.network@custom"
+ - "logs-endpoint.events.network@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.process:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.process-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.process@custom"
+ - "logs-endpoint.events.process@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.registry:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.registry-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.registry@custom"
+ - "logs-endpoint.events.registry@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
+ so-logs-endpoint.events.security:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-endpoint.events.security-*"
+ template:
+ settings:
+ index:
+ number_of_replicas: 0
+ mapping:
+ total_fields:
+ limit: 5000
+ sort:
+ field: "@timestamp"
+ order: desc
+ composed_of:
+ - "event-mappings"
+ - "logs-endpoint.events.security@custom"
+ - "logs-endpoint.events.security@package"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ hot:
+ min_age: 0ms
+ actions:
+ set_priority:
+ priority: 100
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ cold:
+ min_age: 30d
+ actions:
+ set_priority:
+ priority: 0
+ delete:
+ min_age: 365d
+ actions:
+ delete: {}
+ _meta:
+ package:
+ name: elastic_agent
+ managed_by: security_onion
+ managed: true
 so-logs-elastic_agent.filebeat:
 index_sorting: False
 index_template:
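Review bot: All eight new stanzas, including `so-logs-endpoint.alerts` which backs the `logs-endpoint.alerts-*` EDR alert stream, pin `number_of_replicas: 0`, so on a clustered deployment the loss of one data node silently discards endpoint alerts and telemetry that may be the only record of an intrusion; if zero replicas is the intended single-node default (the neighbouring `so-logs-elastic_agent.filebeat` stanza appears to use the same shape), a comment such as `# replicas default to 0 for single-node installs; raise via pillar override on clustered deployments` above the first new stanza would make that trade-off visible to operators. The `composed_of` lists also reference `logs-endpoint.*@package` and `@custom` component templates that, as far as I can tell, only exist once the endpoint integration has been installed through Fleet, so the state that applies these index templates presumably has to be ordered after that install or Elasticsearch will reject the template for a missing component; worth confirming the ordering or noting it here. Each stanza also supplies `sort: field: "@timestamp"` while setting `index_sorting: False`, and I cannot see from this file which one wins, so a one-line comment on `index_sorting` stating whether it suppresses the `sort` block would remove the ambiguity. Finally, the eight stanzas differ only in the data-stream name, so a future tuning change such as `total_fields.limit` risks being applied to seven of the eight; if the file's conventions allow an anchor or template loop, that would remove the drift risk.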