From e10749a49581980074f5b1db7d8bb5d5c409457b Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Wed, 26 Jan 2022 17:16:29 +0000
Subject: [PATCH] Additional changes to template to accomodate default fields and keyword subfield
---
 .../so/so-common-template.json.jinja | 1015 ++++++++++++++++-
 1 file changed, 1009 insertions(+), 6 deletions(-)
diff --git a/salt/elasticsearch/templates/so/so-common-template.json.jinja b/salt/elasticsearch/templates/so/so-common-template.json.jinja
index 54ba21b55..cd3e8dea6 100644
--- a/salt/elasticsearch/templates/so/so-common-template.json.jinja
+++ b/salt/elasticsearch/templates/so/so-common-template.json.jinja
@@ -11,6 +11,979 @@ "index.refresh_interval":"{{ REFRESH }}", "index.routing.allocation.require.box_type":"hot", "index.mapping.total_fields.limit": "10000", + "index.max_docvalue_fields_search": 200, + "index.query" : { + "default_field": [ + "message", + "tags", + "agent.ephemeral_id", + "agent.id", + "agent.name", + "agent.type", + "agent.version", + "as.organization.name", + "client.address", + "client.as.organization.name", + "client.domain", + "client.geo.city_name", + "client.geo.continent_name", + "client.geo.country_iso_code", + "client.geo.country_name", + "client.geo.name", + "client.geo.region_iso_code", + "client.geo.region_name", + "client.mac", + "client.registered_domain", + "client.top_level_domain", + "client.user.domain", + "client.user.email", + "client.user.full_name", + "client.user.group.domain", + "client.user.group.id", + "client.user.group.name", + "client.user.hash", + "client.user.id", + "client.user.name", + "cloud.account.id", + "cloud.availability_zone", + "cloud.instance.id", + "cloud.instance.name", + "cloud.machine.type", + "cloud.provider", + "cloud.region", + "container.id", + "container.image.name", + "container.image.tag", + "container.name", + "container.runtime", + "destination.address", + "destination.as.organization.name", + "destination.domain", + "destination.geo.city_name", + "destination.geo.continent_name", + "destination.geo.country_iso_code", + "destination.geo.country_name", + "destination.geo.name", + "destination.geo.region_iso_code", + "destination.geo.region_name", + "destination.mac", + "destination.registered_domain", + "destination.top_level_domain", + "destination.user.domain", + "destination.user.email", + "destination.user.full_name", + "destination.user.group.domain", + "destination.user.group.id", + "destination.user.group.name", + "destination.user.hash", + "destination.user.id", + "destination.user.name", + "dns.answers.class", + "dns.answers.data", + "dns.answers.name", + "dns.answers.type", + 
"dns.header_flags", + "dns.id", + "dns.op_code", + "dns.question.class", + "dns.question.name", + "dns.question.registered_domain", + "dns.question.subdomain", + "dns.question.top_level_domain", + "dns.question.type", + "dns.response_code", + "dns.type", + "ecs.version", + "error.code", + "error.id", + "error.message", + "error.stack_trace", + "error.type", + "event.action", + "event.category", + "event.code", + "event.dataset", + "event.hash", + "event.id", + "event.kind", + "event.module", + "event.outcome", + "event.provider", + "event.timezone", + "event.type", + "file.device", + "file.directory", + "file.extension", + "file.gid", + "file.group", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.hash.sha512", + "file.inode", + "file.mode", + "file.name", + "file.owner", + "file.path", + "file.target_path", + "file.type", + "file.uid", + "geo.city_name", + "geo.continent_name", + "geo.country_iso_code", + "geo.country_name", + "geo.name", + "geo.region_iso_code", + "geo.region_name", + "group.domain", + "group.id", + "group.name", + "hash.md5", + "hash.sha1", + "hash.sha256", + "hash.sha512", + "host.architecture", + "host.geo.city_name", + "host.geo.continent_name", + "host.geo.country_iso_code", + "host.geo.country_name", + "host.geo.name", + "host.geo.region_iso_code", + "host.geo.region_name", + "host.hostname", + "host.id", + "host.mac", + "host.name", + "host.os.family", + "host.os.full", + "host.os.kernel", + "host.os.name", + "host.os.platform", + "host.os.version", + "host.type", + "host.user.domain", + "host.user.email", + "host.user.full_name", + "host.user.group.domain", + "host.user.group.id", + "host.user.group.name", + "host.user.hash", + "host.user.id", + "host.user.name", + "http.request.body.content", + "http.request.method", + "http.request.referrer", + "http.response.body.content", + "http.version", + "log.level", + "log.logger", + "log.origin.file.name", + "log.origin.function", + "log.syslog.facility.name", + 
"log.syslog.severity.name", + "network.application", + "network.community_id", + "network.direction", + "network.iana_number", + "network.name", + "network.protocol", + "network.transport", + "network.type", + "observer.geo.city_name", + "observer.geo.continent_name", + "observer.geo.country_iso_code", + "observer.geo.country_name", + "observer.geo.name", + "observer.geo.region_iso_code", + "observer.geo.region_name", + "observer.hostname", + "observer.mac", + "observer.name", + "observer.os.family", + "observer.os.full", + "observer.os.kernel", + "observer.os.name", + "observer.os.platform", + "observer.os.version", + "observer.product", + "observer.serial_number", + "observer.type", + "observer.vendor", + "observer.version", + "organization.id", + "organization.name", + "os.family", + "os.full", + "os.kernel", + "os.name", + "os.platform", + "os.version", + "package.architecture", + "package.checksum", + "package.description", + "package.install_scope", + "package.license", + "package.name", + "package.path", + "package.version", + "process.args", + "process.executable", + "process.hash.md5", + "process.hash.sha1", + "process.hash.sha256", + "process.hash.sha512", + "process.name", + "process.thread.name", + "process.title", + "process.working_directory", + "server.address", + "server.as.organization.name", + "server.domain", + "server.geo.city_name", + "server.geo.continent_name", + "server.geo.country_iso_code", + "server.geo.country_name", + "server.geo.name", + "server.geo.region_iso_code", + "server.geo.region_name", + "server.mac", + "server.registered_domain", + "server.top_level_domain", + "server.user.domain", + "server.user.email", + "server.user.full_name", + "server.user.group.domain", + "server.user.group.id", + "server.user.group.name", + "server.user.hash", + "server.user.id", + "server.user.name", + "service.ephemeral_id", + "service.id", + "service.name", + "service.node.name", + "service.state", + "service.type", + "service.version", + 
"source.address", + "source.as.organization.name", + "source.domain", + "source.geo.city_name", + "source.geo.continent_name", + "source.geo.country_iso_code", + "source.geo.country_name", + "source.geo.name", + "source.geo.region_iso_code", + "source.geo.region_name", + "source.mac", + "source.registered_domain", + "source.top_level_domain", + "source.user.domain", + "source.user.email", + "source.user.full_name", + "source.user.group.domain", + "source.user.group.id", + "source.user.group.name", + "source.user.hash", + "source.user.id", + "source.user.name", + "threat.framework", + "threat.tactic.id", + "threat.tactic.name", + "threat.tactic.reference", + "threat.technique.id", + "threat.technique.name", + "threat.technique.reference", + "trace.id", + "transaction.id", + "url.domain", + "url.extension", + "url.fragment", + "url.full", + "url.original", + "url.password", + "url.path", + "url.query", + "url.registered_domain", + "url.scheme", + "url.top_level_domain", + "url.username", + "user.domain", + "user.email", + "user.full_name", + "user.group.domain", + "user.group.id", + "user.group.name", + "user.hash", + "user.id", + "user.name", + "user_agent.device.name", + "user_agent.name", + "user_agent.original.text", + "user_agent.original", + "user_agent.os.family", + "user_agent.os.full", + "user_agent.os.kernel", + "user_agent.os.name", + "user_agent.os.platform", + "user_agent.os.version", + "user_agent.version", + "agent.hostname", + "timeseries.instance", + "cloud.image.id", + "host.os.build", + "host.os.codename", + "kubernetes.pod.name", + "kubernetes.pod.uid", + "kubernetes.namespace", + "kubernetes.node.name", + "kubernetes.node.hostname", + "kubernetes.replicaset.name", + "kubernetes.deployment.name", + "kubernetes.statefulset.name", + "kubernetes.container.name", + "jolokia.agent.version", + "jolokia.agent.id", + "jolokia.server.product", + "jolokia.server.version", + "jolokia.server.vendor", + "jolokia.url", + "log.source.address", + "stream", + 
"input.type", + "syslog.severity_label", + "syslog.facility_label", + "process.program", + "log.flags", + "user_agent.os.full_name", + "fileset.name", + "icmp.code", + "icmp.type", + "igmp.type", + "azure.eventhub", + "azure.consumer_group", + "kafka.topic", + "kafka.key", + "activemq.caller", + "activemq.thread", + "activemq.user", + "activemq.log.stack_trace", + "apache.access.ssl.protocol", + "apache.access.ssl.cipher", + "apache.error.module", + "user.terminal", + "user.audit.id", + "user.audit.name", + "user.audit.group.id", + "user.audit.group.name", + "user.filesystem.id", + "user.filesystem.name", + "user.filesystem.group.id", + "user.filesystem.group.name", + "user.owner.id", + "user.owner.name", + "user.owner.group.id", + "user.owner.group.name", + "user.saved.id", + "user.saved.name", + "user.saved.group.id", + "user.saved.group.name", + "auditd.log.old_auid", + "auditd.log.new_auid", + "auditd.log.old_ses", + "auditd.log.new_ses", + "auditd.log.items", + "auditd.log.item", + "auditd.log.tty", + "auditd.log.a0", + "bucket.name", + "bucket.arn", + "object.key", + "azure.subscription_id", + "azure.correlation_id", + "azure.tenant_id", + "azure.resource.id", + "azure.resource.group", + "azure.resource.provider", + "azure.resource.namespace", + "azure.resource.name", + "azure.resource.authorization_rule", + "cisco.asa.message_id", + "cisco.asa.suffix", + "cisco.asa.source_interface", + "cisco.asa.destination_interface", + "cisco.asa.rule_name", + "cisco.asa.source_username", + "cisco.asa.destination_username", + "cisco.asa.threat_level", + "cisco.asa.threat_category", + "cisco.asa.connection_id", + "cisco.ftd.message_id", + "cisco.ftd.suffix", + "cisco.ftd.source_interface", + "cisco.ftd.destination_interface", + "cisco.ftd.rule_name", + "cisco.ftd.source_username", + "cisco.ftd.destination_username", + "cisco.ftd.threat_level", + "cisco.ftd.threat_category", + "cisco.ftd.connection_id", + "cisco.ios.access_list", + "cisco.ios.facility", + 
"cisco.umbrella.identities", + "cisco.umbrella.categories", + "cisco.umbrella.policy_identity_type", + "cisco.umbrella.identity_types", + "cisco.umbrella.blocked_categories", + "cisco.umbrella.content_type", + "cisco.umbrella.sha_sha256", + "cisco.umbrella.av_detections", + "cisco.umbrella.puas", + "cisco.umbrella.amp_disposition", + "cisco.umbrella.amp_malware_name", + "cisco.umbrella.amp_score", + "cisco.umbrella.datacenter", + "cisco.umbrella.origin_id", + "coredns.id", + "coredns.query.class", + "coredns.query.name", + "coredns.query.type", + "coredns.response.code", + "coredns.response.flags", + "cef.version", + "cef.device.vendor", + "cef.device.product", + "cef.device.version", + "cef.device.event_class_id", + "cef.severity", + "cef.name", + "source.service.name", + "destination.service.name", + "elasticsearch.component", + "elasticsearch.cluster.uuid", + "elasticsearch.cluster.name", + "elasticsearch.node.id", + "elasticsearch.node.name", + "elasticsearch.index.name", + "elasticsearch.index.id", + "elasticsearch.shard.id", + "elasticsearch.audit.layer", + "elasticsearch.audit.event_type", + "elasticsearch.audit.origin.type", + "elasticsearch.audit.realm", + "elasticsearch.audit.user.realm", + "elasticsearch.audit.user.roles", + "elasticsearch.audit.user.run_as.name", + "elasticsearch.audit.user.run_as.realm", + "elasticsearch.audit.component", + "elasticsearch.audit.action", + "elasticsearch.audit.url.params", + "elasticsearch.audit.indices", + "elasticsearch.audit.request.id", + "elasticsearch.audit.request.name", + "elasticsearch.audit.message", + "elasticsearch.gc.phase.name", + "elasticsearch.gc.tags", + "elasticsearch.slowlog.logger", + "elasticsearch.slowlog.took", + "elasticsearch.slowlog.types", + "elasticsearch.slowlog.stats", + "elasticsearch.slowlog.search_type", + "elasticsearch.slowlog.source_query", + "elasticsearch.slowlog.extra_source", + "elasticsearch.slowlog.total_hits", + "elasticsearch.slowlog.total_shards", + 
"elasticsearch.slowlog.routing", + "elasticsearch.slowlog.id", + "elasticsearch.slowlog.type", + "elasticsearch.slowlog.source", + "envoyproxy.log_type", + "envoyproxy.response_flags", + "envoyproxy.request_id", + "envoyproxy.authority", + "envoyproxy.proxy_type", + "fortinet.file.hash.crc32", + "gcp.destination.instance.project_id", + "gcp.destination.instance.region", + "gcp.destination.instance.zone", + "gcp.destination.vpc.project_id", + "gcp.destination.vpc.vpc_name", + "gcp.destination.vpc.subnetwork_name", + "gcp.source.instance.project_id", + "gcp.source.instance.region", + "gcp.source.instance.zone", + "gcp.source.vpc.project_id", + "gcp.source.vpc.vpc_name", + "gcp.source.vpc.subnetwork_name", + "gcp.audit.type", + "gcp.audit.authentication_info.principal_email", + "gcp.audit.authentication_info.authority_selector", + "gcp.audit.method_name", + "gcp.audit.request.proto_name", + "gcp.audit.request.filter", + "gcp.audit.request.name", + "gcp.audit.request.resource_name", + "gcp.audit.request_metadata.caller_supplied_user_agent", + "gcp.audit.response.proto_name", + "gcp.audit.response.details.group", + "gcp.audit.response.details.kind", + "gcp.audit.response.details.name", + "gcp.audit.response.details.uid", + "gcp.audit.response.status", + "gcp.audit.resource_name", + "gcp.audit.resource_location.current_locations", + "gcp.audit.service_name", + "gcp.audit.status.message", + "gcp.firewall.rule_details.action", + "gcp.firewall.rule_details.direction", + "gcp.firewall.rule_details.reference", + "gcp.firewall.rule_details.source_range", + "gcp.firewall.rule_details.destination_range", + "gcp.firewall.rule_details.source_tag", + "gcp.firewall.rule_details.target_tag", + "gcp.firewall.rule_details.source_service_account", + "gcp.firewall.rule_details.target_service_account", + "gcp.vpcflow.reporter", + "haproxy.frontend_name", + "haproxy.backend_name", + "haproxy.server_name", + "haproxy.bind_name", + "haproxy.error_message", + "haproxy.source", + 
"haproxy.termination_state", + "haproxy.mode", + "haproxy.http.response.captured_cookie", + "haproxy.http.response.captured_headers", + "haproxy.http.request.captured_cookie", + "haproxy.http.request.captured_headers", + "haproxy.http.request.raw_request_line", + "ibmmq.errorlog.installation", + "ibmmq.errorlog.qmgr", + "ibmmq.errorlog.arithinsert", + "ibmmq.errorlog.commentinsert", + "ibmmq.errorlog.errordescription", + "ibmmq.errorlog.explanation", + "ibmmq.errorlog.action", + "ibmmq.errorlog.code", + "icinga.debug.facility", + "icinga.main.facility", + "icinga.startup.facility", + "iis.access.site_name", + "iis.access.server_name", + "iis.access.cookie", + "iis.error.reason_phrase", + "iis.error.queue_name", + "iptables.fragment_flags", + "iptables.input_device", + "iptables.output_device", + "iptables.tcp.flags", + "iptables.ubiquiti.input_zone", + "iptables.ubiquiti.output_zone", + "iptables.ubiquiti.rule_number", + "iptables.ubiquiti.rule_set", + "kafka.log.component", + "kafka.log.class", + "kafka.log.thread", + "kafka.log.trace.class", + "kafka.log.trace.message", + "kibana.session_id", + "kibana.space_id", + "kibana.saved_object.type", + "kibana.saved_object.id", + "kibana.add_to_spaces", + "kibana.delete_from_spaces", + "kibana.authentication_provider", + "kibana.authentication_type", + "kibana.authentication_realm", + "kibana.lookup_realm", + "kibana.log.tags", + "kibana.log.state", + "logstash.log.module", + "logstash.log.thread.text", + "logstash.log.thread", + "logstash.log.log_event.action", + "logstash.log.pipeline_id", + "logstash.slowlog.module", + "logstash.slowlog.thread.text", + "logstash.slowlog.thread", + "logstash.slowlog.event.text", + "logstash.slowlog.event", + "logstash.slowlog.plugin_name", + "logstash.slowlog.plugin_type", + "logstash.slowlog.plugin_params.text", + "logstash.slowlog.plugin_params", + "misp.attack_pattern.id", + "misp.attack_pattern.name", + "misp.attack_pattern.description", + "misp.attack_pattern.kill_chain_phases", + 
"misp.campaign.id", + "misp.campaign.name", + "misp.campaign.description", + "misp.campaign.aliases", + "misp.campaign.objective", + "misp.course_of_action.id", + "misp.course_of_action.name", + "misp.course_of_action.description", + "misp.identity.id", + "misp.identity.name", + "misp.identity.description", + "misp.identity.identity_class", + "misp.identity.labels", + "misp.identity.sectors", + "misp.identity.contact_information", + "misp.intrusion_set.id", + "misp.intrusion_set.name", + "misp.intrusion_set.description", + "misp.intrusion_set.aliases", + "misp.intrusion_set.goals", + "misp.intrusion_set.resource_level", + "misp.intrusion_set.primary_motivation", + "misp.intrusion_set.secondary_motivations", + "misp.malware.id", + "misp.malware.name", + "misp.malware.description", + "misp.malware.labels", + "misp.malware.kill_chain_phases", + "misp.note.id", + "misp.note.summary", + "misp.note.description", + "misp.note.authors", + "misp.note.object_refs", + "misp.threat_indicator.labels", + "misp.threat_indicator.id", + "misp.threat_indicator.version", + "misp.threat_indicator.type", + "misp.threat_indicator.description", + "misp.threat_indicator.feed", + "misp.threat_indicator.severity", + "misp.threat_indicator.confidence", + "misp.threat_indicator.kill_chain_phases", + "misp.threat_indicator.mitre_tactic", + "misp.threat_indicator.mitre_technique", + "misp.threat_indicator.attack_pattern", + "misp.threat_indicator.attack_pattern_kql", + "misp.threat_indicator.intrusion_set", + "misp.threat_indicator.campaign", + "misp.threat_indicator.threat_actor", + "misp.observed_data.id", + "misp.observed_data.objects", + "misp.report.id", + "misp.report.labels", + "misp.report.name", + "misp.report.description", + "misp.report.object_refs", + "misp.threat_actor.id", + "misp.threat_actor.labels", + "misp.threat_actor.name", + "misp.threat_actor.description", + "misp.threat_actor.aliases", + "misp.threat_actor.roles", + "misp.threat_actor.goals", + 
"misp.threat_actor.sophistication", + "misp.threat_actor.resource_level", + "misp.threat_actor.primary_motivation", + "misp.threat_actor.secondary_motivations", + "misp.threat_actor.personal_motivations", + "misp.tool.id", + "misp.tool.labels", + "misp.tool.name", + "misp.tool.description", + "misp.tool.tool_version", + "misp.tool.kill_chain_phases", + "misp.vulnerability.id", + "misp.vulnerability.name", + "misp.vulnerability.description", + "mongodb.log.component", + "mongodb.log.context", + "mssql.log.origin", + "mysql.slowlog.query", + "mysql.slowlog.schema", + "mysql.slowlog.current_user", + "mysql.slowlog.last_errno", + "mysql.slowlog.killed", + "mysql.slowlog.log_slow_rate_type", + "mysql.slowlog.log_slow_rate_limit", + "mysql.slowlog.innodb.trx_id", + "nats.log.msg.type", + "nats.log.msg.subject", + "nats.log.msg.reply_to", + "nats.log.msg.error.message", + "nats.log.msg.queue_group", + "netflow.type", + "netflow.exporter.address", + "netflow.source_mac_address", + "netflow.post_destination_mac_address", + "netflow.destination_mac_address", + "netflow.post_source_mac_address", + "netflow.interface_name", + "netflow.interface_description", + "netflow.sampler_name", + "netflow.application_description", + "netflow.application_name", + "netflow.class_name", + "netflow.wlan_ssid", + "netflow.vr_fname", + "netflow.metro_evc_id", + "netflow.nat_pool_name", + "netflow.p2p_technology", + "netflow.tunnel_technology", + "netflow.encrypted_technology", + "netflow.observation_domain_name", + "netflow.selector_name", + "netflow.information_element_description", + "netflow.information_element_name", + "netflow.virtual_station_interface_name", + "netflow.virtual_station_name", + "netflow.sta_mac_address", + "netflow.wtp_mac_address", + "netflow.user_name", + "netflow.application_category_name", + "netflow.application_sub_category_name", + "netflow.application_group_name", + "netflow.dot1q_customer_source_mac_address", + "netflow.dot1q_customer_destination_mac_address", + 
"netflow.mib_context_name", + "netflow.mib_object_name", + "netflow.mib_object_description", + "netflow.mib_object_syntax", + "netflow.mib_module_name", + "netflow.mobile_imsi", + "netflow.mobile_msisdn", + "netflow.http_request_method", + "netflow.http_request_host", + "netflow.http_request_target", + "netflow.http_message_version", + "netflow.http_user_agent", + "netflow.http_content_type", + "netflow.http_reason_phrase", + "nginx.ingress_controller.upstream_address_list", + "nginx.ingress_controller.upstream.response.length_list", + "nginx.ingress_controller.upstream.response.time_list", + "nginx.ingress_controller.upstream.response.status_code_list", + "nginx.ingress_controller.upstream.name", + "nginx.ingress_controller.upstream.alternative_name", + "nginx.ingress_controller.http.request.id", + "oracle.database_audit.status", + "oracle.database_audit.session_id", + "oracle.database_audit.client.terminal", + "oracle.database_audit.client.address", + "oracle.database_audit.client.user", + "oracle.database_audit.database.user", + "oracle.database_audit.privilege", + "oracle.database_audit.entry.id", + "oracle.database_audit.database.host", + "oracle.database_audit.action", + "oracle.database_audit.action_number", + "oracle.database_audit.database.id", + "osquery.result.name", + "osquery.result.action", + "osquery.result.host_identifier", + "osquery.result.calendar_time", + "panw.panos.ruleset", + "panw.panos.source.zone", + "panw.panos.source.interface", + "panw.panos.destination.zone", + "panw.panos.destination.interface", + "panw.panos.endreason", + "panw.panos.network.pcap_id", + "panw.panos.network.nat.community_id", + "panw.panos.file.hash", + "panw.panos.url.category", + "panw.panos.flow_id", + "panw.panos.threat.resource", + "panw.panos.threat.id", + "panw.panos.threat.name", + "panw.panos.action", + "panw.panos.type", + "panw.panos.sub_type", + "postgresql.log.timestamp", + "postgresql.log.client_addr", + "postgresql.log.client_port", + 
"postgresql.log.session_id", + "postgresql.log.database", + "postgresql.log.query", + "postgresql.log.query_step", + "postgresql.log.query_name", + "postgresql.log.command_tag", + "postgresql.log.virtual_transaction_id", + "postgresql.log.sql_state_code", + "postgresql.log.detail", + "postgresql.log.hint", + "postgresql.log.internal_query", + "postgresql.log.context", + "postgresql.log.location", + "postgresql.log.application_name", + "postgresql.log.backend_type", + "rabbitmq.log.pid", + "redis.log.role", + "redis.slowlog.cmd", + "redis.slowlog.key", + "redis.slowlog.args", + "santa.action", + "santa.decision", + "santa.reason", + "santa.mode", + "santa.disk.volume", + "santa.disk.bus", + "santa.disk.serial", + "santa.disk.bsdname", + "santa.disk.model", + "santa.disk.fs", + "santa.disk.mount", + "santa.certificate.common_name", + "santa.certificate.sha256", + "snyk.related.projects", + "snyk.audit.org_id", + "snyk.audit.project_id", + "snyk.vulnerabilities.cvss3", + "snyk.vulnerabilities.exploit_maturity", + "snyk.vulnerabilities.id", + "snyk.vulnerabilities.language", + "snyk.vulnerabilities.package", + "snyk.vulnerabilities.package_manager", + "snyk.vulnerabilities.jira_issue_url", + "snyk.vulnerabilities.reachability", + "snyk.vulnerabilities.title", + "snyk.vulnerabilities.type", + "snyk.vulnerabilities.unique_severities_list", + "snyk.vulnerabilities.version", + "snyk.vulnerabilities.credit", + "snyk.vulnerabilities.identifiers.alternative", + "snyk.vulnerabilities.identifiers.cwe", + "suricata.eve.event_type", + "suricata.eve.app_proto_orig", + "suricata.eve.tcp.tcp_flags", + "suricata.eve.tcp.tcp_flags_tc", + "suricata.eve.tcp.state", + "suricata.eve.tcp.tcp_flags_ts", + "suricata.eve.fileinfo.sha1", + "suricata.eve.fileinfo.state", + "suricata.eve.fileinfo.sha256", + "suricata.eve.fileinfo.md5", + "suricata.eve.dns.type", + "suricata.eve.dns.rrtype", + "suricata.eve.dns.rrname", + "suricata.eve.dns.rdata", + "suricata.eve.dns.rcode", + 
"suricata.eve.flow_id", + "suricata.eve.email.status", + "suricata.eve.http.redirect", + "suricata.eve.http.protocol", + "suricata.eve.http.http_content_type", + "suricata.eve.in_iface", + "suricata.eve.alert.category", + "suricata.eve.alert.signature", + "suricata.eve.alert.protocols", + "suricata.eve.alert.attack_target", + "suricata.eve.alert.capec_id", + "suricata.eve.alert.cwe_id", + "suricata.eve.alert.malware", + "suricata.eve.alert.cve", + "suricata.eve.alert.cvss_v2_base", + "suricata.eve.alert.cvss_v2_temporal", + "suricata.eve.alert.cvss_v3_base", + "suricata.eve.alert.cvss_v3_temporal", + "suricata.eve.alert.priority", + "suricata.eve.alert.hostile", + "suricata.eve.alert.infected", + "suricata.eve.alert.classtype", + "suricata.eve.alert.rule_source", + "suricata.eve.alert.sid", + "suricata.eve.alert.affected_product", + "suricata.eve.alert.deployment", + "suricata.eve.alert.former_category", + "suricata.eve.alert.mitre_tool_id", + "suricata.eve.alert.performance_impact", + "suricata.eve.alert.signature_severity", + "suricata.eve.alert.tag", + "suricata.eve.ssh.client.proto_version", + "suricata.eve.ssh.client.software_version", + "suricata.eve.ssh.server.proto_version", + "suricata.eve.ssh.server.software_version", + "suricata.eve.tls.issuerdn", + "suricata.eve.tls.sni", + "suricata.eve.tls.version", + "suricata.eve.tls.fingerprint", + "suricata.eve.tls.serial", + "suricata.eve.tls.subject", + "suricata.eve.app_proto_ts", + "suricata.eve.flow.state", + "suricata.eve.flow.reason", + "suricata.eve.app_proto_tc", + "suricata.eve.smtp.rcpt_to", + "suricata.eve.smtp.mail_from", + "suricata.eve.smtp.helo", + "suricata.eve.app_proto_expected", + "system.auth.ssh.method", + "system.auth.ssh.signature", + "system.auth.ssh.event", + "system.auth.sudo.error", + "system.auth.sudo.tty", + "system.auth.sudo.pwd", + "system.auth.sudo.user", + "system.auth.sudo.command", + "system.auth.useradd.home", + "system.auth.useradd.shell", + "traefik.access.user_identifier", + 
"traefik.access.frontend_name", + "traefik.access.backend_url", + "zeek.session_id", + "zeek.capture_loss.peer", + "zeek.dns.trans_id", + "zeek.dns.query", + "zeek.dns.qclass_name", + "zeek.dns.qtype_name", + "zeek.dns.rcode_name", + "zeek.dns.answers", + "zeek.files.fuid", + "zeek.files.session_ids", + "zeek.files.source", + "zeek.files.analyzers", + "zeek.files.mime_type", + "zeek.files.filename", + "zeek.files.parent_fuid", + "zeek.files.md5", + "zeek.files.sha1", + "zeek.files.sha256", + "zeek.files.extracted", + "zeek.http.status_msg", + "zeek.http.info_msg", + "zeek.http.tags", + "zeek.http.password", + "zeek.http.proxied", + "zeek.http.client_header_names", + "zeek.http.server_header_names", + "zeek.http.orig_fuids", + "zeek.http.orig_mime_types", + "zeek.http.orig_filenames", + "zeek.http.resp_fuids", + "zeek.http.resp_mime_types", + "zeek.http.resp_filenames", + "zeek.notice.connection_id", + "zeek.notice.icmp_id", + "zeek.notice.file.id", + "zeek.notice.file.parent_id", + "zeek.notice.file.source", + "zeek.notice.file.mime_type", + "zeek.notice.fuid", + "zeek.notice.note", + "zeek.notice.msg", + "zeek.notice.sub", + "zeek.notice.peer_name", + "zeek.notice.peer_descr", + "zeek.notice.actions", + "zeek.notice.email_body_sections", + "zeek.notice.email_delay_tokens", + "zeek.notice.identifier", + "zookeeper.audit.session", + "zookeeper.audit.znode", + "zookeeper.audit.znode_type", + "zookeeper.audit.acl", + "zookeeper.audit.result", + "zookeeper.audit.user", + "fields.*" + ] + }, "analysis": { "analyzer": { "es_security_analyzer": { @@ -65,6 +1038,15 @@ } } }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + }, { "port": { "path_match": "*.port", @@ -197,7 +1179,7 @@ "type":"keyword" }, "geoip":{ - "dynamic":true, + "dynamic":false, "properties":{ "ip":{ "type":"ip" 
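Review bot: The `index.query.default_field` list added in this hunk holds close to a thousand explicit fields plus the `fields.*` wildcard, and Elasticsearch expands every term of an unqualified query into one clause per matched field, so a free-text query of only a few terms can exceed `indices.query.bool.max_clause_count` (1024 by default on 7.x) and fail with too_many_clauses instead of returning results. The wildcard entry also grows with whatever `fields.*` keys get dynamically mapped, so the effective clause count is not fixed at template time. A Jinja comment above `"default_field": [` would record the constraint for the next person extending the list, e.g. `{# Fields hit by unqualified queries; each query term expands to one clause per field, so keep the total well below indices.query.bool.max_clause_count #}`. Note also that `url.password` and `zeek.http.password` are in the list, so unqualified searches will return hits on captured credentials; the access model for the search interface should take that into account.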
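Review bot: `strings_as_keyword` is a catch-all for every dynamically mapped string value, and dynamic templates are applied in array order, so placing it ahead of the `port` template (and anything after it) means any later template that also relies on `match_mapping_type: string` will never fire; the `port` template's body is outside the hunk, so whether it depends on string matching cannot be confirmed here. Moving the catch-all to the end of the `dynamic_templates` array keeps the more specific rules effective. Separately, `ignore_above: 1024` leaves values longer than 1024 characters out of the index (they stay in `_source` only), so long command lines or URLs that land in a dynamically mapped field become unsearchable without any error; a Jinja comment next to the template stating that limit, e.g. `{# values over 1024 chars are stored but not indexed #}`, would make the trade-off visible.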
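Review bot: Switching `geoip` to `"dynamic":false` means any sub-field not listed under `properties` is kept in `_source` but neither indexed nor searchable, and Elasticsearch raises no error, so a field that a detection rule or dashboard references would silently never match. The same switch is made to `destination_geo` and `source_geo` in the following hunks and to the `destination` and `source` objects at +6607 and +19391, and the point applies to each of them. Before merging, it is worth confirming that every field the ingest parsers emit under these objects is explicitly mapped, and recording the behaviour in a Jinja comment at each switch, e.g. `{# dynamic:false — unmapped sub-fields are stored but not indexed; add new fields to properties explicitly #}`.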
@@ -214,7 +1196,7 @@
 }
 },
 "destination_geo":{
- "dynamic":true,
+ "dynamic":false,
 "properties":{
 "ip":{
 "type":"ip"
@@ -231,7 +1213,7 @@
 }
 },
 "source_geo":{
- "dynamic":true,
+ "dynamic":false,
 "properties":{
 "ip":{
 "type":"ip"
@@ -5625,7 +6607,8 @@
 "dynamic": true
 },
 "destination": {
- "properties": {
+ "dynamic": false,
+ "properties": {
 "address": {
 "ignore_above": 1024,
 "type": "keyword"
@@ -5679,6 +6662,15 @@
 "ignore_above": 1024,
 "type": "keyword"
 },
+ "ip":{
+ "type":"ip"
+ },
+ "latitude":{
+ "type":"half_float"
+ },
+ "longitude":{
+ "type":"half_float"
+ },
 "location": {
 "type": "geo_point"
 },
@@ -16895,10 +17887,20 @@
 "type": "long"
 },
 "pid": {
- "type": "long"
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 },
 "ppid": {
- "type": "long"
+ "type": "long",
+ "fields": {
+ "keyword": {
+ "type": "keyword"
+ }
+ }
 },
 "start": {
 "type": "date"
@@ -18389,6 +19391,7 @@
 }
 },
 "source": {
+ "dynamic": false,
 "properties": {
 "address": {
 "ignore_above": 1024,
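Review bot: `half_float` gives `latitude` and `longitude` only an 11-bit significand, so a longitude such as 122.4194 is stored with a step of 0.0625 degrees (several kilometres), which is too coarse for coordinates that are also kept in the sibling `location` geo_point. If these fields are meant to hold usable coordinates, `"latitude":{ "type":"float" }` and `"longitude":{ "type":"float" }` (or `double`) is the appropriate mapping; if they are only retained for display, a Jinja comment saying so would stop the next reader from querying them as precise values. The enclosing object's opening line is outside the hunk, so which object these are added to cannot be confirmed from here.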
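Review bot: The `keyword` sub-fields on `pid` and `ppid` are only reachable as `<parent>.pid.keyword` / `<parent>.ppid.keyword`, and no such entry appears in the `index.query.default_field` list added in the first hunk, so if they were added so that process ids match unqualified free-text searches (the commit subject mentions a keyword subfield), they will not be consulted until they are also listed there. The parent object of `pid` is outside the hunk, so its full path cannot be named here. A short Jinja comment above `"pid": {` recording why a numeric field carries a keyword multi-field, e.g. `{# keyword multi-field lets pid/ppid be matched as terms in free-text and wildcard queries #}`, would make the intent clear to the next maintainer.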