CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add custom analyzer definition to all SO/DTC mappings

Browse Source
This commit is contained in:
Wes Lambert
2022-03-02 14:43:19 +00:00
parent 27c8eaa630
commit ed620b93b7
25 changed files with 1406 additions and 487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

456
salt/elasticsearch/templates/component/so/case-mappings.json
View File

@@ -1,213 +1,253 @@
{
"template": {
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"so_related": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"@timestamp": {
"type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"so_audit_doc_id": {
"ignore_above": 1024,
"type": "keyword"
},
"so_related": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"fields": {
"eager_global_ordinals": false,
"ignore_above": 1024,
"index": true,
"type": "flattened",
"index_options": "docs",
"split_queries_on_whitespace": false,
"doc_values": true
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"_meta": {
"ecs_version": "1.12.2"
"@timestamp": {
"type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}

120
salt/elasticsearch/templates/component/so/case-settings.json
View File

@@ -1,65 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
}

142
salt/elasticsearch/templates/component/so/common-dynamic-mappings.json
View File

@@ -1,56 +1,96 @@
{
"template": {
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
}

120
salt/elasticsearch/templates/component/so/common-settings.json
View File

@@ -1,65 +1,65 @@
{
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
"template": {
"settings": {
"index": {
"routing": {
"allocation": {
"require": {
"box_type": "hot"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
}

50
salt/elasticsearch/templates/component/so/dtc-agent-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"agent": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -29,7 +69,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}
@@ -42,7 +82,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}
@@ -55,7 +95,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}
@@ -68,7 +108,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}

42
salt/elasticsearch/templates/component/so/dtc-base-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"message": {
@@ -26,7 +66,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}

42
salt/elasticsearch/templates/component/so/dtc-dns-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"dns": {
@@ -16,7 +56,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

42
salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"ecs": {
@@ -16,7 +56,7 @@
"type": "text",
"analyzer": "es_security_analyzer"
},
"keyword": {
"keyword": {
"type": "keyword"
}
}

56
salt/elasticsearch/templates/component/so/dtc-event-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"event": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -26,7 +66,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -39,7 +79,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -51,7 +91,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -64,7 +104,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -77,7 +117,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -90,7 +130,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -103,7 +143,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-file-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"file": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -27,7 +67,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-host-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"host": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -27,7 +67,7 @@
"fields": {
"security": {
"type": "match_only_text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-http-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"http": {
@@ -16,7 +56,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -29,7 +69,7 @@
"fields": {
"text": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-network-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"network": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -27,7 +67,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

42
salt/elasticsearch/templates/component/so/dtc-observer-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"observer": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

42
salt/elasticsearch/templates/component/so/dtc-process-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"process": {
@@ -12,7 +52,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-rule-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"rule": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -27,7 +67,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

44
salt/elasticsearch/templates/component/so/dtc-service-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"service": {
@@ -14,7 +54,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"
@@ -27,7 +67,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

42
salt/elasticsearch/templates/component/so/dtc-user-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"user": {
@@ -12,7 +52,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

42
salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"user_agent": {
@@ -12,7 +52,7 @@
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
"analyzer": "es_security_analyzer"
},
"keyword": {
"type": "keyword"

138
salt/elasticsearch/templates/component/so/endgame-mappings.json
View File

@@ -1,53 +1,93 @@
{
"template": {
"mappings": {
"properties": {
"endgame": {
"dynamic": false,
"properties": {
"data": {
"properties": {
"malware_classification": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
{
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"_meta": {
"ecs_version": "1.12.2"
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"endgame": {
"dynamic": false,
"properties": {
"data": {
"properties": {
"malware_classification": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
}

40
salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"destination": {

41
salt/elasticsearch/templates/component/so/pb-override-source-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"source": {
@@ -30,4 +70,3 @@
}
}
}

42
salt/elasticsearch/templates/component/so/so-file-mappings.json
View File

@@ -4,6 +4,46 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"file": {
@@ -15,7 +55,7 @@
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
"type": "keyword"
}
}
}

54
salt/elasticsearch/templates/component/so/so-rule-mappings.json
View File

@@ -4,15 +4,55 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"rule":{
"properties":{
"score":{
"type":"long"
}
}
}
"rule": {
"properties": {
"score": {
"type": "long"
}
}
}
}
}
}

76
salt/elasticsearch/templates/component/so/so-scan-mappings.json
View File

@@ -4,27 +4,67 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"scan":{
"type":"object",
"properties":{
"exiftool":{
"type":"text"
},
"pe":{
"properties":{
"sections":{
"properties":{
"entropy":{
"scan": {
"type": "object",
"properties": {
"exiftool": {
"type": "text"
},
"pe": {
"properties": {
"sections": {
"properties": {
"entropy": {
"type": "float"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}