diff --git a/salt/elasticsearch/templates/component/so/case-mappings.json b/salt/elasticsearch/templates/component/so/case-mappings.json index aef586459..5137b6c3a 100644 --- a/salt/elasticsearch/templates/component/so/case-mappings.json +++ b/salt/elasticsearch/templates/component/so/case-mappings.json 
@@ -1,213 +1,253 @@ - { - "template": { - "mappings": { - "properties": { - "so_audit_doc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_related": { - "properties": { - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "fields": { - "eager_global_ordinals": false, - "ignore_above": 1024, - "index": true, - "type": "flattened", - "index_options": "docs", - "split_queries_on_whitespace": false, - "doc_values": true - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "so_artifactstream": { - "properties": { - "createTime": { - "type": "date" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "content": { - "type": "text" - } - } - }, - "so_comment": { - "properties": { - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "type": "text" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "so_kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "so_case": { - "properties": { - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "template": { - "ignore_above": 1024, - "type": "keyword" - }, - "completeTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "priority": { - "type": "long" - }, - "title": { - "type": "text" - }, - "assigneeId": { - "ignore_above": 1024, - "type": "keyword" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "createTime": { - "type": "date" - }, - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "startTime": { - "type": "date" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "pap": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "so_artifact": { - "properties": { - "artifactType": { - "ignore_above": 1024, - "type": "keyword" - }, - "groupType": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "streamId": { - "ignore_above": 1024, - "type": "keyword" - }, - "groupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "streamLength": { - "type": "long" - }, - "description": { - "type": "text" - }, - "mimeType": { - "ignore_above": 1024, - "type": "keyword" - }, - "userId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "createTime": { - "type": "date" - }, - "caseId": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "ioc": { - "type": "boolean" - }, - "value": { - "type": "text", - "fields": { - "keyword": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - } - } - } +{ + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, + "mappings": { + "properties": { + "so_audit_doc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_related": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "fields": { + "eager_global_ordinals": false, + "ignore_above": 1024, + "index": true, + "type": "flattened", + "index_options": "docs", + "split_queries_on_whitespace": false, + "doc_values": true + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" } } }, - "_meta": { - "ecs_version": "1.12.2" + "@timestamp": { + "type": "date" + }, + "so_artifactstream": { + "properties": { + "createTime": { + "type": "date" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "content": { + "type": "text" + } + } + }, + "so_comment": { + "properties": { + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "text" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "so_case": { + "properties": { + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "template": { + "ignore_above": 1024, + "type": "keyword" + }, + "completeTime": { + "type": "date" + }, + "description": { + "type": "text" + }, + "priority": { + "type": "long" + }, + "title": { + "type": "text" + }, + "assigneeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "pap": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "so_artifact": { + "properties": { + "artifactType": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "streamId": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "streamLength": { + "type": "long" + }, + "description": { + "type": "text" + }, + "mimeType": { + "ignore_above": 1024, + "type": "keyword" + }, + "userId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "createTime": { + "type": "date" + }, + "caseId": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "type": "boolean" + }, + "value": { + "type": "text", + "fields": { + "keyword": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + } + } } + } + } + }, + "_meta": { + "ecs_version": "1.12.2" + } } diff --git a/salt/elasticsearch/templates/component/so/case-settings.json b/salt/elasticsearch/templates/component/so/case-settings.json index 3a4429926..46c3cdeb9 100644 --- a/salt/elasticsearch/templates/component/so/case-settings.json +++ b/salt/elasticsearch/templates/component/so/case-settings.json 
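Review bot: The `settings.analysis` block that now opens the new side of this template is a second hand-maintained copy of the analyzer, char_filter, filter and tokenizer already declared in case-settings.json, and the two copies already differ in one detail (`"preserve_original": true` here, `"preserve_original": "true"` there); Elasticsearch accepts both spellings, but duplicated definitions drift, so either render both files from one Salt/Jinja source or keep the two blocks byte-identical. Component-template settings are merged key by key in `composed_of` order, so a future divergence would be resolved silently by whichever template is listed last rather than by a validation error. `path_hierarchy_pattern_filter` and `path_tokenizer` are not referenced by any analyzer in this file — presumably another template's mappings use them, but if not they are dead definitions in this copy.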
@@ -1,65 +1,65 @@ { - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, - "mapping": { - "total_fields": { - "limit": "3000" - } - }, - "refresh_interval": "30s", - "analysis": { - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": "true", - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "char_filter": { - "whitespace_no_way": { - "pattern": "(\\s)+", - "type": "pattern_replace", - "replacement": "$1" - } - }, - "analyzer": { - "es_security_analyzer": { - "filter": [ - "lowercase", - "trim" - ], - "char_filter": [ - "whitespace_no_way" - ], - "type": "custom", - "tokenizer": "keyword" - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "number_of_shards": "1", - "number_of_replicas": "0" + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" } } }, - "version": 1, - "_meta": { - "description": "default settings for common Security Onion Cases indices" - } + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common 
Security Onion Cases indices" + } } diff --git a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json index 7ae4ae86c..bb072133a 100644 --- a/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json +++ b/salt/elasticsearch/templates/component/so/common-dynamic-mappings.json 
@@ -1,56 +1,96 @@ { - "template": { - "mappings": { - "dynamic_templates": [ - { - "ip_address": { - "path_match": "*.ip", - "mapping": { - "type": "ip", - "fields": { - "keyword": { - "ignore_above": 45, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" - } - }, - { - "port": { - "path_match": "*.port", - "path_unmatch": "*.data.port", - "mapping": { - "type": "integer", - "fields": { - "keyword": { - "ignore_above": 6, - "type": "keyword" - } - } - } - } - }, - { - "strings": { - "mapping": { - "type": "text", - "fields": { - "security": { - "analyzer": "es_security_analyzer", - "type": "text" - }, - "keyword": { - "ignore_above": 32765, - "type": "keyword" - } - } - }, - "match_mapping_type": "string" - } - } + "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" ] } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } } + } + }, + "mappings": { + "dynamic_templates": [ + { + "ip_address": { + "path_match": "*.ip", + "mapping": { + "type": "ip", + "fields": { + "keyword": { + "ignore_above": 45, + "type": "keyword" + } + } + }, + "match_mapping_type": "string" + } + }, + { + "port": { + "path_match": "*.port", + "path_unmatch": "*.data.port", + "mapping": { + "type": "integer", + "fields": { + "keyword": { + "ignore_above": 6, + "type": "keyword" + } + } + } + } + }, + { + "strings": { + "mapping": { + "type": "text", + "fields": { + "security": { + "analyzer": "es_security_analyzer", + "type": "text" + }, + "keyword": { + 
"ignore_above": 32765, + "type": "keyword" + } + } + }, + "match_mapping_type": "string" + } + } + ] + } + } } diff --git a/salt/elasticsearch/templates/component/so/common-settings.json b/salt/elasticsearch/templates/component/so/common-settings.json index 729ba3388..7d60192c3 100644 --- a/salt/elasticsearch/templates/component/so/common-settings.json +++ b/salt/elasticsearch/templates/component/so/common-settings.json 
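Review bot: The `ip_address` and `port` dynamic templates on the new side map `*.ip` to `ip` and `*.port` to `integer` with no `ignore_malformed`, so an event whose attacker-influenced field carries a non-IP string or a non-numeric port is rejected by the mapper and the whole event is dropped, unless `index.mapping.ignore_malformed` is enabled at the index level somewhere I cannot see from this diff. If it is not, adding `"ignore_malformed": true` to both `mapping` objects keeps the event searchable with only the bad field skipped. Separately, the `strings` template's keyword subfield uses `"ignore_above": 32765`, which Elasticsearch counts in characters while Lucene's 32766 limit is in bytes; a multi-byte UTF-8 value of roughly 8k–32k characters passes `ignore_above` yet exceeds the byte limit and, as far as I know, fails the document, so the documented `8191` would be the safe ceiling if that matters here. These lines are pre-existing and only re-indented by this commit, but they are what the new template ships.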
@@ -1,65 +1,65 @@ { - "template": { - "settings": { - "index": { - "routing": { - "allocation": { - "require": { - "box_type": "hot" - } - } - }, - "mapping": { - "total_fields": { - "limit": "3000" - } - }, - "refresh_interval": "30s", - "analysis": { - "filter": { - "path_hierarchy_pattern_filter": { - "type": "pattern_capture", - "preserve_original": "true", - "patterns": [ - "((?:[^\\\\]*\\\\)*)(.*)", - "((?:[^/]*/)*)(.*)" - ] - } - }, - "char_filter": { - "whitespace_no_way": { - "pattern": "(\\s)+", - "type": "pattern_replace", - "replacement": "$1" - } - }, - "analyzer": { - "es_security_analyzer": { - "filter": [ - "lowercase", - "trim" - ], - "char_filter": [ - "whitespace_no_way" - ], - "type": "custom", - "tokenizer": "keyword" - } - }, - "tokenizer": { - "path_tokenizer": { - "type": "path_hierarchy", - "delimiter": "\\" - } - } - }, - "number_of_shards": "1", - "number_of_replicas": "0" + "template": { + "settings": { + "index": { + "routing": { + "allocation": { + "require": { + "box_type": "hot" } } }, - "version": 1, - "_meta": { - "description": "default settings for common Security Onion indices" - } + "mapping": { + "total_fields": { + "limit": "3000" + } + }, + "refresh_interval": "30s", + "analysis": { + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": "true", + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "char_filter": { + "whitespace_no_way": { + "pattern": "(\\s)+", + "type": "pattern_replace", + "replacement": "$1" + } + }, + "analyzer": { + "es_security_analyzer": { + "filter": [ + "lowercase", + "trim" + ], + "char_filter": [ + "whitespace_no_way" + ], + "type": "custom", + "tokenizer": "keyword" + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + }, + "number_of_shards": "1", + "number_of_replicas": "0" + } + } + }, + "version": 1, + "_meta": { + "description": "default settings for common Security 
Onion indices" + } } diff --git a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json index 41072387a..871bdcc05 100644 --- a/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-agent-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "agent": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -29,7 +69,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -42,7 +82,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -55,7 +95,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } @@ -68,7 +108,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json index 8211dc2e2..0bc940e66 100644 --- a/salt/elasticsearch/templates/component/so/dtc-base-mappings.json 
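Review bot: The `settings.analysis` block inserted directly under `"template": {` in the first hunk of dtc-agent-mappings.json is the same ~40-line definition this commit pastes into every other dtc-*-mappings.json and into case-mappings.json; since these files live under salt/elasticsearch/templates they could be rendered from a single Jinja include (or the analysis kept in one shared component template) so a later change to `es_security_analyzer` cannot land in some copies and not others. It is also worth recording, for example in the existing `_meta` object since JSON has no comments, what `whitespace_no_way` actually does: the pattern `(\\s)+` with replacement `$1` collapses each run of whitespace to a single character rather than removing whitespace, so `.security` subfields match lowercased, whitespace-normalized whole values; if stripping was the intent the replacement should be an empty string. The remaining hunks in this file are whitespace-only.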
+++ b/salt/elasticsearch/templates/component/so/dtc-base-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "message": { @@ -26,7 +66,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json index c4be8249e..56a529bf2 100644 --- a/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-dns-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "dns": { 
@@ -16,7 +56,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json index de012d3fd..549385123 100644 --- a/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-ecs-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "ecs": { @@ -16,7 +56,7 @@ "type": "text", "analyzer": "es_security_analyzer" }, - "keyword": { + "keyword": { "type": "keyword" } } diff --git a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json index dfb7f3467..a64a30a26 100644 --- a/salt/elasticsearch/templates/component/so/dtc-event-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-event-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "event": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -26,7 +66,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -39,7 +79,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -51,7 +91,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -64,7 +104,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -77,7 +117,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -90,7 +130,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" 
@@ -103,7 +143,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json index cd0edcda8..c58ae77ab 100644 --- a/salt/elasticsearch/templates/component/so/dtc-file-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-file-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "file": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json index 599ad55c3..b7645acdf 100644 --- a/salt/elasticsearch/templates/component/so/dtc-host-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-host-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "host": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "match_only_text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json index 8e705c260..05c9681ce 100644 --- a/salt/elasticsearch/templates/component/so/dtc-http-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-http-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "http": { @@ -16,7 +56,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -29,7 +69,7 @@ "fields": { "text": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json index 755426356..daa1521c5 100644 --- a/salt/elasticsearch/templates/component/so/dtc-network-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-network-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "network": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json index 1b6219cc7..be1c05510 100644 --- a/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-observer-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "observer": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json index 8160f70c3..a70df5c77 100644 --- a/salt/elasticsearch/templates/component/so/dtc-process-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-process-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "process": { 
@@ -12,7 +52,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json index 2e9b4de16..797f51a86 100644 --- a/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-rule-mappings.json @@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "rule": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json index d5f30f602..0e82f6698 100644 --- a/salt/elasticsearch/templates/component/so/dtc-service-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-service-mappings.json 
@@ -4,6 +4,46 @@ "ecs_version": "1.12.2" }, "template": { + "settings": { + "analysis": { + "analyzer": { + "es_security_analyzer": { + "type": "custom", + "char_filter": [ + "whitespace_no_way" + ], + "filter": [ + "lowercase", + "trim" + ], + "tokenizer": "keyword" + } + }, + "char_filter": { + "whitespace_no_way": { + "type": "pattern_replace", + "pattern": "(\\s)+", + "replacement": "$1" + } + }, + "filter": { + "path_hierarchy_pattern_filter": { + "type": "pattern_capture", + "preserve_original": true, + "patterns": [ + "((?:[^\\\\]*\\\\)*)(.*)", + "((?:[^/]*/)*)(.*)" + ] + } + }, + "tokenizer": { + "path_tokenizer": { + "type": "path_hierarchy", + "delimiter": "\\" + } + } + } + }, "mappings": { "properties": { "service": { @@ -14,7 +54,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" @@ -27,7 +67,7 @@ "fields": { "security": { "type": "text", - "analyzer": "es_security_analyzer" + "analyzer": "es_security_analyzer" }, "keyword": { "type": "keyword" diff --git a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json index 1e51822ee..d0162d675 100644 --- a/salt/elasticsearch/templates/component/so/dtc-user-mappings.json +++ b/salt/elasticsearch/templates/component/so/dtc-user-mappings.json 
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "user": {
@@ -12,7 +52,7 @@
 "fields": {
 "security": {
 "type": "text",
- "analyzer": "es_security_analyzer"
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
index a7d9c610e..ec5a58e3a 100644
--- a/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
+++ b/salt/elasticsearch/templates/component/so/dtc-user_agent-mappings.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "user_agent": {
@@ -12,7 +52,7 @@
 "fields": {
 "security": {
 "type": "text",
- "analyzer": "es_security_analyzer"
+ "analyzer": "es_security_analyzer"
 },
 "keyword": {
 "type": "keyword"
diff --git a/salt/elasticsearch/templates/component/so/endgame-mappings.json b/salt/elasticsearch/templates/component/so/endgame-mappings.json
index d32fb962d..6a8adfa5d 100644
--- a/salt/elasticsearch/templates/component/so/endgame-mappings.json
+++ b/salt/elasticsearch/templates/component/so/endgame-mappings.json
@@ -1,53 +1,93 @@
- {
- "template": {
- "mappings": {
- "properties": {
- "endgame": {
- "dynamic": false,
- "properties": {
- "data": {
- "properties": {
- "malware_classification": {
- "properties": {
- "identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "quarantine_result": {
- "properties": {
- "local_msg": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "event_subtype_full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_type_full": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "metadata": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- },
- "type": "object"
- }
- }
+{
+ "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
 }
 },
- "_meta": {
- "ecs_version": "1.12.2"
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
 }
+ }
+ },
+ "mappings": {
+ "properties": {
+ "endgame": {
+ "dynamic": false,
+ "properties": {
+ "data": {
+ "properties": {
+ "malware_classification": {
+ "properties": {
+ "identifier": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ },
+ "quarantine_result": {
+ "properties": {
+ "local_msg": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ }
+ },
+ "event_subtype_full": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "event_type_full": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ },
+ "metadata": {
+ "properties": {
+ "type": {
+ "ignore_above": 1024,
+ "type": "keyword"
+ }
+ }
+ }
+ },
+ "type": "object"
+ }
+ }
+ }
+ },
+ "_meta": {
+ "ecs_version": "1.12.2"
+ }
 }
diff --git a/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json b/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json
index 8e3ab45f3..68f69500d 100644
--- a/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json
+++ b/salt/elasticsearch/templates/component/so/pb-override-destination-mappings.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "destination": {
diff --git a/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json b/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json
index 55f105b8c..947daf0b7 100644
--- a/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json
+++ b/salt/elasticsearch/templates/component/so/pb-override-source-mappings.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "source": {
@@ -30,4 +70,3 @@
 }
 }
 }
-
diff --git a/salt/elasticsearch/templates/component/so/so-file-mappings.json b/salt/elasticsearch/templates/component/so/so-file-mappings.json
index 1b87b0915..3f1188234 100644
--- a/salt/elasticsearch/templates/component/so/so-file-mappings.json
+++ b/salt/elasticsearch/templates/component/so/so-file-mappings.json
@@ -4,6 +4,46 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
 "file": {
@@ -15,7 +55,7 @@
 "type": "keyword",
 "fields": {
 "keyword": {
- "type": "keyword"
+ "type": "keyword"
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/so/so-rule-mappings.json b/salt/elasticsearch/templates/component/so/so-rule-mappings.json
index 00cea1bfe..3e792f17b 100644
--- a/salt/elasticsearch/templates/component/so/so-rule-mappings.json
+++ b/salt/elasticsearch/templates/component/so/so-rule-mappings.json
@@ -4,15 +4,55 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
- "rule":{
- "properties":{
- "score":{
- "type":"long"
- }
- }
- }
+ "rule": {
+ "properties": {
+ "score": {
+ "type": "long"
+ }
+ }
+ }
 }
 }
 }
diff --git a/salt/elasticsearch/templates/component/so/so-scan-mappings.json b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
index 00d10f73b..23e6142fc 100644
--- a/salt/elasticsearch/templates/component/so/so-scan-mappings.json
+++ b/salt/elasticsearch/templates/component/so/so-scan-mappings.json
@@ -4,27 +4,67 @@
 "ecs_version": "1.12.2"
 },
 "template": {
+ "settings": {
+ "analysis": {
+ "analyzer": {
+ "es_security_analyzer": {
+ "type": "custom",
+ "char_filter": [
+ "whitespace_no_way"
+ ],
+ "filter": [
+ "lowercase",
+ "trim"
+ ],
+ "tokenizer": "keyword"
+ }
+ },
+ "char_filter": {
+ "whitespace_no_way": {
+ "type": "pattern_replace",
+ "pattern": "(\\s)+",
+ "replacement": "$1"
+ }
+ },
+ "filter": {
+ "path_hierarchy_pattern_filter": {
+ "type": "pattern_capture",
+ "preserve_original": true,
+ "patterns": [
+ "((?:[^\\\\]*\\\\)*)(.*)",
+ "((?:[^/]*/)*)(.*)"
+ ]
+ }
+ },
+ "tokenizer": {
+ "path_tokenizer": {
+ "type": "path_hierarchy",
+ "delimiter": "\\"
+ }
+ }
+ }
+ },
 "mappings": {
 "properties": {
- "scan":{
- "type":"object",
- "properties":{
- "exiftool":{
- "type":"text"
- },
- "pe":{
- "properties":{
- "sections":{
- "properties":{
- "entropy":{
+ "scan": {
+ "type": "object",
+ "properties": {
+ "exiftool": {
+ "type": "text"
+ },
+ "pe": {
+ "properties": {
+ "sections": {
+ "properties": {
+ "entropy": {
 "type": "float"
- }
- }
- }
- }
- }
- }
- }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
 }
 }
 }