Add custom analyzer definition to all SO/DTC mappings

This commit is contained in:
Wes Lambert
2022-03-02 14:43:19 +00:00
parent 27c8eaa630
commit ed620b93b7
25 changed files with 1406 additions and 487 deletions


@@ -1,213 +1,253 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"properties": { "analysis": {
"so_audit_doc_id": { "analyzer": {
"ignore_above": 1024, "es_security_analyzer": {
"type": "keyword" "type": "custom",
}, "char_filter": [
"so_related": { "whitespace_no_way"
"properties": { ],
"createTime": { "filter": [
"type": "date" "lowercase",
}, "trim"
"caseId": { ],
"ignore_above": 1024, "tokenizer": "keyword"
"type": "keyword" }
}, },
"fields": { "char_filter": {
"eager_global_ordinals": false, "whitespace_no_way": {
"ignore_above": 1024, "type": "pattern_replace",
"index": true, "pattern": "(\\s)+",
"type": "flattened", "replacement": "$1"
"index_options": "docs", }
"split_queries_on_whitespace": false, },
"doc_values": true "filter": {
}, "path_hierarchy_pattern_filter": {
"userId": { "type": "pattern_capture",
"ignore_above": 1024, "preserve_original": true,
"type": "keyword" "patterns": [
} "((?:[^\\\\]*\\\\)*)(.*)",
} "((?:[^/]*/)*)(.*)"
}, ]
"@timestamp": { }
"type": "date" },
}, "tokenizer": {
"so_artifactstream": { "path_tokenizer": {
"properties": { "type": "path_hierarchy",
"createTime": { "delimiter": "\\"
"type": "date" }
}, }
"userId": { }
"ignore_above": 1024, },
"type": "keyword" "mappings": {
}, "properties": {
"content": { "so_audit_doc_id": {
"type": "text" "ignore_above": 1024,
} "type": "keyword"
} },
}, "so_related": {
"so_comment": { "properties": {
"properties": { "createTime": {
"createTime": { "type": "date"
"type": "date" },
}, "caseId": {
"caseId": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword" },
}, "fields": {
"description": { "eager_global_ordinals": false,
"type": "text" "ignore_above": 1024,
}, "index": true,
"userId": { "type": "flattened",
"ignore_above": 1024, "index_options": "docs",
"type": "keyword" "split_queries_on_whitespace": false,
} "doc_values": true
} },
}, "userId": {
"so_kind": { "ignore_above": 1024,
"ignore_above": 1024, "type": "keyword"
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
} }
} }
}, },
"_meta": { "@timestamp": {
"ecs_version": "1.12.2" "type": "date"
},
"so_artifactstream": {
"properties": {
"createTime": {
"type": "date"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"content": {
"type": "text"
}
}
},
"so_comment": {
"properties": {
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"type": "text"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_kind": {
"ignore_above": 1024,
"type": "keyword"
},
"so_operation": {
"ignore_above": 1024,
"type": "keyword"
},
"so_case": {
"properties": {
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"template": {
"ignore_above": 1024,
"type": "keyword"
},
"completeTime": {
"type": "date"
},
"description": {
"type": "text"
},
"priority": {
"type": "long"
},
"title": {
"type": "text"
},
"assigneeId": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"startTime": {
"type": "date"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"pap": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"so_artifact": {
"properties": {
"artifactType": {
"ignore_above": 1024,
"type": "keyword"
},
"groupType": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"streamId": {
"ignore_above": 1024,
"type": "keyword"
},
"groupId": {
"ignore_above": 1024,
"type": "keyword"
},
"streamLength": {
"type": "long"
},
"description": {
"type": "text"
},
"mimeType": {
"ignore_above": 1024,
"type": "keyword"
},
"userId": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"createTime": {
"type": "date"
},
"caseId": {
"ignore_above": 1024,
"type": "keyword"
},
"tlp": {
"ignore_above": 1024,
"type": "keyword"
},
"ioc": {
"type": "boolean"
},
"value": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
} }
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
} }
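Review bot: The `settings.analysis` block added between `"template": {` and `"mappings": {` in this file is the same forty-line definition copied verbatim into every other file section of this commit, while the two settings component templates (`"default settings for common Security Onion indices"` and the Cases one) already carry it, so the analyzer now has roughly twenty copies free to drift apart. If the intent is that each mapping template resolves `es_security_analyzer` on its own, state that where the next maintainer will see it, e.g. in `_meta`: `"description": "analysis settings duplicated from the common settings template so this mapping is self-contained"`; otherwise keep the definition only in the settings templates and rely on component composition. The copies also disagree with the existing definition on `preserve_original` (`true` here, `"true"` in the settings templates), and within the copied block `path_hierarchy_pattern_filter` and `path_tokenizer` are referenced by no analyzer, so they are dead configuration unless another template uses them. Nothing in this file's own `mappings` references `es_security_analyzer`, so as far as this section shows the added analyzer is unused here unless the template is composed with one that does.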


@@ -1,65 +1,65 @@
{ {
"template": { "template": {
"settings": { "settings": {
"index": { "index": {
"routing": { "routing": {
"allocation": { "allocation": {
"require": { "require": {
"box_type": "hot" "box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
} }
} }
}, },
"version": 1, "mapping": {
"_meta": { "total_fields": {
"description": "default settings for common Security Onion Cases indices" "limit": "3000"
} }
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion Cases indices"
}
} }


@@ -1,56 +1,96 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"dynamic_templates": [ "analysis": {
{ "analyzer": {
"ip_address": { "es_security_analyzer": {
"path_match": "*.ip", "type": "custom",
"mapping": { "char_filter": [
"type": "ip", "whitespace_no_way"
"fields": { ],
"keyword": { "filter": [
"ignore_above": 45, "lowercase",
"type": "keyword" "trim"
} ],
} "tokenizer": "keyword"
}, }
"match_mapping_type": "string" },
} "char_filter": {
}, "whitespace_no_way": {
{ "type": "pattern_replace",
"port": { "pattern": "(\\s)+",
"path_match": "*.port", "replacement": "$1"
"path_unmatch": "*.data.port", }
"mapping": { },
"type": "integer", "filter": {
"fields": { "path_hierarchy_pattern_filter": {
"keyword": { "type": "pattern_capture",
"ignore_above": 6, "preserve_original": true,
"type": "keyword" "patterns": [
} "((?:[^\\\\]*\\\\)*)(.*)",
} "((?:[^/]*/)*)(.*)"
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
] ]
} }
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
} }
}
},
"mappings": {
"dynamic_templates": [
{
"ip_address": {
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields": {
"keyword": {
"ignore_above": 45,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields": {
"keyword": {
"ignore_above": 6,
"type": "keyword"
}
}
}
}
},
{
"strings": {
"mapping": {
"type": "text",
"fields": {
"security": {
"analyzer": "es_security_analyzer",
"type": "text"
},
"keyword": {
"ignore_above": 32765,
"type": "keyword"
}
}
},
"match_mapping_type": "string"
}
}
]
}
}
} }
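Review bot: Now that `es_security_analyzer` is defined in this file, the `strings` dynamic template's `security` subfield feeds every dynamically mapped string through a `keyword` tokenizer, so the whole value becomes a single term, and unlike the sibling `keyword` subfield (`"ignore_above": 32765`) it has no length guard. Presumably an oversized value is then rejected at index time on the text subfield rather than skipped; that should be confirmed against the Elasticsearch version in use, and the asymmetry documented next to the template, e.g. `"_meta": { "description": "security subfield is single-term (keyword tokenizer); no ignore_above equivalent applies" }`. The `whitespace_no_way` char filter also only collapses each run of whitespace to its last captured character (`(\\s)+` → `$1`) rather than removing it, which its name does not convey; a one-line `_meta` description saying so would save the next reader a trip through the regex.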


@@ -1,65 +1,65 @@
{ {
"template": { "template": {
"settings": { "settings": {
"index": { "index": {
"routing": { "routing": {
"allocation": { "allocation": {
"require": { "require": {
"box_type": "hot" "box_type": "hot"
}
}
},
"mapping": {
"total_fields": {
"limit": "3000"
}
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
} }
} }
}, },
"version": 1, "mapping": {
"_meta": { "total_fields": {
"description": "default settings for common Security Onion indices" "limit": "3000"
} }
},
"refresh_interval": "30s",
"analysis": {
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": "true",
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"char_filter": {
"whitespace_no_way": {
"pattern": "(\\s)+",
"type": "pattern_replace",
"replacement": "$1"
}
},
"analyzer": {
"es_security_analyzer": {
"filter": [
"lowercase",
"trim"
],
"char_filter": [
"whitespace_no_way"
],
"type": "custom",
"tokenizer": "keyword"
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
},
"number_of_shards": "1",
"number_of_replicas": "0"
}
}
},
"version": 1,
"_meta": {
"description": "default settings for common Security Onion indices"
}
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"agent": { "agent": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -29,7 +69,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
@@ -42,7 +82,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
@@ -55,7 +95,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
@@ -68,7 +108,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"message": { "message": {
@@ -26,7 +66,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"dns": { "dns": {
@@ -16,7 +56,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"ecs": { "ecs": {
@@ -16,7 +56,7 @@
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"event": { "event": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -26,7 +66,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -39,7 +79,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -51,7 +91,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -64,7 +104,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -77,7 +117,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -90,7 +130,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -103,7 +143,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +67,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"host": { "host": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +67,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "match_only_text", "type": "match_only_text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"http": { "http": {
@@ -16,7 +56,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -29,7 +69,7 @@
"fields": { "fields": {
"text": { "text": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"network": { "network": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +67,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"observer": { "observer": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"process": { "process": {
@@ -12,7 +52,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule": { "rule": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +67,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"service": { "service": {
@@ -14,7 +54,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
@@ -27,7 +67,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user": { "user": {
@@ -12,7 +52,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"user_agent": { "user_agent": {
@@ -12,7 +52,7 @@
"fields": { "fields": {
"security": { "security": {
"type": "text", "type": "text",
"analyzer": "es_security_analyzer" "analyzer": "es_security_analyzer"
}, },
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"


@@ -1,53 +1,93 @@
{ {
"template": { "template": {
"mappings": { "settings": {
"properties": { "analysis": {
"endgame": { "analyzer": {
"dynamic": false, "es_security_analyzer": {
"properties": { "type": "custom",
"data": { "char_filter": [
"properties": { "whitespace_no_way"
"malware_classification": { ],
"properties": { "filter": [
"identifier": { "lowercase",
"ignore_above": 1024, "trim"
"type": "keyword" ],
} "tokenizer": "keyword"
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
} }
}, },
"_meta": { "char_filter": {
"ecs_version": "1.12.2" "whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
} }
}
},
"mappings": {
"properties": {
"endgame": {
"dynamic": false,
"properties": {
"data": {
"properties": {
"malware_classification": {
"properties": {
"identifier": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"quarantine_result": {
"properties": {
"local_msg": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event_subtype_full": {
"ignore_above": 1024,
"type": "keyword"
},
"event_type_full": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
},
"type": "object"
}
}
}
},
"_meta": {
"ecs_version": "1.12.2"
}
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"destination": { "destination": {


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"source": { "source": {
@@ -30,4 +70,3 @@
} }
} }
} }


@@ -4,6 +4,46 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"file": { "file": {
@@ -15,7 +55,7 @@
"type": "keyword", "type": "keyword",
"fields": { "fields": {
"keyword": { "keyword": {
"type": "keyword" "type": "keyword"
} }
} }
} }
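Review bot: The second hunk leaves this `file` sub-field as `"type": "keyword"` with a `keyword` multi-field beneath it, which indexes the same value twice as a keyword with no search benefit. The preceding section of this commit maps the equivalent field as `"type": "text"` with `"analyzer": "es_security_analyzer"` and keeps the `keyword` multi-field for exact matches, so it is unclear from the hunk whether the parent here was meant to become a `text` field as well or whether the multi-field is a leftover. Either change the parent to `"type": "text", "analyzer": "es_security_analyzer"` or drop the `fields` block; the field's name and its enclosing object lie outside the hunk.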


@@ -4,15 +4,55 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"rule":{ "rule": {
"properties":{ "properties": {
"score":{ "score": {
"type":"long" "type": "long"
} }
} }
} }
} }
} }
} }
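Review bot: With `"tokenizer": "keyword"`, any `text` field given `es_security_analyzer` is indexed as a single term holding the whole value, and Lucene's maximum term length (32766 bytes, as I recall) is enforced by rejecting the entire document, not just the field. For the long values these security indices carry, such as command lines or decoded script content, that means the event never reaches the index, which is a detection gap worth guarding against. Adding a `truncate` token filter to the `filter` list with a `length` comfortably below that limit (it counts characters, so leave room for multi-byte input) keeps such documents indexable; the same analyzer is defined identically in every other file section of this commit. No field in this section uses the analyzer, but the first section in this commit attaches it to `text` fields.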


@@ -4,27 +4,67 @@
"ecs_version": "1.12.2" "ecs_version": "1.12.2"
}, },
"template": { "template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": { "mappings": {
"properties": { "properties": {
"scan":{ "scan": {
"type":"object", "type": "object",
"properties":{ "properties": {
"exiftool":{ "exiftool": {
"type":"text" "type": "text"
}, },
"pe":{ "pe": {
"properties":{ "properties": {
"sections":{ "sections": {
"properties":{ "properties": {
"entropy":{ "entropy": {
"type": "float" "type": "float"
} }
} }
} }
} }
} }
} }
} }
} }
} }
} }