Fix EG template and mappings

2025-12-06 17:22:49 +01:00 · 2022-02-04 16:00:16 +00:00
parent 1af63edc6b
commit f3902cf77d
2 changed files with 56 additions and 2 deletions
--- a/salt/elasticsearch/templates/component/so/endgame-mappings.json
+++ b/salt/elasticsearch/templates/component/so/endgame-mappings.json
@@ -0,0 +1,53 @@
+    {
+        "template": {
+          "mappings": {
+            "properties": {
+              "endgame": {
+        	"dynamic": false,
+                "properties": {
+                  "data": {
+                    "properties": {
+              	      "malware_classification": {
+                        "properties": {
+                  	  "identifier": {
+                    	    "ignore_above": 1024,
+                    	    "type": "keyword"
+                          }
+                        }
+              	      },
+                      "quarantine_result": {
+                        "properties": {
+                          "local_msg": {
+                            "ignore_above": 1024,
+                            "type": "keyword"
+                  	  }
+                        }
+                      }
+            	    }
+          	  },
+          	  "event_subtype_full": {
+            	    "ignore_above": 1024,
+            	    "type": "keyword"
+          	  },
+          	  "event_type_full": {
+            	    "ignore_above": 1024,
+            	    "type": "keyword"
+          	  },
+          	  "metadata": {
+            	    "properties": {
+              	      "type": {
+                        "ignore_above": 1024,
+                	"type": "keyword"
+              	      }
+                    }
+          	  }
+        	},
+        	"type": "object"
+              }
+            }
+          }
+        },
+        "_meta": {
+          "ecs_version": "1.12.2"
+        }
+}
--- a/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
+++ b/salt/elasticsearch/templates/index/so/so-endgame-template.json.jinja
@@ -6,7 +6,7 @@
 {%- set FIELD_LIMIT = salt['pillar.get']('elasticsearch:index_settings:so-endgame:field_limit', 3000) %}
 {
        "index_patterns": [
-          "so-endgame*"
+          "endgame*"
        ],
        "template": {
          "mappings": {
@@ -55,7 +55,8 @@
          "dtc-dns-mappings",
          "ecs-mappings",
          "dtc-ecs-mappings",
-          "error-mappings",
+          "endgame-mappings",
+	  "error-mappings",
          "event-mappings",
          "dtc-event-mappings",
          "dtc-file-mappings",