CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add new templates

Browse Source
This commit is contained in:
Wes Lambert
2022-02-08 13:17:23 +00:00
parent 2951e12c96
commit f9a50d33c3
6 changed files with 4751 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
salt/elasticsearch/templates/component/ecs/elasticsearch.json Normal file
View File

@@ -0,0 +1,25 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"@timestamp": {
"type": "date"
},
"labels": {
"type": "object"
},
"message": {
"type": "match_only_text"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}

75
salt/elasticsearch/templates/component/ecs/kibana.json Normal file
View File

@@ -0,0 +1,75 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"kibana": {
"properties": {
"add_to_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"authentication_type": {
"ignore_above": 1024,
"type": "keyword"
},
"delete_from_spaces": {
"ignore_above": 1024,
"type": "keyword"
},
"log": {
"properties": {
"meta": {
"type": "object"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"lookup_realm": {
"ignore_above": 1024,
"type": "keyword"
},
"saved_object": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword"
},
"space_id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
}

99
salt/elasticsearch/templates/component/ecs/logstash.json Normal file
View File

@@ -0,0 +1,99 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"logstash": {
"properties": {
"log": {
"properties": {
"log_event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
}
},
"type": "object"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"slowlog": {
"properties": {
"event": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params_object": {
"type": "object"
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
},
"thread": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"took_in_millis": {
"type": "long"
}
}
}
}
}
}
}
}
}

1423
salt/elasticsearch/templates/component/ecs/netflow.json Normal file
View File

File diff suppressed because it is too large Load Diff

850
salt/elasticsearch/templates/component/ecs/suricata.json Normal file
View File

@@ -0,0 +1,850 @@
{
"_meta": {
"documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-base.html",
"ecs_version": "1.12.2"
},
"template": {
"mappings": {
"properties": {
"suricata": {
"properties": {
"eve": {
"properties": {
"alert": {
"properties": {
"affected_product": {
"ignore_above": 1024,
"type": "keyword"
},
"attack_target": {
"ignore_above": 1024,
"type": "keyword"
},
"capec_id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classtype": {
"ignore_above": 1024,
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cve": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v2_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_base": {
"ignore_above": 1024,
"type": "keyword"
},
"cvss_v3_temporal": {
"ignore_above": 1024,
"type": "keyword"
},
"cwe_id": {
"ignore_above": 1024,
"type": "keyword"
},
"deployment": {
"ignore_above": 1024,
"type": "keyword"
},
"former_category": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"type": "long"
},
"hostile": {
"ignore_above": 1024,
"type": "keyword"
},
"infected": {
"ignore_above": 1024,
"type": "keyword"
},
"malware": {
"ignore_above": 1024,
"type": "keyword"
},
"metadata": {
"type": "flattened"
},
"mitre_tool_id": {
"ignore_above": 1024,
"type": "keyword"
},
"performance_impact": {
"ignore_above": 1024,
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword"
},
"protocols": {
"ignore_above": 1024,
"type": "keyword"
},
"rev": {
"type": "long"
},
"rule_source": {
"ignore_above": 1024,
"type": "keyword"
},
"sid": {
"ignore_above": 1024,
"type": "keyword"
},
"signature": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_id": {
"type": "long"
},
"signature_severity": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
},
"updated_at": {
"type": "date"
}
}
},
"app_proto_expected": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_orig": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"app_proto_ts": {
"ignore_above": 1024,
"type": "keyword"
},
"dns": {
"properties": {
"id": {
"type": "long"
},
"rcode": {
"ignore_above": 1024,
"type": "keyword"
},
"rdata": {
"ignore_above": 1024,
"type": "keyword"
},
"rrname": {
"ignore_above": 1024,
"type": "keyword"
},
"rrtype": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
},
"tx_id": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"email": {
"properties": {
"status": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword"
},
"fileinfo": {
"properties": {
"gaps": {
"type": "boolean"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"stored": {
"type": "boolean"
},
"tx_id": {
"type": "long"
}
}
},
"flow": {
"properties": {
"age": {
"type": "long"
},
"alerted": {
"type": "boolean"
},
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword"
},
"http": {
"properties": {
"http_content_type": {
"ignore_above": 1024,
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"redirect": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"icmp_code": {
"type": "long"
},
"icmp_type": {
"type": "long"
},
"in_iface": {
"ignore_above": 1024,
"type": "keyword"
},
"pcap_cnt": {
"type": "long"
},
"smtp": {
"properties": {
"helo": {
"ignore_above": 1024,
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ssh": {
"properties": {
"client": {
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"server": {
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"stats": {
"properties": {
"app_layer": {
"properties": {
"flow": {
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"failed_tcp": {
"type": "long"
},
"failed_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"imap": {
"type": "long"
},
"msn": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
},
"tx": {
"properties": {
"dcerpc_tcp": {
"type": "long"
},
"dcerpc_udp": {
"type": "long"
},
"dns_tcp": {
"type": "long"
},
"dns_udp": {
"type": "long"
},
"ftp": {
"type": "long"
},
"http": {
"type": "long"
},
"smb": {
"type": "long"
},
"smtp": {
"type": "long"
},
"ssh": {
"type": "long"
},
"tls": {
"type": "long"
}
}
}
}
},
"capture": {
"properties": {
"kernel_drops": {
"type": "long"
},
"kernel_ifdrops": {
"type": "long"
},
"kernel_packets": {
"type": "long"
}
}
},
"decoder": {
"properties": {
"avg_pkt_size": {
"type": "long"
},
"bytes": {
"type": "long"
},
"dce": {
"properties": {
"pkt_too_small": {
"type": "long"
}
}
},
"erspan": {
"type": "long"
},
"ethernet": {
"type": "long"
},
"gre": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"ieee8021ah": {
"type": "long"
},
"invalid": {
"type": "long"
},
"ipraw": {
"properties": {
"invalid_ip_version": {
"type": "long"
}
}
},
"ipv4": {
"type": "long"
},
"ipv4_in_ipv6": {
"type": "long"
},
"ipv6": {
"type": "long"
},
"ipv6_in_ipv6": {
"type": "long"
},
"ltnull": {
"properties": {
"pkt_too_small": {
"type": "long"
},
"unsupported_type": {
"type": "long"
}
}
},
"max_pkt_size": {
"type": "long"
},
"mpls": {
"type": "long"
},
"null": {
"type": "long"
},
"pkts": {
"type": "long"
},
"ppp": {
"type": "long"
},
"pppoe": {
"type": "long"
},
"raw": {
"type": "long"
},
"sctp": {
"type": "long"
},
"sll": {
"type": "long"
},
"tcp": {
"type": "long"
},
"teredo": {
"type": "long"
},
"udp": {
"type": "long"
},
"vlan": {
"type": "long"
},
"vlan_qinq": {
"type": "long"
}
}
},
"defrag": {
"properties": {
"ipv4": {
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"ipv6": {
"properties": {
"fragments": {
"type": "long"
},
"reassembled": {
"type": "long"
},
"timeouts": {
"type": "long"
}
}
},
"max_frag_hits": {
"type": "long"
}
}
},
"detect": {
"properties": {
"alert": {
"type": "long"
}
}
},
"dns": {
"properties": {
"memcap_global": {
"type": "long"
},
"memcap_state": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"file_store": {
"properties": {
"open_files": {
"type": "long"
}
}
},
"flow": {
"properties": {
"emerg_mode_entered": {
"type": "long"
},
"emerg_mode_over": {
"type": "long"
},
"icmpv4": {
"type": "long"
},
"icmpv6": {
"type": "long"
},
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
},
"spare": {
"type": "long"
},
"tcp": {
"type": "long"
},
"tcp_reuse": {
"type": "long"
},
"udp": {
"type": "long"
}
}
},
"flow_mgr": {
"properties": {
"bypassed_pruned": {
"type": "long"
},
"closed_pruned": {
"type": "long"
},
"est_pruned": {
"type": "long"
},
"flows_checked": {
"type": "long"
},
"flows_notimeout": {
"type": "long"
},
"flows_removed": {
"type": "long"
},
"flows_timeout": {
"type": "long"
},
"flows_timeout_inuse": {
"type": "long"
},
"new_pruned": {
"type": "long"
},
"rows_busy": {
"type": "long"
},
"rows_checked": {
"type": "long"
},
"rows_empty": {
"type": "long"
},
"rows_maxlen": {
"type": "long"
},
"rows_skipped": {
"type": "long"
}
}
},
"http": {
"properties": {
"memcap": {
"type": "long"
},
"memuse": {
"type": "long"
}
}
},
"tcp": {
"properties": {
"insert_data_normal_fail": {
"type": "long"
},
"insert_data_overlap_fail": {
"type": "long"
},
"insert_list_fail": {
"type": "long"
},
"invalid_checksum": {
"type": "long"
},
"memuse": {
"type": "long"
},
"no_flow": {
"type": "long"
},
"overlap": {
"type": "long"
},
"overlap_diff_data": {
"type": "long"
},
"pseudo": {
"type": "long"
},
"pseudo_failed": {
"type": "long"
},
"reassembly_gap": {
"type": "long"
},
"reassembly_memuse": {
"type": "long"
},
"rst": {
"type": "long"
},
"segment_memcap_drop": {
"type": "long"
},
"sessions": {
"type": "long"
},
"ssn_memcap_drop": {
"type": "long"
},
"stream_depth_reached": {
"type": "long"
},
"syn": {
"type": "long"
},
"synack": {
"type": "long"
}
}
},
"uptime": {
"type": "long"
}
}
},
"tcp": {
"properties": {
"ack": {
"type": "boolean"
},
"fin": {
"type": "boolean"
},
"psh": {
"type": "boolean"
},
"rst": {
"type": "boolean"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"syn": {
"type": "boolean"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_tc": {
"ignore_above": 1024,
"type": "keyword"
},
"tcp_flags_ts": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tls": {
"properties": {
"fingerprint": {
"ignore_above": 1024,
"type": "keyword"
},
"issuerdn": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ja3s": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"notafter": {
"type": "date"
},
"notbefore": {
"type": "date"
},
"serial": {
"ignore_above": 1024,
"type": "keyword"
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"ignore_above": 1024,
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tx_id": {
"type": "long"
}
}
}
}
}
}
}
}
}

2279
salt/elasticsearch/templates/component/ecs/zeek.json Normal file
View File

File diff suppressed because it is too large Load Diff