From 888145a2ed8a5bb5d5e6859cacd0c22d1babae4d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 3 Dec 2024 08:55:43 -0600 Subject: [PATCH 001/120] remove optional integrations from defaults.yaml & soc_elasticsearch.yaml --- salt/elasticsearch/defaults.yaml | 8632 --------------------- salt/elasticsearch/soc_elasticsearch.yaml | 154 +- 2 files changed, 3 insertions(+), 8783 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 9f0d3576c..e7a9a286c 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1049,2942 +1049,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-1password_x_item_usages: - index_sorting: false - index_template: - composed_of: - - logs-1password.item_usages@package - - logs-1password.item_usages@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.item_usages@custom - index_patterns: - - logs-1password.item_usages-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.item_usages-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-1password_x_signin_attempts: - index_sorting: false - index_template: - composed_of: - - logs-1password.signin_attempts@package - - logs-1password.signin_attempts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-1password.signin_attempts@custom - index_patterns: - - logs-1password.signin_attempts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-1password.signin_attempts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_access: - index_sorting: false - index_template: - composed_of: - - logs-apache.access@package - - logs-apache.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.access@custom - index_patterns: - - logs-apache.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-apache_x_error: - index_sorting: false - index_template: - composed_of: - - logs-apache.error@package - - logs-apache.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-apache.error@custom - index_patterns: - - logs-apache.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-apache.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auditd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-auditd.log@package - - logs-auditd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auditd.log@custom - index_patterns: - - logs-auditd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auditd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-auth0_x_logs: - index_sorting: false - index_template: - composed_of: - - logs-auth0.logs@package - - logs-auth0.logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-auth0.logs@custom - index_patterns: - - logs-auth0.logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-auth0.logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudfront_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudfront_logs@package - - logs-aws.cloudfront_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudfront_logs@custom - index_patterns: - - logs-aws.cloudfront_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudfront_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudtrail: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudtrail@package - - logs-aws.cloudtrail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudtrail@custom - index_patterns: - - logs-aws.cloudtrail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudtrail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_cloudwatch_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.cloudwatch_logs@package - - logs-aws.cloudwatch_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.cloudwatch_logs@custom - index_patterns: - - logs-aws.cloudwatch_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.cloudwatch_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_ec2_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.ec2_logs@package - - logs-aws.ec2_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.ec2_logs@custom - index_patterns: - - logs-aws.ec2_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.ec2_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_elb_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.elb_logs@package - - logs-aws.elb_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.elb_logs@custom - index_patterns: - - logs-aws.elb_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.elb_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.firewall_logs@package - - logs-aws.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.firewall_logs@custom - index_patterns: - - logs-aws.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_guardduty: - index_sorting: false - index_template: - composed_of: - - logs-aws.guardduty@package - - logs-aws.guardduty@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.guardduty@custom - index_patterns: - - logs-aws.guardduty-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.guardduty-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_inspector: - index_sorting: false - index_template: - composed_of: - - logs-aws.inspector@package - - logs-aws.inspector@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.inspector@custom - index_patterns: - - logs-aws.inspector-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.inspector-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_public_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_public_logs@package - - logs-aws.route53_public_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_public_logs@custom - index_patterns: - - logs-aws.route53_public_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_public_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_route53_resolver_logs: - index_sorting: false - index_template: - composed_of: - - logs-aws.route53_resolver_logs@package - - logs-aws.route53_resolver_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.route53_resolver_logs@custom - index_patterns: - - logs-aws.route53_resolver_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.route53_resolver_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_s3access: - index_sorting: false - index_template: - composed_of: - - logs-aws.s3access@package - - logs-aws.s3access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.s3access@custom - index_patterns: - - logs-aws.s3access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.s3access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_findings: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_findings@package - - logs-aws.securityhub_findings@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_findings@custom - index_patterns: - - logs-aws.securityhub_findings-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_findings-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_securityhub_insights: - index_sorting: false - index_template: - composed_of: - - logs-aws.securityhub_insights@package - - logs-aws.securityhub_insights@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.securityhub_insights@custom - index_patterns: - - logs-aws.securityhub_insights-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.securityhub_insights-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-aws.vpcflow@package - - logs-aws.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.vpcflow@custom - index_patterns: - - logs-aws.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-aws_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-aws.waf@package - - logs-aws.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-aws.waf@custom - index_patterns: - - logs-aws.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-aws.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_activitylogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.activitylogs@package - - logs-azure.activitylogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.activitylogs@custom - index_patterns: - - logs-azure.activitylogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.activitylogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_application_gateway: - index_sorting: false - index_template: - composed_of: - - logs-azure.application_gateway@package - - logs-azure.application_gateway@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.application_gateway@custom - index_patterns: - - logs-azure.application_gateway-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.application_gateway-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_auditlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.auditlogs@package - - logs-azure.auditlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.auditlogs@custom - index_patterns: - - logs-azure.auditlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.auditlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_eventhub: - index_sorting: false - index_template: - composed_of: - - logs-azure.eventhub@package - - logs-azure.eventhub@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.eventhub@custom - index_patterns: - - logs-azure.eventhub-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.eventhub-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_firewall_logs: - index_sorting: false - index_template: - composed_of: - - logs-azure.firewall_logs@package - - logs-azure.firewall_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.firewall_logs@custom - index_patterns: - - logs-azure.firewall_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.firewall_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_identity_protection: - index_sorting: false - index_template: - composed_of: - - logs-azure.identity_protection@package - - logs-azure.identity_protection@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.identity_protection@custom - index_patterns: - - logs-azure.identity_protection-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.identity_protection-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_platformlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.platformlogs@package - - logs-azure.platformlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.platformlogs@custom - index_patterns: - - logs-azure.platformlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.platformlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_provisioning: - index_sorting: false - index_template: - composed_of: - - logs-azure.provisioning@package - - logs-azure.provisioning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.provisioning@custom - index_patterns: - - logs-azure.provisioning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.provisioning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_signinlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.signinlogs@package - - logs-azure.signinlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.signinlogs@custom - index_patterns: - - logs-azure.signinlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.signinlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-azure_x_springcloudlogs: - index_sorting: false - index_template: - composed_of: - - logs-azure.springcloudlogs@package - - logs-azure.springcloudlogs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-azure.springcloudlogs@custom - index_patterns: - - logs-azure.springcloudlogs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-azure.springcloudlogs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_x_waf: - index_sorting: false - index_template: - composed_of: - - logs-barracuda.waf@package - - logs-barracuda.waf@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-barracuda.waf@custom - index_patterns: - - logs-barracuda.waf-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-barracuda.waf-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-barracuda_cloudgen_firewall_x_log: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-barracuda_cloudgen_firewall.log@custom - index_patterns: - - "logs-barracuda_cloudgen_firewall.log-*" - template: - settings: - index: - lifecycle: - name: so-logs-barracuda_cloudgen_firewall.log-logs - number_of_replicas: 0 - composed_of: - - "logs-barracuda_cloudgen_firewall.log@package" - - "logs-barracuda_cloudgen_firewall.log@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-carbonblack_edr_x_log: - index_sorting: false - index_template: - composed_of: - - logs-carbonblack_edr.log@package - - logs-carbonblack_edr.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-carbonblack_edr.log@custom - index_patterns: - - logs-carbonblack_edr.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-carbonblack_edr.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cef_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cef.log@package - - logs-cef.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cef.log@custom - index_patterns: - - logs-cef.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cef.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-checkpoint_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-checkpoint.firewall@package - - logs-checkpoint.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-checkpoint.firewall@custom - index_patterns: - - logs-checkpoint.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-checkpoint.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_asa_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_asa.log@package - - logs-cisco_asa.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_asa.log@custom - index_patterns: - - logs-cisco_asa.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_asa.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.admin@package - - logs-cisco_duo.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.admin@custom - index_patterns: - - logs-cisco_duo.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_auth: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.auth@package - - logs-cisco_duo.auth@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.auth@custom - index_patterns: - - logs-cisco_duo.auth-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.auth-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_offline_enrollment: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.offline_enrollment@package - - logs-cisco_duo.offline_enrollment@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.offline_enrollment@custom - index_patterns: - - logs-cisco_duo.offline_enrollment-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.offline_enrollment-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_summary: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.summary@package - - logs-cisco_duo.summary@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.summary@custom - index_patterns: - - logs-cisco_duo.summary-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.summary-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_duo_x_telephony: - index_sorting: false - index_template: - composed_of: - - logs-cisco_duo.telephony@package - - logs-cisco_duo.telephony@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_duo.telephony@custom - index_patterns: - - logs-cisco_duo.telephony-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_duo.telephony-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ftd_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ftd.log@package - - logs-cisco_ftd.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ftd.log@custom - index_patterns: - - logs-cisco_ftd.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ftd.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ios_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ios.log@package - - logs-cisco_ios.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ios.log@custom - index_patterns: - - logs-cisco_ios.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ios.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_ise_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_ise.log@package - - logs-cisco_ise.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_ise.log@custom - index_patterns: - - logs-cisco_ise.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_ise.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_events: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.events@package - - logs-cisco_meraki.events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.events@custom - index_patterns: - - logs-cisco_meraki.events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_meraki_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_meraki.log@package - - logs-cisco_meraki.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_meraki.log@custom - index_patterns: - - logs-cisco_meraki.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_meraki.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_secure_email_gateway_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_secure_email_gateway.log@package - - logs-cisco_secure_email_gateway.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-cisco_secure_email_gateway.log@custom - index_patterns: - - logs-cisco_secure_email_gateway.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_secure_email_gateway.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cisco_umbrella_x_log: - index_sorting: false - index_template: - composed_of: - - logs-cisco_umbrella.log@package - - logs-cisco_umbrella.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cisco_umbrella.log@custom - index_patterns: - - logs-cisco_umbrella.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cisco_umbrella.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_interface: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.interface@package - - logs-citrix_adc.interface@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.interface@custom - index_patterns: - - logs-citrix_adc.interface-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.interface-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_lbvserver: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.lbvserver@package - - logs-citrix_adc.lbvserver@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.lbvserver@custom - index_patterns: - - logs-citrix_adc.lbvserver-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.lbvserver-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_service: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.service@package - - logs-citrix_adc.service@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.service@custom - index_patterns: - - logs-citrix_adc.service-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.service-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_system: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.system@package - - logs-citrix_adc.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.system@custom - index_patterns: - - logs-citrix_adc.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_adc_x_vpn: - index_sorting: false - index_template: - composed_of: - - logs-citrix_adc.vpn@package - - logs-citrix_adc.vpn@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_adc.vpn@custom - index_patterns: - - logs-citrix_adc.vpn-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_adc.vpn-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-citrix_waf_x_log: - index_sorting: false - index_template: - composed_of: - - logs-citrix_waf.log@package - - logs-citrix_waf.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-citrix_waf.log@custom - index_patterns: - - logs-citrix_waf.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-citrix_waf.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.audit@package - - logs-cloudflare.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.audit@custom - index_patterns: - - logs-cloudflare.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cloudflare.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-cloudflare_x_logpull: - index_sorting: false - index_template: - composed_of: - - logs-cloudflare.logpull@package - - logs-cloudflare.logpull@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-cloudflare.logpull@custom - index_patterns: - - logs-cloudflare.logpull-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-cloudflare.logpull-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_alert: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.alert-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.alert@package - - logs-crowdstrike.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.alert@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.falcon-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.falcon@package - - logs-crowdstrike.falcon@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.falcon@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_fdr: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.fdr-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.fdr@package - - logs-crowdstrike.fdr@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.fdr@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-crowdstrike_x_host: - index_sorting: False - index_template: - index_patterns: - - logs-crowdstrike.host-* - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - logs-crowdstrike.host@package - - logs-crowdstrike.host@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-crowdstrike.host@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_ai_analyst_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.ai_analyst_alert@package - - logs-darktrace.ai_analyst_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.ai_analyst_alert@custom - index_patterns: - - logs-darktrace.ai_analyst_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.ai_analyst_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_model_breach_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.model_breach_alert@package - - logs-darktrace.model_breach_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.model_breach_alert@custom - index_patterns: - - logs-darktrace.model_breach_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.model_breach_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-darktrace_x_system_status_alert: - index_sorting: false - index_template: - composed_of: - - logs-darktrace.system_status_alert@package - - logs-darktrace.system_status_alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-darktrace.system_status_alert@custom - index_patterns: - - logs-darktrace.system_status_alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-darktrace.system_status_alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-detections_x_alerts: index_sorting: false index_template: @@ -5230,1478 +2294,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-f5_bigip_x_log: - index_sorting: false - index_template: - composed_of: - - logs-f5_bigip.log@package - - logs-f5_bigip.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-f5_bigip.log@custom - index_patterns: - - logs-f5_bigip.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-f5_bigip.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fim_x_event: - index_sorting: false - index_template: - composed_of: - - logs-fim.event@package - - logs-fim.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fim.event@custom - index_patterns: - - logs-fim.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fim.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fireeye_x_nx: - index_sorting: false - index_template: - composed_of: - - logs-fireeye.nx@package - - logs-fireeye.nx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fireeye.nx@custom - index_patterns: - - logs-fireeye.nx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fireeye.nx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_fortigate_x_log: - index_sorting: false - index_template: - composed_of: - - logs-fortinet_fortigate.log@package - - logs-fortinet_fortigate.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet_fortigate.log@custom - index_patterns: - - logs-fortinet_fortigate.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet_fortigate.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_clientendpoint: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.clientendpoint@package - - logs-fortinet.clientendpoint@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.clientendpoint@custom - index_patterns: - - logs-fortinet.clientendpoint-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.clientendpoint-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.firewall@package - - logs-fortinet.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.firewall@custom - index_patterns: - - logs-fortinet.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimail: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.fortimail@package - - logs-fortinet.fortimail@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimail@custom - index_patterns: - - logs-fortinet.fortimail-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimail-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-fortinet_x_fortimanager: - index_sorting: false - index_template: - composed_of: - - logs-fortinet.fortimanager@package - - logs-fortinet.fortimanager@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-fortinet.fortimanager@custom - index_patterns: - - logs-fortinet.fortimanager-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-fortinet.fortimanager-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-gcp.audit@package - - logs-gcp.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.audit@custom - index_patterns: - - logs-gcp.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-gcp.dns@package - - logs-gcp.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.dns@custom - index_patterns: - - logs-gcp.dns-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-gcp.firewall@package - - logs-gcp.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.firewall@custom - index_patterns: - - logs-gcp.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_loadbalancing_logs: - index_sorting: false - index_template: - composed_of: - - logs-gcp.loadbalancing_logs@package - - logs-gcp.loadbalancing_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.loadbalancing_logs@custom - index_patterns: - - logs-gcp.loadbalancing_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.loadbalancing_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-gcp_x_vpcflow: - index_sorting: false - index_template: - composed_of: - - logs-gcp.vpcflow@package - - logs-gcp.vpcflow@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-gcp.vpcflow@custom - index_patterns: - - logs-gcp.vpcflow-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-gcp.vpcflow-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-github.audit@package - - logs-github.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.audit@custom - index_patterns: - - logs-github.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_code_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.code_scanning@package - - logs-github.code_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.code_scanning@custom - index_patterns: - - logs-github.code_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.code_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_dependabot: - index_sorting: false - index_template: - composed_of: - - logs-github.dependabot@package - - logs-github.dependabot@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.dependabot@custom - index_patterns: - - logs-github.dependabot-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.dependabot-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_issues: - index_sorting: false - index_template: - composed_of: - - logs-github.issues@package - - logs-github.issues@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.issues@custom - index_patterns: - - logs-github.issues-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.issues-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-github_x_secret_scanning: - index_sorting: false - index_template: - composed_of: - - logs-github.secret_scanning@package - - logs-github.secret_scanning@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-github.secret_scanning@custom - index_patterns: - - logs-github.secret_scanning-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-github.secret_scanning-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_access_transparency: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.access_transparency@package - - logs-google_workspace.access_transparency@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.access_transparency@custom - index_patterns: - - logs-google_workspace.access_transparency-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.access_transparency-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_admin: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.admin@package - - logs-google_workspace.admin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.admin@custom - index_patterns: - - logs-google_workspace.admin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.admin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.alert@package - - logs-google_workspace.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.alert@custom - index_patterns: - - logs-google_workspace.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_context_aware_access: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.context_aware_access@package - - logs-google_workspace.context_aware_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.context_aware_access@custom - index_patterns: - - logs-google_workspace.context_aware_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.context_aware_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_device: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.device@package - - logs-google_workspace.device@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.device@custom - index_patterns: - - logs-google_workspace.device-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.device-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_drive: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.drive@package - - logs-google_workspace.drive@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.drive@custom - index_patterns: - - logs-google_workspace.drive-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.drive-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_gcp: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.gcp@package - - logs-google_workspace.gcp@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.gcp@custom - index_patterns: - - logs-google_workspace.gcp-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.gcp-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_group_enterprise: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.group_enterprise@package - - logs-google_workspace.group_enterprise@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.group_enterprise@custom - index_patterns: - - logs-google_workspace.group_enterprise-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.group_enterprise-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_groups: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.groups@package - - logs-google_workspace.groups@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.groups@custom - index_patterns: - - logs-google_workspace.groups-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.groups-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_login: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.login@package - - logs-google_workspace.login@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.login@custom - index_patterns: - - logs-google_workspace.login-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.login-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_rules: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.rules@package - - logs-google_workspace.rules@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.rules@custom - index_patterns: - - logs-google_workspace.rules-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.rules-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_saml: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.saml@package - - logs-google_workspace.saml@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.saml@custom - index_patterns: - - logs-google_workspace.saml-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.saml-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_token: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.token@package - - logs-google_workspace.token@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.token@custom - index_patterns: - - logs-google_workspace.token-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.token-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-google_workspace_x_user_accounts: - index_sorting: false - index_template: - composed_of: - - logs-google_workspace.user_accounts@package - - logs-google_workspace.user_accounts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-google_workspace.user_accounts@custom - index_patterns: - - logs-google_workspace.user_accounts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-google_workspace.user_accounts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: @@ -6795,1524 +2387,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-iis_x_access: - index_sorting: false - index_template: - composed_of: - - logs-iis.access@package - - logs-iis.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.access@custom - index_patterns: - - logs-iis.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-iis_x_error: - index_sorting: false - index_template: - composed_of: - - logs-iis.error@package - - logs-iis.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-iis.error@custom - index_patterns: - - logs-iis.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-iis.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-imperva_cloud_waf_x_event: - index_sorting: False - index_template: - ignore_missing_component_templates: - - logs-imperva_cloud_waf.event@custom - index_patterns: - - "logs-imperva_cloud_waf.event-*" - template: - settings: - index: - lifecycle: - name: so-logs-imperva_cloud_waf.event-logs - number_of_replicas: 0 - composed_of: - - "logs-imperva_cloud_waf.event@package" - - "logs-imperva_cloud_waf.event@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_srx_x_log: - index_sorting: false - index_template: - composed_of: - - logs-juniper_srx.log@package - - logs-juniper_srx.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper_srx.log@custom - index_patterns: - - logs-juniper_srx.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper_srx.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_junos: - index_sorting: false - index_template: - composed_of: - - logs-juniper.junos@package - - logs-juniper.junos@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.junos@custom - index_patterns: - - logs-juniper.junos-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.junos-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_netscreen: - index_sorting: false - index_template: - composed_of: - - logs-juniper.netscreen@package - - logs-juniper.netscreen@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.netscreen@custom - index_patterns: - - logs-juniper.netscreen-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.netscreen-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-juniper_x_srx: - index_sorting: false - index_template: - composed_of: - - logs-juniper.srx@package - - logs-juniper.srx@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-juniper.srx@custom - index_patterns: - - logs-juniper.srx-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-juniper.srx-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-kafka_log_x_generic: - index_sorting: false - index_template: - composed_of: - - logs-kafka_log.generic@package - - logs-kafka_log.generic@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-kafka_log.generic@custom - index_patterns: - - logs-kafka_log.generic-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-kafka_log.generic-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_detailed_shared_folder: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.detailed_shared_folder@package - - logs-lastpass.detailed_shared_folder@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.detailed_shared_folder@custom - index_patterns: - - logs-lastpass.detailed_shared_folder-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.detailed_shared_folder-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_event_report: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.event_report@package - - logs-lastpass.event_report@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.event_report@custom - index_patterns: - - logs-lastpass.event_report-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.event_report-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-lastpass_x_user: - index_sorting: false - index_template: - composed_of: - - logs-lastpass.user@package - - logs-lastpass.user@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-lastpass.user@custom - index_patterns: - - logs-lastpass.user-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-lastpass.user-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_event: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.event@package - - logs-m365_defender.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.event@custom - index_patterns: - - logs-m365_defender.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_incident: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.incident@package - - logs-m365_defender.incident@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.incident@custom - index_patterns: - - logs-m365_defender.incident-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.incident-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-m365_defender_x_log: - index_sorting: false - index_template: - composed_of: - - logs-m365_defender.log@package - - logs-m365_defender.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-m365_defender.log@custom - index_patterns: - - logs-m365_defender.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-m365_defender.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_defender_endpoint_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_defender_endpoint.log@package - - logs-microsoft_defender_endpoint.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_defender_endpoint.log@custom - index_patterns: - - logs-microsoft_defender_endpoint.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_defender_endpoint.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_dhcp_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_dhcp.log@package - - logs-microsoft_dhcp.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_dhcp.log@custom - index_patterns: - - logs-microsoft_dhcp.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_dhcp.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.audit@package - - logs-microsoft_sqlserver.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.audit@custom - index_patterns: - - logs-microsoft_sqlserver.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-microsoft_sqlserver_x_log: - index_sorting: false - index_template: - composed_of: - - logs-microsoft_sqlserver.log@package - - logs-microsoft_sqlserver.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-microsoft_sqlserver.log@custom - index_patterns: - - logs-microsoft_sqlserver.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-microsoft_sqlserver.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_audit_events: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.audit_events@package - - logs-mimecast.audit_events@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.audit_events@custom - index_patterns: - - logs-mimecast.audit_events-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.audit_events-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_dlp_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.dlp_logs@package - - logs-mimecast.dlp_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.dlp_logs@custom - index_patterns: - - logs-mimecast.dlp_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.dlp_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_siem_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.siem_logs@package - - logs-mimecast.siem_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.siem_logs@custom - index_patterns: - - logs-mimecast.siem_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.siem_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_customer: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_customer@package - - logs-mimecast.threat_intel_malware_customer@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_customer@custom - index_patterns: - - logs-mimecast.threat_intel_malware_customer-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_customer-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_threat_intel_malware_grid: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.threat_intel_malware_grid@package - - logs-mimecast.threat_intel_malware_grid@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.threat_intel_malware_grid@custom - index_patterns: - - logs-mimecast.threat_intel_malware_grid-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.threat_intel_malware_grid-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_ap_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ap_logs@package - - logs-mimecast.ttp_ap_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ap_logs@custom - index_patterns: - - logs-mimecast.ttp_ap_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ap_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_ip_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_ip_logs@package - - logs-mimecast.ttp_ip_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_ip_logs@custom - index_patterns: - - logs-mimecast.ttp_ip_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_ip_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mimecast_x_ttp_url_logs: - index_sorting: false - index_template: - composed_of: - - logs-mimecast.ttp_url_logs@package - - logs-mimecast.ttp_url_logs@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mimecast.ttp_url_logs@custom - index_patterns: - - logs-mimecast.ttp_url_logs-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mimecast.ttp_url_logs-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_error: - index_sorting: false - index_template: - composed_of: - - logs-mysql.error@package - - logs-mysql.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.error@custom - index_patterns: - - logs-mysql.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-mysql_x_slowlog: - index_sorting: false - index_template: - composed_of: - - logs-mysql.slowlog@package - - logs-mysql.slowlog@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-mysql.slowlog@custom - index_patterns: - - logs-mysql.slowlog-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-mysql.slowlog-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-netflow_x_log: - index_sorting: false - index_template: - composed_of: - - logs-netflow.log@package - - logs-netflow.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-netflow.log@custom - index_patterns: - - logs-netflow.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-netflow.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_access: - index_sorting: false - index_template: - composed_of: - - logs-nginx.access@package - - logs-nginx.access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.access@custom - index_patterns: - - logs-nginx.access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-nginx_x_error: - index_sorting: false - index_template: - composed_of: - - logs-nginx.error@package - - logs-nginx.error@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-nginx.error@custom - index_patterns: - - logs-nginx.error-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-nginx.error-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-o365_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-o365.audit@package - - logs-o365.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-o365.audit@custom - index_patterns: - - logs-o365.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-o365.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-okta_x_system: - index_sorting: false - index_template: - composed_of: - - logs-okta.system@package - - logs-okta.system@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-okta.system@custom - index_patterns: - - logs-okta.system-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-okta.system-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-osquery-manager-action_x_responses: index_sorting: false index_template: @@ -8349,696 +2423,6 @@ elasticsearch: settings: index: number_of_replicas: 0 - so-logs-panw_x_panos: - index_sorting: false - index_template: - composed_of: - - logs-panw.panos@package - - logs-panw.panos@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-panw.panos@custom - index_patterns: - - logs-panw.panos-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-panw.panos-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-pfsense_x_log: - index_sorting: false - index_template: - composed_of: - - logs-pfsense.log@package - - logs-pfsense.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-pfsense.log@custom - index_patterns: - - logs-pfsense.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-pfsense.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_clicks_blocked: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.clicks_blocked@package - - logs-proofpoint_tap.clicks_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_blocked@custom - index_patterns: - - logs-proofpoint_tap.clicks_blocked-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.clicks_blocked-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_clicks_permitted: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.clicks_permitted@package - - logs-proofpoint_tap.clicks_permitted@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.clicks_permitted@custom - index_patterns: - - logs-proofpoint_tap.clicks_permitted-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.clicks_permitted-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_message_blocked: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.message_blocked@package - - logs-proofpoint_tap.message_blocked@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_blocked@custom - index_patterns: - - logs-proofpoint_tap.message_blocked-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.message_blocked-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-proofpoint_tap_x_message_delivered: - index_sorting: false - index_template: - composed_of: - - logs-proofpoint_tap.message_delivered@package - - logs-proofpoint_tap.message_delivered@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-proofpoint_tap.message_delivered@custom - index_patterns: - - logs-proofpoint_tap.message_delivered-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-proofpoint_tap.message_delivered-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-pulse_connect_secure_x_log: - index_sorting: false - index_template: - composed_of: - - logs-pulse_connect_secure.log@package - - logs-pulse_connect_secure.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-pulse_connect_secure.log@custom - index_patterns: - - logs-pulse_connect_secure.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-pulse_connect_secure.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_activity: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.activity@package - - logs-sentinel_one.activity@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.activity@custom - index_patterns: - - logs-sentinel_one.activity-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.activity-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_agent: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.agent@package - - logs-sentinel_one.agent@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.agent@custom - index_patterns: - - logs-sentinel_one.agent-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.agent-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.alert@package - - logs-sentinel_one.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.alert@custom - index_patterns: - - logs-sentinel_one.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_group: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.group@package - - logs-sentinel_one.group@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.group@custom - index_patterns: - - logs-sentinel_one.group-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.group-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sentinel_one_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-sentinel_one.threat@package - - logs-sentinel_one.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sentinel_one.threat@custom - index_patterns: - - logs-sentinel_one.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sentinel_one.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snort_x_log: - index_sorting: false - index_template: - composed_of: - - logs-snort.log@package - - logs-snort.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snort.log@custom - index_patterns: - - logs-snort.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snort.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snyk_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-snyk.audit@package - - logs-snyk.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snyk.audit@custom - index_patterns: - - logs-snyk.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snyk.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-snyk_x_vulnerabilities: - index_sorting: false - index_template: - composed_of: - - logs-snyk.vulnerabilities@package - - logs-snyk.vulnerabilities@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-snyk.vulnerabilities@custom - index_patterns: - - logs-snyk.vulnerabilities-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-snyk.vulnerabilities-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-soc: close: 30 delete: 365 @@ -9147,282 +2531,6 @@ elasticsearch: priority: 50 min_age: 30d warm: 7 - so-logs-sonicwall_firewall_x_log: - index_sorting: false - index_template: - composed_of: - - logs-sonicwall_firewall.log@package - - logs-sonicwall_firewall.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sonicwall_firewall.log@custom - index_patterns: - - logs-sonicwall_firewall.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sonicwall_firewall.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_central_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-sophos_central.alert@package - - logs-sophos_central.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos_central.alert@custom - index_patterns: - - logs-sophos_central.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos_central.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_central_x_event: - index_sorting: false - index_template: - composed_of: - - logs-sophos_central.event@package - - logs-sophos_central.event@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos_central.event@custom - index_patterns: - - logs-sophos_central.event-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos_central.event-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_x_utm: - index_sorting: false - index_template: - composed_of: - - logs-sophos.utm@package - - logs-sophos.utm@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos.utm@custom - index_patterns: - - logs-sophos.utm-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos.utm-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-sophos_x_xg: - index_sorting: false - index_template: - composed_of: - - logs-sophos.xg@package - - logs-sophos.xg@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-sophos.xg@custom - index_patterns: - - logs-sophos.xg-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-sophos.xg-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-symantec_endpoint_x_log: - index_sorting: false - index_template: - composed_of: - - logs-symantec_endpoint.log@package - - logs-symantec_endpoint.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-symantec_endpoint.log@custom - index_patterns: - - logs-symantec_endpoint.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-symantec_endpoint.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-system_x_application: index_sorting: false index_template: @@ -9663,1286 +2771,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-tenable_io_x_asset: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.asset-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.asset-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.asset@package" - - "logs-tenable_io.asset@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.asset@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_plugin: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.plugin-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.plugin-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.plugin@package" - - "logs-tenable_io.plugin@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.plugin@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_scan: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.scan-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.scan-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.scan@package" - - "logs-tenable_io.scan@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.scan@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_io_x_vulnerability: - index_sorting: False - index_template: - index_patterns: - - "logs-tenable_io.vulnerability-*" - template: - settings: - index: - lifecycle: - name: so-logs-tenable_io.vulnerability-logs - number_of_replicas: 0 - composed_of: - - "logs-tenable_io.vulnerability@package" - - "logs-tenable_io.vulnerability@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-tenable_io.vulnerability@custom - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 30d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_asset: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.asset@package - - logs-tenable_sc.asset@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.asset@custom - index_patterns: - - logs-tenable_sc.asset-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.asset-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_plugin: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.plugin@package - - logs-tenable_sc.plugin@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.plugin@custom - index_patterns: - - logs-tenable_sc.plugin-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.plugin-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-tenable_sc_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-tenable_sc.vulnerability@package - - logs-tenable_sc.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-tenable_sc.vulnerability@custom - index_patterns: - - logs-tenable_sc.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-tenable_sc.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malware: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malware@package - - logs-ti_abusech.malware@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malware@custom - index_patterns: - - logs-ti_abusech.malware-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malware-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_malwarebazaar: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.malwarebazaar@package - - logs-ti_abusech.malwarebazaar@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.malwarebazaar@custom - index_patterns: - - logs-ti_abusech.malwarebazaar-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.malwarebazaar-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_threatfox: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.threatfox@package - - logs-ti_abusech.threatfox@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.threatfox@custom - index_patterns: - - logs-ti_abusech.threatfox-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.threatfox-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_abusech_x_url: - index_sorting: false - index_template: - composed_of: - - logs-ti_abusech.url@package - - logs-ti_abusech.url@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_abusech.url@custom - index_patterns: - - logs-ti_abusech.url-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_abusech.url-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_anomali_x_threatstream: - index_sorting: false - index_template: - composed_of: - - logs-ti_anomali.threatstream@package - - logs-ti_anomali.threatstream@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_anomali.threatstream@custom - index_patterns: - - logs-ti_anomali.threatstream-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_anomali.threatstream-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_cybersixgill_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_cybersixgill.threat@package - - logs-ti_cybersixgill.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_cybersixgill.threat@custom - index_patterns: - - logs-ti_cybersixgill.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_cybersixgill.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat@package - - logs-ti_misp.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat@custom - index_patterns: - - logs-ti_misp.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_misp_x_threat_attributes: - index_sorting: false - index_template: - composed_of: - - logs-ti_misp.threat_attributes@package - - logs-ti_misp.threat_attributes@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_misp.threat_attributes@custom - index_patterns: - - logs-ti_misp.threat_attributes-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_misp.threat_attributes-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_pulses_subscribed: - index_sorting: false - index_template: - composed_of: - - logs-ti_otx.pulses_subscribed@package - - logs-ti_otx.pulses_subscribed@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.pulses_subscribed@custom - index_patterns: - - logs-ti_otx.pulses_subscribed-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.pulses_subscribed-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_otx_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_otx.threat@package - - logs-ti_otx.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_otx.threat@custom - index_patterns: - - logs-ti_otx.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_otx.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_alert: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.alert@package - - logs-ti_rapid7_threat_command.alert@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.alert@custom - index_patterns: - - logs-ti_rapid7_threat_command.alert-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.alert-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_ioc: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.ioc@package - - logs-ti_rapid7_threat_command.ioc@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.ioc@custom - index_patterns: - - logs-ti_rapid7_threat_command.ioc-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.ioc-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_rapid7_threat_command_x_vulnerability: - index_sorting: false - index_template: - composed_of: - - logs-ti_rapid7_threat_command.vulnerability@package - - logs-ti_rapid7_threat_command.vulnerability@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_component_templates: - - logs-ti_rapid7_threat_command.vulnerability@custom - index_patterns: - - logs-ti_rapid7_threat_command.vulnerability-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_rapid7_threat_command.vulnerability-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_latest_ioc-template: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.latest_ioc-template@package - - logs-ti_recordedfuture.latest_ioc-template@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.latest_ioc-template@custom - index_patterns: - - logs-ti_recordedfuture.latest_ioc-template-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.latest_ioc-template-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_recordedfuture_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_recordedfuture.threat@package - - logs-ti_recordedfuture.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_recordedfuture.threat@custom - index_patterns: - - logs-ti_recordedfuture.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_recordedfuture.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-ti_threatq_x_threat: - index_sorting: false - index_template: - composed_of: - - logs-ti_threatq.threat@package - - logs-ti_threatq.threat@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-ti_threatq.threat@custom - index_patterns: - - logs-ti_threatq.threat-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-ti_threatq.threat-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_alert: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.alert-*" - template: - settings: - index: - number_of_replicas: 0 - composed_of: - - "logs-trend_micro_vision_one.alert@package" - - "logs-trend_micro_vision_one.alert@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.alert@custom" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_audit: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.audit-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.audit@custom" - composed_of: - - "logs-trend_micro_vision_one.audit@package" - - "logs-trend_micro_vision_one.audit@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trend_micro_vision_one_x_detection: - index_sorting: False - index_template: - index_patterns: - - "logs-trend_micro_vision_one.detection-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trend_micro_vision_one.detection@custom" - composed_of: - - "logs-trend_micro_vision_one.detection@package" - - "logs-trend_micro_vision_one.detection@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-trendmicro_x_deep_security: - index_sorting: False - index_template: - index_patterns: - - "logs-trendmicro.deep_security-*" - template: - settings: - index: - number_of_replicas: 0 - ignore_missing_component_templates: - - "logs-trendmicro.deep_security@custom" - composed_of: - - "logs-trendmicro.deep_security@package" - - "logs-trendmicro.deep_security@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - priority: 501 - data_stream: - hidden: false - allow_custom_routing: false - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-vsphere_x_log: - index_sorting: false - index_template: - composed_of: - - logs-vsphere.log@package - - logs-vsphere.log@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-vsphere.log@custom - index_patterns: - - logs-vsphere.log-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-vsphere.log-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logs-windows_x_forwarded: index_sorting: false index_template: @@ -11174,466 +3002,6 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-zscaler_zia_x_alerts: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.alerts@package - - logs-zscaler_zia.alerts@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.alerts@custom - index_patterns: - - logs-zscaler_zia.alerts-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.alerts-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_dns: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.dns@package - - logs-zscaler_zia.dns@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.dns@custom - index_patterns: - - logs-zscaler_zia.dns-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.dns-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_firewall: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.firewall@package - - logs-zscaler_zia.firewall@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.firewall@custom - index_patterns: - - logs-zscaler_zia.firewall-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.firewall-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_tunnel: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.tunnel@package - - logs-zscaler_zia.tunnel@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.tunnel@custom - index_patterns: - - logs-zscaler_zia.tunnel-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.tunnel-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zia_x_web: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zia.web@package - - logs-zscaler_zia.web@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zia.web@custom - index_patterns: - - logs-zscaler_zia.web-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zia.web-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_app_connector_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.app_connector_status@package - - logs-zscaler_zpa.app_connector_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.app_connector_status@custom - index_patterns: - - logs-zscaler_zpa.app_connector_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.app_connector_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_audit: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.audit@package - - logs-zscaler_zpa.audit@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.audit@custom - index_patterns: - - logs-zscaler_zpa.audit-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.audit-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_browser_access: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.browser_access@package - - logs-zscaler_zpa.browser_access@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.browser_access@custom - index_patterns: - - logs-zscaler_zpa.browser_access-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.browser_access-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_activity: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_activity@package - - logs-zscaler_zpa.user_activity@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_activity@custom - index_patterns: - - logs-zscaler_zpa.user_activity-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_activity-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-logs-zscaler_zpa_x_user_status: - index_sorting: false - index_template: - composed_of: - - logs-zscaler_zpa.user_status@package - - logs-zscaler_zpa.user_status@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - logs-zscaler_zpa.user_status@custom - index_patterns: - - logs-zscaler_zpa.user_status-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-zscaler_zpa.user_status-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-logstash: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 88ea45b89..0d5d0ea28 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -358,160 +358,9 @@ elasticsearch: so-logs-windows_x_powershell_operational: *indexSettings so-logs-windows_x_sysmon_operational: *indexSettings so-logs-winlog_x_winlog: *indexSettings - so-logs-apache_x_access: *indexSettings - so-logs-apache_x_error: *indexSettings - so-logs-auditd_x_log: *indexSettings - so-logs-aws_x_cloudtrail: *indexSettings - so-logs-aws_x_cloudwatch_logs: *indexSettings - so-logs-aws_x_ec2_logs: *indexSettings - so-logs-aws_x_elb_logs: *indexSettings - so-logs-aws_x_firewall_logs: *indexSettings - so-logs-aws_x_route53_public_logs: *indexSettings - so-logs-aws_x_route53_resolver_logs: *indexSettings - so-logs-aws_x_s3access: *indexSettings - so-logs-aws_x_vpcflow: *indexSettings - so-logs-aws_x_waf: *indexSettings - so-logs-azure_x_activitylogs: *indexSettings - so-logs-azure_x_application_gateway: *indexSettings - so-logs-azure_x_auditlogs: *indexSettings - so-logs-azure_x_eventhub: *indexSettings - so-logs-azure_x_firewall_logs: *indexSettings - so-logs-azure_x_identity_protection: *indexSettings - so-logs-azure_x_platformlogs: *indexSettings - so-logs-azure_x_provisioning: *indexSettings - so-logs-azure_x_signinlogs: *indexSettings - so-logs-azure_x_springcloudlogs: *indexSettings - so-logs-barracuda_x_waf: *indexSettings - so-logs-barracuda_cloudgen_firewall_x_log: *indexSettings - so-logs-cef_x_log: *indexSettings - so-logs-cisco_asa_x_log: *indexSettings - so-logs-cisco_ftd_x_log: *indexSettings - so-logs-cisco_ios_x_log: *indexSettings - so-logs-cisco_ise_x_log: *indexSettings - so-logs-citrix_adc_x_interface: *indexSettings - so-logs-citrix_adc_x_lbvserver: *indexSettings - so-logs-citrix_adc_x_service: *indexSettings - so-logs-citrix_adc_x_system: *indexSettings - so-logs-citrix_adc_x_vpn: *indexSettings - so-logs-citrix_waf_x_log: *indexSettings - so-logs-cloudflare_x_audit: *indexSettings - so-logs-cloudflare_x_logpull: *indexSettings - so-logs-crowdstrike_x_alert: *indexSettings - so-logs-crowdstrike_x_falcon: *indexSettings - so-logs-crowdstrike_x_fdr: *indexSettings - so-logs-crowdstrike_x_host: *indexSettings - so-logs-darktrace_x_ai_analyst_alert: *indexSettings - so-logs-darktrace_x_model_breach_alert: *indexSettings - so-logs-darktrace_x_system_status_alert: *indexSettings so-logs-detections_x_alerts: *indexSettings - so-logs-f5_bigip_x_log: *indexSettings - so-logs-fim_x_event: *indexSettings - so-logs-fortinet_x_clientendpoint: *indexSettings - so-logs-fortinet_x_firewall: *indexSettings - so-logs-fortinet_x_fortimail: *indexSettings - so-logs-fortinet_x_fortimanager: *indexSettings - so-logs-fortinet_x_fortigate: *indexSettings - so-logs-gcp_x_audit: *indexSettings - so-logs-gcp_x_dns: *indexSettings - so-logs-gcp_x_firewall: *indexSettings - so-logs-gcp_x_loadbalancing_logs: *indexSettings - so-logs-gcp_x_vpcflow: *indexSettings - so-logs-github_x_audit: *indexSettings - so-logs-github_x_code_scanning: *indexSettings - so-logs-github_x_dependabot: *indexSettings - so-logs-github_x_issues: *indexSettings - so-logs-github_x_secret_scanning: *indexSettings - so-logs-google_workspace_x_access_transparency: *indexSettings - so-logs-google_workspace_x_admin: *indexSettings - so-logs-google_workspace_x_alert: *indexSettings - so-logs-google_workspace_x_context_aware_access: *indexSettings - so-logs-google_workspace_x_device: *indexSettings - so-logs-google_workspace_x_drive: *indexSettings - so-logs-google_workspace_x_gcp: *indexSettings - so-logs-google_workspace_x_group_enterprise: *indexSettings - so-logs-google_workspace_x_groups: *indexSettings - so-logs-google_workspace_x_login: *indexSettings - so-logs-google_workspace_x_rules: *indexSettings - so-logs-google_workspace_x_saml: *indexSettings - so-logs-google_workspace_x_token: *indexSettings - so-logs-google_workspace_x_user_accounts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-iis_x_access: *indexSettings - so-logs-iis_x_error: *indexSettings - so-logs-imperva_cloud_waf_x_event: *indexSettings - so-logs-juniper_x_junos: *indexSettings - so-logs-juniper_x_netscreen: *indexSettings - so-logs-juniper_x_srx: *indexSettings - so-logs-juniper_srx_x_log: *indexSettings - so-logs-kafka_log_x_generic: *indexSettings - so-logs-lastpass_x_detailed_shared_folder: *indexSettings - so-logs-lastpass_x_event_report: *indexSettings - so-logs-lastpass_x_user: *indexSettings - so-logs-m365_defender_x_event: *indexSettings - so-logs-m365_defender_x_incident: *indexSettings - so-logs-m365_defender_x_log: *indexSettings - so-logs-microsoft_defender_endpoint_x_log: *indexSettings - so-logs-microsoft_dhcp_x_log: *indexSettings - so-logs-microsoft_sqlserver_x_audit: *indexSettings - so-logs-microsoft_sqlserver_x_log: *indexSettings - so-logs-mysql_x_error: *indexSettings - so-logs-mysql_x_slowlog: *indexSettings - so-logs-netflow_x_log: *indexSettings - so-logs-nginx_x_access: *indexSettings - so-logs-nginx_x_error: *indexSettings - so-logs-o365_x_audit: *indexSettings - so-logs-okta_x_system: *indexSettings - so-logs-panw_x_panos: *indexSettings - so-logs-pfsense_x_log: *indexSettings - so-logs-proofpoint_tap_x_clicks_blocked: *indexSettings - so-logs-proofpoint_tap_x_clicks_permitted: *indexSettings - so-logs-proofpoint_tap_x_message_blocked: *indexSettings - so-logs-proofpoint_tap_x_message_delivered: *indexSettings - so-logs-sentinel_one_x_activity: *indexSettings - so-logs-sentinel_one_x_agent: *indexSettings - so-logs-sentinel_one_x_alert: *indexSettings - so-logs-sentinel_one_x_group: *indexSettings - so-logs-sentinel_one_x_threat: *indexSettings - so-logs-sonicwall_firewall_x_log: *indexSettings - so-logs-snort_x_log: *indexSettings - so-logs-symantec_endpoint_x_log: *indexSettings - so-logs-tenable_io_x_asset: *indexSettings - so-logs-tenable_io_x_plugin: *indexSettings - so-logs-tenable_io_x_scan: *indexSettings - so-logs-tenable_io_x_vulnerability: *indexSettings - so-logs-tenable_sc_x_asset: *indexSettings - so-logs-tenable_sc_x_plugin: *indexSettings - so-logs-tenable_sc_x_vulnerability: *indexSettings - so-logs-ti_abusech_x_malware: *indexSettings - so-logs-ti_abusech_x_malwarebazaar: *indexSettings - so-logs-ti_abusech_x_threatfox: *indexSettings - so-logs-ti_abusech_x_url: *indexSettings - so-logs-ti_anomali_x_threatstream: *indexSettings - so-logs-ti_cybersixgill_x_threat: *indexSettings - so-logs-ti_misp_x_threat: *indexSettings - so-logs-ti_misp_x_threat_attributes: *indexSettings - so-logs-ti_otx_x_pulses_subscribed: *indexSettings - so-logs-ti_otx_x_threat: *indexSettings - so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings - so-logs-ti_recordedfuture_x_threat: *indexSettings - so-logs-ti_threatq_x_threat: *indexSettings - so-logs-trend_micro_vision_one_x_alert: *indexSettings - so-logs-trend_micro_vision_one_x_audit: *indexSettings - so-logs-trend_micro_vision_one_x_detection: *indexSettings - so-logs-trendmicro_x_deep_security: *indexSettings - so-logs-zscaler_zia_x_alerts: *indexSettings - so-logs-zscaler_zia_x_dns: *indexSettings - so-logs-zscaler_zia_x_firewall: *indexSettings - so-logs-zscaler_zia_x_tunnel: *indexSettings - so-logs-zscaler_zia_x_web: *indexSettings - so-logs-zscaler_zpa_x_app_connector_status: *indexSettings - so-logs-zscaler_zpa_x_audit: *indexSettings - so-logs-zscaler_zpa_x_browser_access: *indexSettings - so-logs-zscaler_zpa_x_user_activity: *indexSettings - so-logs-zscaler_zpa_x_user_status: *indexSettings - so-logs-1password_x_item_usages: *indexSettings - so-logs-1password_x_signin_attempts: *indexSettings so-logs-osquery-manager-actions: *indexSettings so-logs-osquery-manager-action_x_responses: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings @@ -537,6 +386,9 @@ elasticsearch: so-metrics-endpoint_x_metrics: *indexSettings so-metrics-endpoint_x_policy: *indexSettings so-metrics-nginx_x_stubstatus: *indexSettings + so-metrics-vsphere_x_datastore: *indexSettings + so-metrics-vsphere_x_host: *indexSettings + so-metrics-vsphere_x_virtualmachine: *indexSettings so-case: *indexSettings so-common: *indexSettings so-endgame: *indexSettings From e3b7d82a8f5c3466ff77902f25c78f28c3b9ebba Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 3 Dec 2024 08:56:56 -0600 Subject: [PATCH 002/120] remove all non-core integrations from elasticfleet:packages pillar --- salt/elasticfleet/defaults.yaml | 75 --------------------------------- 1 file changed, 75 deletions(-) diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 2f237cac1..41c50a96d 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -32,95 +32,20 @@ elasticfleet: - stderr - stdout packages: - - apache - - auditd - - auth0 - - aws - - azure - - barracuda - - barracuda_cloudgen_firewall - - carbonblack_edr - - cef - - checkpoint - - cisco_asa - - cisco_duo - - cisco_ftd - - cisco_ios - - cisco_ise - - cisco_meraki - - cisco_secure_email_gateway - - cisco_umbrella - - citrix_adc - - citrix_waf - - cloudflare - - crowdstrike - - darktrace - elastic_agent - elasticsearch - endpoint - - f5_bigip - - fim - - fireeye - fleet_server - - fortinet - - fortinet_fortigate - - gcp - - github - - google_workspace - http_endpoint - httpjson - - iis - - imperva_cloud_waf - - journald - - juniper - - juniper_srx - - kafka_log - - lastpass - log - - m365_defender - - microsoft_defender_endpoint - - microsoft_dhcp - - microsoft_sqlserver - - mimecast - - mysql - - netflow - - nginx - - o365 - - okta - osquery_manager - - panw - - pfsense - - proofpoint_tap - - pulse_connect_secure - redis - - sentinel_one - - snort - - snyk - - sonicwall_firewall - - sophos - - sophos_central - - symantec_endpoint - system - tcp - - tenable_io - - tenable_sc - - ti_abusech - - ti_anomali - - ti_cybersixgill - - ti_misp - - ti_otx - - ti_rapid7_threat_command - - ti_recordedfuture - - ti_threatq - - trendmicro - - trend_micro_vision_one - udp - - vsphere - windows - winlog - - zscaler_zia - - zscaler_zpa - - 1password optional_integrations: sublime_platform: enabled_nodes: [] From ecf094f68494b9114b6692064b3e1b9798f314c6 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 26 Dec 2024 16:18:04 -0600 Subject: [PATCH 003/120] WIP: support all es fleet integrations Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- ...o-elastic-fleet-optional-integrations-load | 102 ++++++++++++++++ salt/elasticfleet/defaults.yaml | 1 + .../integration-defaults.map.jinja | 78 +++++++++++++ salt/elasticfleet/integration-defaults.yaml | 46 ++++++++ salt/elasticfleet/soc_elasticfleet.yaml | 5 + .../tools/sbin/so-elastic-fleet-common | 9 ++ .../tools/sbin/so-elastic-fleet-package-list | 2 +- .../integration-templates.map.jinja | 110 ++++++++++++++++++ salt/elasticsearch/template.map.jinja | 9 ++ 9 files changed, 361 insertions(+), 1 deletion(-) create mode 100644 salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load create mode 100644 salt/elasticfleet/integration-defaults.map.jinja create mode 100644 salt/elasticfleet/integration-defaults.yaml create mode 100644 salt/elasticsearch/integration-templates.map.jinja diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load new file mode 100644 index 000000000..d94b006ad --- /dev/null +++ b/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load @@ -0,0 +1,102 @@ +#!/bin/bash + +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use +# this file except in compliance with the Elastic License 2.0. + +. /usr/sbin/so-common +. /usr/sbin/so-elastic-fleet-common + +# Check that /opt/so/state/estemplates.txt exists to signal that Elasticsearch +# has completed its first run of core-only integrations/indices/components/ilm +STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt +INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json +BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json +BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json +PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json + +SKIP_SUBSCRIPTION=true +PENDING_UPDATE=false + +version_conversion(){ + version=$1 + echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }' +} + +compare_versions() { + version1=$1 + version2=$2 + + # Convert versions to numbers + num1=$(version_conversion "$version1") + num2=$(version_conversion "$version2") + + # Compare using bc + if (( $(echo "$num1 < $num2" | bc -l) )); then + echo "less" + elif (( $(echo "$num1 > $num2" | bc -l) )); then + echo "greater" + else + echo "equal" + fi +} + +if [[ -f $STATE_FILE_SUCCESS ]]; then + if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then + # Package_list contains all NON-beta integrations. + latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list) + echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST + rm -f $INSTALLED_PACKAGE_LIST + echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST + + cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do + # get package details + package_name=$(echo "$package" | jq -r '.name') + latest_version=$(echo "$package" | jq -r '.latest_version') + installed_version=$(echo "$package" | jq -r '.installed_version') + subscription=$(echo "$package" | jq -r '.subscription') + bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) + + if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + # pass over integrations that require non-basic elastic license + continue + else + if [ -n "$installed_version" ]; then + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is not up to date... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + fi + else + echo "$package_name is not installed... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + fi + fi + done + + if [ $PENDING_UPDATE ]; then + # Run bulk install of packages + # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + + # Write out file for generating index/component/ilm templates + latest_installed_package_list=$(elastic_fleet_installed_packages) + echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS + + else + echo "Elastic integrations don't appear to need installation/updating..." + exit 0 + fi + + else + # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run. + echo "Elastic Fleet does not appear to be responding... Exiting... " + exit 0 + fi +else + # This message will appear when an update to core integration is made and this script is run at the same time as + # elasticsearch.enabled -> detects change to core index settings -> deletes estemplates.txt + echo "Elasticsearch may not be fully configured yet or is currently updating core index settings." + exit 0 +fi diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 41c50a96d..a0f509136 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -10,6 +10,7 @@ elasticfleet: grid_enrollment: '' defend_filters: enable_auto_configuration: False + subscription_integrations: False logging: zeek: excluded: diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja new file mode 100644 index 000000000..9977856c4 --- /dev/null +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -0,0 +1,78 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use + this file except in compliance with the Elastic License 2.0. #} + + +{% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} + +{% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set ADDON_INTEGRATION_DEFAULTS = {} %} + +{% for pkg in ADDON_PACKAGE_COMPONENTS %} +{% if pkg.name in CORE_ESFLEET_PACKAGES %} +{# skip core integrations #} +{% elif pkg.name not in CORE_ESFLEET_PACKAGES %} +{# generate defaults for each integration #} +{% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %} +{% for pattern in pkg.es_index_patterns %} +{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %} +{% set integration_defaults = { + "index_sorting": false, + "index_template": { + "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "data_stream": { + "hidden": false, + "allow_custom_routing": false + }, + "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"], + "index_patterns": [pattern.name], + "priority": 501, + "template": { + "settings": { + "index": { + "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." ~ pattern.title ~ "-logs"}, + "number_of_replicas": 0 + } + } + } + }, + "policy": { + "phases": { + "cold": { + "actions": { + "set_priority": {"priority": 0} + }, + "min_age": "60d" + }, + "delete": { + "actions": { + "delete": {} + }, + "min_age": "365d" + }, + "hot": { + "actions": { + "rollover": { + "max_age": "30d", + "max_primary_shard_size": "50gb" + }, + "set_priority": {"priority": 100} + }, + "min_age": "0ms" + }, + "warm": { + "actions": { + "set_priority": {"priority": 50} + }, + "min_age": "30d" + } + } + } + } %} +{% do ADDON_INTEGRATION_DEFAULTS.update({integration_key: integration_defaults}) %} +{% endfor %} +{% endif %} +{% endif %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml new file mode 100644 index 000000000..98bbd13b7 --- /dev/null +++ b/salt/elasticfleet/integration-defaults.yaml @@ -0,0 +1,46 @@ +so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER: + index_sorting: False + index_template: + composed_of: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package" + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_COMPLACEHOLDER_templates: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" + index_patterns: + - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*" + priority: 501 + template: + settings: + index: + lifecycle: + name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs" + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: "60d" + delete: + actions: + delete: {} + min_age: "365d" + hot: + actions: + rollover: + max_age: "30d" + max_primary_shard_size: "50gb" + set_priority: + priority: 100 + min_age: "0ms" + warm: + actions: + set_priority: + priority: 50 + min_age: "30d" \ No newline at end of file diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 0b32628ea..7ca59401f 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -40,6 +40,11 @@ elasticfleet: global: True helpLink: elastic-fleet.html advanced: True + subscription_integrations: + description: Enable the installation of integrations that require an Elastic license. + global: True + forcedType: bool + helpLink: elastic-fleet.html server: custom_fqdn: description: Custom FQDN for Agents to connect to. One per line. diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common index 296e578fc..7e1e4b790 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-common +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-common @@ -97,11 +97,20 @@ elastic_fleet_package_install() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"force":true}' "localhost:5601/api/fleet/epm/packages/$PKG/$VERSION" } +elastic_fleet_bulk_package_install() { + BULK_PKG_LIST=$1 + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d@$1 "localhost:5601/api/fleet/epm/packages/_bulk" +} + elastic_fleet_package_is_installed() { PACKAGE=$1 curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' "localhost:5601/api/fleet/epm/packages/$PACKAGE" | jq -r '.item.status' } +elastic_fleet_installed_packages() { + curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET -H 'kbn-xsrf: true' -H 'Content-Type: application/json' "localhost:5601/api/fleet/epm/packages/installed?perPage=300" +} + elastic_fleet_agent_policy_ids() { curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/agent_policies" | jq -r .items[].id if [ $? -ne 0 ]; then diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list index 7e68c6e83..a52920a42 100755 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list @@ -10,6 +10,6 @@ SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}') # List configured package policies -curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq +curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages?prerelease=true" -H 'kbn-xsrf: true' | jq echo diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja new file mode 100644 index 000000000..59a9222c5 --- /dev/null +++ b/salt/elasticsearch/integration-templates.map.jinja @@ -0,0 +1,110 @@ +{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + https://securityonion.net/license; you may not use this file except in compliance with the + Elastic License 2.0. #} + +{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} +{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} +{% set INTEGRATION_INDEX_SETTINGS = {} %} + + +{% set default_settings = { + 'index_sorting': false, + 'index_template': { + 'data_stream': { + 'allow_custom_routing': false, + 'hidden': false + }, + 'priority': 501, + 'template': { + 'settings': { + 'index': { + 'number_of_replicas': 0 + } + } + } + }, + 'policy': { + 'phases': { + 'cold': { + 'actions': { + 'set_priority': { + 'priority': 0 + } + }, + 'min_age': '60d' + }, + 'delete': { + 'actions': { + 'delete': {} + }, + 'min_age': '365d' + }, + 'hot': { + 'actions': { + 'rollover':{ + 'max_age': '30d', + 'max_primary_shard_size': '50gb' + }, + 'set_priority': { + 'priority': 100 + } + }, + 'min_age': '0ms' + }, + 'warm': { + 'actions': { + 'set_priority': { + 'priority': 50 + } + }, + 'min_age': '30d' + } + } + } +} %} + +{# Create template for each package component from elasticfleet/defaults.yaml #} +{% for package in packages %} + {% for pkg_name, components in package.items() %} + {% if components is not none %} + {% for component in components %} + {% set component_dot = component.replace('_x_', '.') %} + {% set template_name = 'so-logs-' ~ component %} + + {% set template = { + 'index_sorting': default_settings.index_sorting, + 'index_template': { + 'composed_of': [ + 'logs-' ~ component_dot ~ '@package', + 'logs-' ~ component_dot ~ '@custom', + 'so-fleet-_globals-1', + 'so-fleet_agent_id_verification-1' + ], + 'data_stream': default_settings.index_template.data_stream, + 'ignore_missing_component_templates': [ + 'logs-' ~ component_dot ~ '@custom' + ], + 'index_patterns': [ + 'logs-' ~ component_dot ~ '-*' + ], + 'priority': default_settings.index_template.priority, + 'template': { + 'settings': { + 'index': { + 'lifecycle': { + 'name': 'so-logs-' ~ component_dot ~ '-logs' + }, + 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas + } + } + } + }, + 'policy': default_settings.policy + } %} + + {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %} + {% endfor %} + {% endif %} + {% endfor %} +{% endfor %} \ No newline at end of file diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index 507ea533d..c53349f18 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -14,6 +14,15 @@ {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} +{# start generation of integration default index_settings #} +{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} +{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} +{% endfor %} +{% endif %} +{# end generation of integration default index_settings #} + {% set ES_INDEX_SETTINGS_GLOBAL_OVERRIDES = {} %} {% for index in ES_INDEX_SETTINGS_ORIG.keys() %} {% do ES_INDEX_SETTINGS_GLOBAL_OVERRIDES.update({index: salt['defaults.merge'](ELASTICSEARCHDEFAULTS.elasticsearch.index_settings[index], PILLAR_GLOBAL_OVERRIDES, in_place=False)}) %} From cdd4a1ff1fb6b6fc2c7b95651593746713d8b795 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 3 Jan 2025 16:06:22 -0600 Subject: [PATCH 004/120] fixes addon integration map file Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 66 ++++++- ...o-elastic-fleet-optional-integrations-load | 2 +- salt/elasticsearch/defaults.yaml | 184 ------------------ salt/elasticsearch/enabled.sls | 11 +- .../integration-templates.map.jinja | 110 ----------- salt/elasticsearch/template.map.jinja | 2 +- 6 files changed, 70 insertions(+), 305 deletions(-) rename salt/{elastic-fleet-package-registry/tools => elasticfleet/tools/sbin}/so-elastic-fleet-optional-integrations-load (98%) delete mode 100644 salt/elasticsearch/integration-templates.map.jinja diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 9977856c4..0de400b26 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -10,6 +10,44 @@ {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} +{# Some fleet integrations don't follow the standard naming convention #} +{% set WEIRD_INTEGRATIONS = { + 'awsfirehose.logs': 'awsfirehose', + 'cribl.logs': 'cribl', + 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login', + 'azure_application_insights.app_insights': 'azure.app_insights', + 'azure_application_insights.app_state': 'azure.app_state', + 'azure_billing.billing': 'azure.billing', + 'azure_functions.metrics': 'azure.function', + 'azure_metrics.compute_vm_scaleset': 'azure.compute_vm_scaleset', + 'azure_metrics.compute_vm': 'azure.compute_vm', + 'azure_metrics.container_instance': 'azure.container_instance', + 'azure_metrics.container_registry': 'azure.container_registry', + 'azure_metrics.container_service': 'azure.container_service', + 'azure_metrics.database_account': 'azure.database_account', + 'azure_metrics.monitor': 'azure.monitor', + 'azure_metrics.storage_account': 'azure.storage_account', + 'azure_openai.metrics': 'azure.open_ai', + 'beat.state': 'beats.stack_monitoring.state', + 'beat.stats': 'beats.stack_monitoring.stats', + 'enterprisesearch.health': 'enterprisesearch.stack_monitoring.health', + 'enterprisesearch.stats': 'enterprisesearch.stack_monitoring.stats', + 'kibana.cluster_actions': 'kibana.stack_monitoring.cluster_actions', + 'kibana.cluster_rules': 'kibana.stack_monitoring.cluster_rules', + 'kibana.node_actions': 'kibana.stack_monitoring.node_actions', + 'kibana.node_rules': 'kibana.stack_monitoring.node_rules', + 'kibana.stats': 'kibana.stack_monitoring.stats', + 'kibana.status': 'kibana.stack_monitoring.status', + 'logstash.node_cel': 'logstash.stack_monitoring.node', + 'logstash.node_stats': 'logstash.stack_monitoring.node_stats', + 'synthetics.browser': 'synthetics-browser', + 'synthetics.browser_network': 'synthetics-browser.network', + 'synthetics.browser_screenshot': 'synthetics-browser.screenshot', + 'synthetics.http': 'synthetics-http', + 'synthetics.icmp': 'synthetics-icmp', + 'synthetics.tcp': 'synthetics-tcp' + } %} + {% for pkg in ADDON_PACKAGE_COMPONENTS %} {% if pkg.name in CORE_ESFLEET_PACKAGES %} {# skip core integrations #} @@ -17,22 +55,36 @@ {# generate defaults for each integration #} {% if pkg.es_index_patterns is defined and pkg.es_index_patterns is not none %} {% for pattern in pkg.es_index_patterns %} -{% set integration_key = "so-logs-" ~ pkg.name ~ "_x_" ~ pattern.title %} -{% set integration_defaults = { +{% if "metrics-" in pattern.name %} +{% set integration_type = "metrics-" %} +{% elif "logs-" in pattern.name %} +{% set integration_type = "logs-" %} +{% else %} +{% set integration_type = "" %} +{% endif %} +{% set component_name = pkg.name ~ "." ~ pattern.title %} +{# fix weirdly named components #} +{% if component_name in WEIRD_INTEGRATIONS %} +{% set component_name = WEIRD_INTEGRATIONS[component_name] %} +{% endif %} +{% set integration_key = "so-" ~ integration_type ~ component_name %} + +{# Default integration settings #} +{% set integration_defaults = { "index_sorting": false, "index_template": { - "composed_of": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@package", "logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], "data_stream": { - "hidden": false, - "allow_custom_routing": false + "allow_custom_routing": false, + "hidden": false }, - "ignore_missing_component_templates": ["logs-" ~ pkg.name ~ "." ~ pattern.title ~ "@custom"], + "ignore_missing_component_templates": [integration_type ~ component_name ~ "@custom"], "index_patterns": [pattern.name], "priority": 501, "template": { "settings": { "index": { - "lifecycle": {"name": "so-logs-" ~ pkg.name ~ "." ~ pattern.title ~ "-logs"}, + "lifecycle": {"name": "so-" ~ integration_type ~ component_name ~ "-logs"}, "number_of_replicas": 0 } } diff --git a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load similarity index 98% rename from salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load rename to salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index d94b006ad..5fa14c5fc 100644 --- a/salt/elastic-fleet-package-registry/tools/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -78,7 +78,7 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then if [ $PENDING_UPDATE ]; then # Run bulk install of packages - # elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST # Write out file for generating index/component/ilm templates latest_installed_package_list=$(elastic_fleet_installed_packages) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index e7a9a286c..32d9c431e 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -3297,190 +3297,6 @@ elasticsearch: index: mode: time_series number_of_replicas: 0 - so-metrics-nginx_x_stubstatus: - index_sorting: false - index_template: - composed_of: - - metrics-nginx.stubstatus@package - - metrics-nginx.stubstatus@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-nginx.stubstatus@custom - index_patterns: - - metrics-nginx.stubstatus-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-nginx.stubstatus-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_datastore: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.datastore@package - - metrics-vsphere.datastore@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.datastore@custom - index_patterns: - - metrics-vsphere.datastore-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.datastore-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_host: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.host@package - - metrics-vsphere.host@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.host@custom - index_patterns: - - metrics-vsphere.host-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.host-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d - so-metrics-vsphere_x_virtualmachine: - index_sorting: false - index_template: - composed_of: - - metrics-vsphere.virtualmachine@package - - metrics-vsphere.virtualmachine@custom - - so-fleet_globals-1 - - so-fleet_agent_id_verification-1 - data_stream: - allow_custom_routing: false - hidden: false - ignore_missing_component_templates: - - metrics-vsphere.virtualmachine@custom - index_patterns: - - metrics-vsphere.virtualmachine-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-metrics-vsphere.virtualmachine-logs - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: 60d - delete: - actions: - delete: {} - min_age: 365d - hot: - actions: - rollover: - max_age: 30d - max_primary_shard_size: 50gb - set_priority: - priority: 100 - min_age: 0ms - warm: - actions: - set_priority: - priority: 50 - min_age: 30d so-redis: index_sorting: false index_template: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index 48280c506..fb3f877df 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -151,7 +151,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: {% endfor %} {% endif %} -{% if GLOBALS.role in GLOBALS.manager_roles %} +{% if GLOBALS.role in GLOBALS.manager_roles %} so-es-cluster-settings: cmd.run: - name: /usr/sbin/so-elasticsearch-cluster-settings @@ -160,7 +160,7 @@ so-es-cluster-settings: - require: - docker_container: so-elasticsearch - file: elasticsearch_sbin_jinja -{% endif %} +{% endif %} so-elasticsearch-ilm-policy-load: cmd.run: @@ -172,6 +172,13 @@ so-elasticsearch-ilm-policy-load: - onchanges: - file: so-elasticsearch-ilm-policy-load-script +configure-addon-fleet-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-optional-integrations-load + - cwd: /opt/so + - require: + - docker_container: so-elasticsearch + so-elasticsearch-templates-reload: file.absent: - name: /opt/so/state/estemplates.txt diff --git a/salt/elasticsearch/integration-templates.map.jinja b/salt/elasticsearch/integration-templates.map.jinja deleted file mode 100644 index 59a9222c5..000000000 --- a/salt/elasticsearch/integration-templates.map.jinja +++ /dev/null @@ -1,110 +0,0 @@ -{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one - or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at - https://securityonion.net/license; you may not use this file except in compliance with the - Elastic License 2.0. #} - -{% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% set packages = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} -{% set INTEGRATION_INDEX_SETTINGS = {} %} - - -{% set default_settings = { - 'index_sorting': false, - 'index_template': { - 'data_stream': { - 'allow_custom_routing': false, - 'hidden': false - }, - 'priority': 501, - 'template': { - 'settings': { - 'index': { - 'number_of_replicas': 0 - } - } - } - }, - 'policy': { - 'phases': { - 'cold': { - 'actions': { - 'set_priority': { - 'priority': 0 - } - }, - 'min_age': '60d' - }, - 'delete': { - 'actions': { - 'delete': {} - }, - 'min_age': '365d' - }, - 'hot': { - 'actions': { - 'rollover':{ - 'max_age': '30d', - 'max_primary_shard_size': '50gb' - }, - 'set_priority': { - 'priority': 100 - } - }, - 'min_age': '0ms' - }, - 'warm': { - 'actions': { - 'set_priority': { - 'priority': 50 - } - }, - 'min_age': '30d' - } - } - } -} %} - -{# Create template for each package component from elasticfleet/defaults.yaml #} -{% for package in packages %} - {% for pkg_name, components in package.items() %} - {% if components is not none %} - {% for component in components %} - {% set component_dot = component.replace('_x_', '.') %} - {% set template_name = 'so-logs-' ~ component %} - - {% set template = { - 'index_sorting': default_settings.index_sorting, - 'index_template': { - 'composed_of': [ - 'logs-' ~ component_dot ~ '@package', - 'logs-' ~ component_dot ~ '@custom', - 'so-fleet-_globals-1', - 'so-fleet_agent_id_verification-1' - ], - 'data_stream': default_settings.index_template.data_stream, - 'ignore_missing_component_templates': [ - 'logs-' ~ component_dot ~ '@custom' - ], - 'index_patterns': [ - 'logs-' ~ component_dot ~ '-*' - ], - 'priority': default_settings.index_template.priority, - 'template': { - 'settings': { - 'index': { - 'lifecycle': { - 'name': 'so-logs-' ~ component_dot ~ '-logs' - }, - 'number_of_replicas': default_settings.index_template.template.settings.index.number_of_replicas - } - } - } - }, - 'policy': default_settings.policy - } %} - - {% do INTEGRATION_INDEX_SETTINGS.update({template_name: template}) %} - {% endfor %} - {% endif %} - {% endfor %} -{% endfor %} \ No newline at end of file diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index c53349f18..c1ff2cb24 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -15,7 +15,7 @@ {% set ES_INDEX_SETTINGS_ORIG = ELASTICSEARCHDEFAULTS.elasticsearch.index_settings %} {# start generation of integration default index_settings #} -{% if salt['file.file_exists']('/opt/so/state/estemplates.txt') %} +{% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %} {% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} {% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} {% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} From 9fe3f6042fec1b65aeaa8809dc4fc1a352434e26 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 10:44:22 -0600 Subject: [PATCH 005/120] Remove individual integrations ip mappings component template. Replaced with global mappings Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../integration-defaults.map.jinja | 2 +- .../logs-1password.item_usages@custom.json | 36 ------------------ ...logs-1password.signin_attempts@custom.json | 36 ------------------ .../logs-apache.access@custom.json | 36 ------------------ .../logs-apache.error@custom.json | 36 ------------------ .../elastic-agent/logs-auditd.log@custom.json | 36 ------------------ .../elastic-agent/logs-auth0.logs@custom.json | 36 ------------------ .../logs-aws.cloudfront_logs@custom.json | 36 ------------------ .../logs-aws.cloudtrail@custom.json | 36 ------------------ .../logs-aws.cloudwatch_logs@custom.json | 36 ------------------ .../logs-aws.ec2_logs@custom.json | 36 ------------------ .../logs-aws.elb_logs@custom.json | 36 ------------------ .../logs-aws.firewall_logs@custom.json | 36 ------------------ .../logs-aws.guardduty@custom.json | 36 ------------------ .../logs-aws.inspector@custom.json | 36 ------------------ .../logs-aws.route53_public_logs@custom.json | 36 ------------------ ...logs-aws.route53_resolver_logs@custom.json | 36 ------------------ .../logs-aws.s3access@custom.json | 36 ------------------ .../logs-aws.securityhub_findings@custom.json | 36 ------------------ .../logs-aws.securityhub_insights@custom.json | 36 ------------------ .../logs-aws.vpcflow@custom.json | 36 ------------------ .../elastic-agent/logs-aws.waf@custom.json | 36 ------------------ .../logs-azure.activitylogs@custom.json | 36 ------------------ ...logs-azure.application_gateway@custom.json | 36 ------------------ .../logs-azure.auditlogs@custom.json | 36 ------------------ .../logs-azure.eventhub@custom.json | 36 ------------------ .../logs-azure.firewall_logs@custom.json | 36 ------------------ ...logs-azure.identity_protection@custom.json | 36 ------------------ .../logs-azure.platformlogs@custom.json | 36 ------------------ .../logs-azure.provisioning@custom.json | 36 ------------------ .../logs-azure.signinlogs@custom.json | 36 ------------------ .../logs-azure.springcloudlogs@custom.json | 36 ------------------ .../logs-barracuda.waf@custom.json | 36 ------------------ ...arracuda_cloudgen_firewall.log@custom.json | 36 ------------------ .../logs-carbonblack_edr.log@custom.json | 36 ------------------ .../elastic-agent/logs-cef.log@custom.json | 36 ------------------ .../logs-checkpoint.firewall@custom.json | 36 ------------------ .../logs-cisco_asa.log@custom.json | 36 ------------------ .../logs-cisco_duo.admin@custom.json | 36 ------------------ .../logs-cisco_duo.auth@custom.json | 36 ------------------ ...s-cisco_duo.offline_enrollment@custom.json | 36 ------------------ .../logs-cisco_duo.summary@custom.json | 36 ------------------ .../logs-cisco_duo.telephony@custom.json | 36 ------------------ .../logs-cisco_ftd.log@custom.json | 36 ------------------ .../logs-cisco_ios.log@custom.json | 36 ------------------ .../logs-cisco_ise.log@custom.json | 36 ------------------ .../logs-cisco_meraki.events@custom.json | 36 ------------------ .../logs-cisco_meraki.log@custom.json | 36 ------------------ ...cisco_secure_email_gateway.log@custom.json | 36 ------------------ .../logs-cisco_umbrella.log@custom.json | 36 ------------------ .../logs-citrix_adc.interface@custom.json | 36 ------------------ .../logs-citrix_adc.lbvserver@custom.json | 36 ------------------ .../logs-citrix_adc.service@custom.json | 36 ------------------ .../logs-citrix_adc.system@custom.json | 36 ------------------ .../logs-citrix_adc.vpn@custom.json | 36 ------------------ .../logs-citrix_waf.log@custom.json | 36 ------------------ .../logs-cloudflare.audit@custom.json | 36 ------------------ .../logs-cloudflare.logpull@custom.json | 36 ------------------ .../logs-crowdstrike.alert@custom.json | 36 ------------------ .../logs-crowdstrike.falcon@custom.json | 36 ------------------ .../logs-crowdstrike.fdr@custom.json | 36 ------------------ .../logs-crowdstrike.host@custom.json | 36 ------------------ ...ogs-darktrace.ai_analyst_alert@custom.json | 36 ------------------ ...s-darktrace.model_breach_alert@custom.json | 36 ------------------ ...-darktrace.system_status_alert@custom.json | 36 ------------------ .../logs-f5_bigip.log@custom.json | 36 ------------------ .../elastic-agent/logs-fim.event@custom.json | 36 ------------------ .../elastic-agent/logs-fireeye.nx@custom.json | 36 ------------------ .../logs-fortinet.clientendpoint@custom.json | 36 ------------------ .../logs-fortinet.firewall@custom.json | 36 ------------------ .../logs-fortinet.fortimail@custom.json | 36 ------------------ .../logs-fortinet.fortimanager@custom.json | 36 ------------------ .../logs-fortinet_fortigate.log@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.audit@custom.json | 36 ------------------ .../elastic-agent/logs-gcp.dns@custom.json | 36 ------------------ .../logs-gcp.firewall@custom.json | 36 ------------------ .../logs-gcp.loadbalancing_logs@custom.json | 36 ------------------ .../logs-gcp.vpcflow@custom.json | 36 ------------------ .../logs-github.audit@custom.json | 36 ------------------ .../logs-github.code_scanning@custom.json | 36 ------------------ .../logs-github.dependabot@custom.json | 36 ------------------ .../logs-github.issues@custom.json | 36 ------------------ .../logs-github.secret_scanning@custom.json | 36 ------------------ ..._workspace.access_transparency@custom.json | 36 ------------------ .../logs-google_workspace.admin@custom.json | 36 ------------------ .../logs-google_workspace.alert@custom.json | 36 ------------------ ...workspace.context_aware_access@custom.json | 36 ------------------ .../logs-google_workspace.device@custom.json | 36 ------------------ .../logs-google_workspace.drive@custom.json | 36 ------------------ .../logs-google_workspace.gcp@custom.json | 36 ------------------ ...gle_workspace.group_enterprise@custom.json | 36 ------------------ .../logs-google_workspace.groups@custom.json | 36 ------------------ .../logs-google_workspace.login@custom.json | 36 ------------------ .../logs-google_workspace.rules@custom.json | 36 ------------------ .../logs-google_workspace.saml@custom.json | 36 ------------------ .../logs-google_workspace.token@custom.json | 36 ------------------ ...google_workspace.user_accounts@custom.json | 36 ------------------ .../elastic-agent/logs-iis.access@custom.json | 36 ------------------ .../elastic-agent/logs-iis.error@custom.json | 36 ------------------ .../logs-imperva_cloud_waf.event@custom.json | 36 ------------------ .../logs-juniper.junos@custom.json | 36 ------------------ .../logs-juniper.netscreen@custom.json | 36 ------------------ .../logs-juniper.srx@custom.json | 36 ------------------ .../logs-juniper_srx.log@custom.json | 36 ------------------ .../logs-kafka_log.generic@custom.json | 36 ------------------ ...astpass.detailed_shared_folder@custom.json | 36 ------------------ .../logs-lastpass.event_report@custom.json | 36 ------------------ .../logs-lastpass.user@custom.json | 36 ------------------ .../logs-m365_defender.event@custom.json | 36 ------------------ .../logs-m365_defender.incident@custom.json | 36 ------------------ .../logs-m365_defender.log@custom.json | 36 ------------------ ...icrosoft_defender_endpoint.log@custom.json | 36 ------------------ .../logs-microsoft_dhcp.log@custom.json | 36 ------------------ ...logs-microsoft_sqlserver.audit@custom.json | 36 ------------------ .../logs-microsoft_sqlserver.log@custom.json | 36 ------------------ .../logs-mimecast.audit_events@custom.json | 36 ------------------ .../logs-mimecast.dlp_logs@custom.json | 36 ------------------ .../logs-mimecast.siem_logs@custom.json | 36 ------------------ ....threat_intel_malware_customer@custom.json | 36 ------------------ ...cast.threat_intel_malware_grid@custom.json | 36 ------------------ .../logs-mimecast.ttp_ap_logs@custom.json | 36 ------------------ .../logs-mimecast.ttp_ip_logs@custom.json | 36 ------------------ .../logs-mimecast.ttp_url_logs@custom.json | 36 ------------------ .../logs-mysql.error@custom.json | 36 ------------------ .../logs-mysql.slowlog@custom.json | 36 ------------------ .../logs-netflow.log@custom.json | 36 ------------------ .../logs-nginx.access@custom.json | 36 ------------------ .../logs-nginx.error@custom.json | 36 ------------------ .../elastic-agent/logs-o365.audit@custom.json | 36 ------------------ .../logs-okta.system@custom.json | 36 ------------------ .../elastic-agent/logs-panw.panos@custom.json | 36 ------------------ .../logs-pfsense.log@custom.json | 36 ------------------ ...-proofpoint_tap.clicks_blocked@custom.json | 36 ------------------ ...roofpoint_tap.clicks_permitted@custom.json | 36 ------------------ ...proofpoint_tap.message_blocked@custom.json | 36 ------------------ ...oofpoint_tap.message_delivered@custom.json | 36 ------------------ .../logs-pulse_connect_secure.log@custom.json | 36 ------------------ .../logs-sentinel_one.activity@custom.json | 36 ------------------ .../logs-sentinel_one.agent@custom.json | 36 ------------------ .../logs-sentinel_one.alert@custom.json | 36 ------------------ .../logs-sentinel_one.group@custom.json | 36 ------------------ .../logs-sentinel_one.threat@custom.json | 36 ------------------ .../elastic-agent/logs-snort.log@custom.json | 36 ------------------ .../elastic-agent/logs-snyk.audit@custom.json | 36 ------------------ .../logs-snyk.vulnerabilities@custom.json | 36 ------------------ .../logs-sonicwall_firewall.log@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.utm@custom.json | 36 ------------------ .../elastic-agent/logs-sophos.xg@custom.json | 36 ------------------ .../logs-sophos_central.alert@custom.json | 36 ------------------ .../logs-sophos_central.event@custom.json | 36 ------------------ .../logs-symantec_endpoint.log@custom.json | 36 ------------------ .../logs-tenable_io.asset@custom.json | 36 ------------------ .../logs-tenable_io.plugin@custom.json | 36 ------------------ .../logs-tenable_io.scan@custom.json | 36 ------------------ .../logs-tenable_io.vulnerability@custom.json | 36 ------------------ .../logs-tenable_sc.asset@custom.json | 36 ------------------ .../logs-tenable_sc.plugin@custom.json | 36 ------------------ .../logs-tenable_sc.vulnerability@custom.json | 36 ------------------ .../logs-ti_abusech.malware@custom.json | 36 ------------------ .../logs-ti_abusech.malwarebazaar@custom.json | 36 ------------------ .../logs-ti_abusech.threatfox@custom.json | 36 ------------------ .../logs-ti_abusech.url@custom.json | 36 ------------------ .../logs-ti_anomali.threatstream@custom.json | 36 ------------------ .../logs-ti_cybersixgill.threat@custom.json | 36 ------------------ .../logs-ti_misp.threat@custom.json | 36 ------------------ ...logs-ti_misp.threat_attributes@custom.json | 36 ------------------ .../logs-ti_opencti.indicator@custom.json | 36 ------------------ .../logs-ti_otx.pulses_subscribed@custom.json | 36 ------------------ .../logs-ti_otx.threat@custom.json | 36 ------------------ ...ti_rapid7_threat_command.alert@custom.json | 36 ------------------ ...s-ti_rapid7_threat_command.ioc@custom.json | 36 ------------------ ...7_threat_command.vulnerability@custom.json | 36 ------------------ ...rdedfuture.latest_ioc-template@custom.json | 36 ------------------ .../logs-ti_recordedfuture.threat@custom.json | 36 ------------------ .../logs-ti_threatq.threat@custom.json | 36 ------------------ ...s-trend_micro_vision_one.alert@custom.json | 36 ------------------ ...s-trend_micro_vision_one.audit@custom.json | 36 ------------------ ...end_micro_vision_one.detection@custom.json | 36 ------------------ .../logs-trendmicro.deep_security@custom.json | 36 ------------------ .../logs-vsphere.log@custom.json | 36 ------------------ .../logs-zscaler_zia.alerts@custom.json | 36 ------------------ .../logs-zscaler_zia.dns@custom.json | 36 ------------------ .../logs-zscaler_zia.firewall@custom.json | 36 ------------------ .../logs-zscaler_zia.tunnel@custom.json | 36 ------------------ .../logs-zscaler_zia.web@custom.json | 36 ------------------ ...caler_zpa.app_connector_status@custom.json | 36 ------------------ .../logs-zscaler_zpa.audit@custom.json | 36 ------------------ ...ogs-zscaler_zpa.browser_access@custom.json | 36 ------------------ ...logs-zscaler_zpa.user_activity@custom.json | 36 ------------------ .../logs-zscaler_zpa.user_status@custom.json | 36 ------------------ .../so-fleet_integrations.ip_mappings.json | 37 +++++++++++++++++++ 191 files changed, 38 insertions(+), 6805 deletions(-) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json create mode 100644 salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 0de400b26..cd88748b5 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -73,7 +73,7 @@ {% set integration_defaults = { "index_sorting": false, "index_template": { - "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], "data_stream": { "allow_custom_routing": false, "hidden": false diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.item_usages@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-1password.signin_attempts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-apache.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-auditd.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-auth0.logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudfront_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudtrail@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.cloudwatch_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.ec2_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.elb_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.firewall_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.guardduty@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.inspector@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_public_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.route53_resolver_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.s3access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_findings@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.securityhub_insights@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.vpcflow@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-aws.waf@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.activitylogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.application_gateway@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.auditlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.eventhub@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.firewall_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.identity_protection@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.platformlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.provisioning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.signinlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-azure.springcloudlogs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda.waf@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-barracuda_cloudgen_firewall.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-carbonblack_edr.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cef.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-checkpoint.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_asa.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.admin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.auth@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.offline_enrollment@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.summary@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_duo.telephony@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ftd.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ios.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_ise.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.events@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_meraki.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_secure_email_gateway.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cisco_umbrella.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.interface@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.lbvserver@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.service@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.system@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_adc.vpn@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-citrix_waf.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare.logpull@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.falcon@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.fdr@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.ai_analyst_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.model_breach_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-darktrace.system_status_alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-f5_bigip.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fim.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fireeye.nx@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.clientendpoint@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimail@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet.fortimanager@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-fortinet_fortigate.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.loadbalancing_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-gcp.vpcflow@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.code_scanning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.dependabot@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.issues@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-github.secret_scanning@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.access_transparency@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.admin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.context_aware_access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.device@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.drive@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.gcp@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.group_enterprise@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.groups@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.login@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.rules@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.saml@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.token@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-google_workspace.user_accounts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-iis.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-imperva_cloud_waf.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.junos@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.netscreen@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper.srx@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-juniper_srx.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-kafka_log.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.detailed_shared_folder@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.event_report@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-lastpass.user@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.incident@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-m365_defender.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_defender_endpoint.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_dhcp.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-microsoft_sqlserver.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.audit_events@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.dlp_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.siem_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_customer@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.threat_intel_malware_grid@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ap_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_ip_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mimecast.ttp_url_logs@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-mysql.slowlog@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-netflow.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-nginx.error@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-o365.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-okta.system@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-panw.panos@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-pfsense.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_blocked@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.clicks_permitted@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_blocked@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-proofpoint_tap.message_delivered@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-pulse_connect_secure.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.activity@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.agent@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.group@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sentinel_one.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-snort.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-snyk.vulnerabilities@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sonicwall_firewall.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.utm@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos.xg@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-sophos_central.event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-symantec_endpoint.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.asset@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.plugin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.scan@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_io.vulnerability@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.asset@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.plugin@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-tenable_sc.vulnerability@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malware@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.malwarebazaar@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.threatfox@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_abusech.url@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_anomali.threatstream@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_cybersixgill.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_misp.threat_attributes@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.pulses_subscribed@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_otx.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.ioc@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_rapid7_threat_command.vulnerability@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.latest_ioc-template@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_recordedfuture.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_threatq.threat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-vsphere.log@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.alerts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.tunnel@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zia.web@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.app_connector_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.browser_access@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_activity@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-zscaler_zpa.user_status@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json new file mode 100644 index 000000000..3777e670c --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json @@ -0,0 +1,37 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } + } + \ No newline at end of file From 0d49dee46e33ae35648e5f5d4476e8fd539cd2ec Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:22:51 -0600 Subject: [PATCH 006/120] update version to foxtrot Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 580cd0c49..452820224 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.120 \ No newline at end of file +2.4.0-foxtrot \ No newline at end of file From 3d3f0460fad532c1a5e207fabe3f327dd4ea167b Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 14:42:16 -0600 Subject: [PATCH 007/120] move addon integration script run to elasticfleet state Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticfleet/enabled.sls | 4 ++++ salt/elasticsearch/enabled.sls | 7 ------- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index f91074b39..5a52f3a41 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls @@ -151,6 +151,10 @@ so-elastic-fleet-integration-upgrade: cmd.run: - name: /usr/sbin/so-elastic-fleet-integration-upgrade +so-elastic-fleet-addon-integrations: + cmd.run: + - name: /usr/sbin/so-elastic-fleet-optional-integrations-load + {% if ELASTICFLEETMERGED.config.defend_filters.enable_auto_configuration %} so-elastic-defend-manage-filters-file-watch: cmd.run: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index fb3f877df..4ed4b1b98 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -172,13 +172,6 @@ so-elasticsearch-ilm-policy-load: - onchanges: - file: so-elasticsearch-ilm-policy-load-script -configure-addon-fleet-integrations: - cmd.run: - - name: /usr/sbin/so-elastic-fleet-optional-integrations-load - - cwd: /opt/so - - require: - - docker_container: so-elasticsearch - so-elasticsearch-templates-reload: file.absent: - name: /opt/so/state/estemplates.txt From a21535b0a2cf09eb1c587f3dde2c26cdddcda646 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 6 Jan 2025 21:33:07 -0600 Subject: [PATCH 008/120] run elasticsearch state to sync templates Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/manager/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fc0c7aca4..d48463737 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -527,6 +527,10 @@ post_to_2.4.111() { post_to_2.4.120() { update_elasticsearch_index_settings + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.120 } @@ -736,6 +740,8 @@ up_to_2.4.120() { # New Grid Integration added this release rm -f /opt/so/state/eaintegrations.txt + + INSTALLEDVERSION=2.4.120 } From dab56f0882b4c3b01266a6268a147197d7eeff67 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 14 Jan 2025 15:24:59 -0600 Subject: [PATCH 009/120] update fleet-optional-integrations-load Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- ...o-elastic-fleet-optional-integrations-load | 54 +++++++++++-------- 1 file changed, 33 insertions(+), 21 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 5fa14c5fc..6d87b958c 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -13,11 +13,16 @@ STATE_FILE_SUCCESS=/opt/so/state/estemplates.txt INSTALLED_PACKAGE_LIST=/tmp/esfleet_installed_packages.json BULK_INSTALL_PACKAGE_LIST=/tmp/esfleet_bulk_install.json BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json +BULK_INSTALL_OUTPUT=/opt/so/state/esfleet_bulk_install_results.json PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json SKIP_SUBSCRIPTION=true PENDING_UPDATE=false +# Integrations which are included in the package registry, but excluded from automatic installation via this script. +# Requiring some level of manual Elastic Stack configuration before installation +EXCLUDED_INTEGRATIONS=('apm') + version_conversion(){ version=$1 echo "$version" | awk -F '.' '{ printf("%d%03d%03d\n", $1, $2, $3); }' @@ -43,13 +48,13 @@ compare_versions() { if [[ -f $STATE_FILE_SUCCESS ]]; then if retry 3 1 "curl -s -K /opt/so/conf/elasticsearch/curl.config --output /dev/null --silent --head --fail localhost:5601/api/fleet/epm/packages"; then - # Package_list contains all NON-beta integrations. + # Package_list contains all integrations beta / non-beta. latest_package_list=$(/usr/sbin/so-elastic-fleet-package-list) echo '{ "packages" : []}' > $BULK_INSTALL_PACKAGE_LIST rm -f $INSTALLED_PACKAGE_LIST echo $latest_package_list | jq '{packages: [.items[] | {name: .name, latest_version: .version, installed_version: .savedObject.attributes.install_version, subscription: .conditions.elastic.subscription }]}' >> $INSTALLED_PACKAGE_LIST - cat "$INSTALLED_PACKAGE_LIST" | jq -c '.packages[]' | while read -r package; do + while read -r package; do # get package details package_name=$(echo "$package" | jq -r '.name') latest_version=$(echo "$package" | jq -r '.latest_version') @@ -57,28 +62,35 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then subscription=$(echo "$package" | jq -r '.subscription') bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) - if [ $SKIP_SUBSCRIPTION ] && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then - # pass over integrations that require non-basic elastic license - continue - else - if [ -n "$installed_version" ]; then - results=$(compare_versions "$latest_version" "$installed_version") - if [ $results == "greater" ]; then - echo "$package_name is not up to date... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi + if [[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]; then + if $SKIP_SUBSCRIPTION && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + # pass over integrations that require non-basic elastic license + echo "$package_name integration requires an Elastic license of $subscription or greater... skipping" + continue else - echo "$package_name is not installed... Adding to next update." - jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - PENDING_UPDATE=true - fi - fi - done + if [[ "$installed_version" == "null" || -z "$installed_version" ]]; then + echo "$package_name is not installed... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST - if [ $PENDING_UPDATE ]; then + PENDING_UPDATE=true + else + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is at version $installed_version latest version is $latest_version... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + + PENDING_UPDATE=true + fi + fi + fi + else + echo "Skipping $package_name..." + fi + done <<< "$(jq -c '.packages[]' "$INSTALLED_PACKAGE_LIST")" + + if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages - elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST + elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT # Write out file for generating index/component/ilm templates latest_installed_package_list=$(elastic_fleet_installed_packages) From 6331298eac1b17b7374bd5784de8202d3cb6ebd7 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 21 Jan 2025 10:49:54 -0600 Subject: [PATCH 010/120] remove individual @custom mappings. Moved over to so-fleet_integrations.ip_mappings-1 --- .../integration-defaults.map.jinja | 2 +- salt/elasticfleet/integration-defaults.yaml | 46 ------------------- salt/elasticsearch/defaults.yaml | 33 ++++++++++++- ...udflare_logpush.access_request@custom.json | 36 --------------- .../logs-cloudflare_logpush.audit@custom.json | 36 --------------- .../logs-cloudflare_logpush.casb@custom.json | 36 --------------- ...udflare_logpush.device_posture@custom.json | 36 --------------- .../logs-cloudflare_logpush.dns@custom.json | 36 --------------- ...loudflare_logpush.dns_firewall@custom.json | 36 --------------- ...udflare_logpush.firewall_event@custom.json | 36 --------------- ...cloudflare_logpush.gateway_dns@custom.json | 36 --------------- ...loudflare_logpush.gateway_http@custom.json | 36 --------------- ...dflare_logpush.gateway_network@custom.json | 36 --------------- ...loudflare_logpush.http_request@custom.json | 36 --------------- ...s-cloudflare_logpush.magic_ids@custom.json | 36 --------------- ...-cloudflare_logpush.nel_report@custom.json | 36 --------------- ...lare_logpush.network_analytics@custom.json | 36 --------------- ...dflare_logpush.network_session@custom.json | 36 --------------- ...oudflare_logpush.sinkhole_http@custom.json | 36 --------------- ...udflare_logpush.spectrum_event@custom.json | 36 --------------- ...oudflare_logpush.workers_trace@custom.json | 36 --------------- .../logs-elastic_agent.apm_server@custom.json | 36 --------------- .../logs-elastic_agent.auditbeat@custom.json | 36 --------------- .../logs-elastic_agent.cloudbeat@custom.json | 36 --------------- ...lastic_agent.endpoint_security@custom.json | 36 --------------- .../logs-elastic_agent.filebeat@custom.json | 36 --------------- ...ogs-elastic_agent.fleet_server@custom.json | 36 --------------- .../logs-elastic_agent.heartbeat@custom.json | 36 --------------- .../logs-elastic_agent.metricbeat@custom.json | 36 --------------- ...logs-elastic_agent.osquerybeat@custom.json | 36 --------------- .../logs-elastic_agent.packetbeat@custom.json | 36 --------------- .../logs-elastic_agent@custom.json | 43 ----------------- .../logs-endpoint.alerts@custom.json | 36 --------------- ...endpoint.diagnostic.collection@custom.json | 43 ----------------- .../logs-endpoint.events.api@custom.json | 36 --------------- .../logs-endpoint.events.file@custom.json | 36 --------------- .../logs-endpoint.events.library@custom.json | 36 --------------- .../logs-endpoint.events.network@custom.json | 36 --------------- .../logs-endpoint.events.process@custom.json | 36 --------------- .../logs-endpoint.events.registry@custom.json | 36 --------------- .../logs-endpoint.events.security@custom.json | 36 --------------- .../logs-http_endpoint.generic@custom.json | 36 --------------- .../logs-httpjson.generic@custom.json | 36 --------------- .../logs-system.application@custom.json | 36 --------------- .../logs-system.auth@custom.json | 36 --------------- .../logs-system.security@custom.json | 36 --------------- .../logs-system.system@custom.json | 36 --------------- .../logs-windows.forwarded@custom.json | 36 --------------- .../logs-windows.powershell@custom.json | 36 --------------- ...windows.powershell_operational@custom.json | 36 --------------- ...ogs-windows.sysmon_operational@custom.json | 36 --------------- .../logs-winlog.winlog@custom.json | 36 --------------- ... so-fleet_integrations.ip_mappings-1.json} | 0 53 files changed, 32 insertions(+), 1827 deletions(-) delete mode 100644 salt/elasticfleet/integration-defaults.yaml delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json rename salt/elasticsearch/templates/component/elastic-agent/{so-fleet_integrations.ip_mappings.json => so-fleet_integrations.ip_mappings-1.json} (100%) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index cd88748b5..09710a43c 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -73,7 +73,7 @@ {% set integration_defaults = { "index_sorting": false, "index_template": { - "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], + "composed_of": [integration_type ~ component_name ~ "@package", integration_type ~ component_name ~ "@custom", "so-fleet_integrations.ip_mappings-1", "so-fleet_globals-1", "so-fleet_agent_id_verification-1"], "data_stream": { "allow_custom_routing": false, "hidden": false diff --git a/salt/elasticfleet/integration-defaults.yaml b/salt/elasticfleet/integration-defaults.yaml deleted file mode 100644 index 98bbd13b7..000000000 --- a/salt/elasticfleet/integration-defaults.yaml +++ /dev/null @@ -1,46 +0,0 @@ -so-logs-INTPLACEHOLDER_x_COMPLACEHOLDER: - index_sorting: False - index_template: - composed_of: - - "logs-INTPLACEHOLDER.COMPLACEHOLDER@package" - - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" - - "so-fleet_globals-1" - - "so-fleet_agent_id_verification-1" - data_stream: - hidden: false - allow_custom_routing: false - ignore_missing_COMPLACEHOLDER_templates: - - "logs-INTPLACEHOLDER.COMPLACEHOLDER@custom" - index_patterns: - - "logs-INTPLACEHOLDER.COMPLACEHOLDER-*" - priority: 501 - template: - settings: - index: - lifecycle: - name: "so-logs-INTPLACEHOLDER.COMPLACEHOLDER-logs" - number_of_replicas: 0 - policy: - phases: - cold: - actions: - set_priority: - priority: 0 - min_age: "60d" - delete: - actions: - delete: {} - min_age: "365d" - hot: - actions: - rollover: - max_age: "30d" - max_primary_shard_size: "50gb" - set_priority: - priority: 100 - min_age: "0ms" - warm: - actions: - set_priority: - priority: 50 - min_age: "30d" \ No newline at end of file diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 32d9c431e..d39935485 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1119,6 +1119,7 @@ elasticsearch: - event-mappings - logs-elastic_agent@package - logs-elastic_agent@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1182,6 +1183,7 @@ elasticsearch: composed_of: - logs-elastic_agent.apm_server@package - logs-elastic_agent.apm_server@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1245,6 +1247,7 @@ elasticsearch: composed_of: - logs-elastic_agent.auditbeat@package - logs-elastic_agent.auditbeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1308,6 +1311,7 @@ elasticsearch: composed_of: - logs-elastic_agent.cloudbeat@package - logs-elastic_agent.cloudbeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: @@ -1369,6 +1373,7 @@ elasticsearch: - event-mappings - logs-elastic_agent.endpoint_security@package - logs-elastic_agent.endpoint_security@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1427,6 +1432,7 @@ elasticsearch: - event-mappings - logs-elastic_agent.filebeat@package - logs-elastic_agent.filebeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1485,6 +1491,7 @@ elasticsearch: - event-mappings - logs-elastic_agent.fleet_server@package - logs-elastic_agent.fleet_server@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1539,6 +1546,7 @@ elasticsearch: composed_of: - logs-elastic_agent.heartbeat@package - logs-elastic_agent.heartbeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 ignore_missing_component_templates: @@ -1600,6 +1608,7 @@ elasticsearch: - event-mappings - logs-elastic_agent.metricbeat@package - logs-elastic_agent.metricbeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1658,6 +1667,7 @@ elasticsearch: - event-mappings - logs-elastic_agent.osquerybeat@package - logs-elastic_agent.osquerybeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1715,6 +1725,7 @@ elasticsearch: composed_of: - logs-elastic_agent.packetbeat@package - logs-elastic_agent.packetbeat@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1779,6 +1790,7 @@ elasticsearch: - event-mappings - logs-endpoint.alerts@custom - logs-endpoint.alerts@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1837,6 +1849,7 @@ elasticsearch: - event-mappings - logs-endpoint.diagnostic.collection@custom - logs-endpoint.diagnostic.collection@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1895,6 +1908,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.api@custom - logs-endpoint.events.api@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -1953,6 +1967,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.file@custom - logs-endpoint.events.file@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2011,6 +2026,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.library@custom - logs-endpoint.events.library@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2069,6 +2085,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.network@custom - logs-endpoint.events.network@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2127,6 +2144,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.process@custom - logs-endpoint.events.process@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2185,6 +2203,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.registry@custom - logs-endpoint.events.registry@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2243,6 +2262,7 @@ elasticsearch: - event-mappings - logs-endpoint.events.security@custom - logs-endpoint.events.security@package + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2300,13 +2320,13 @@ elasticsearch: composed_of: - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* @@ -2347,6 +2367,7 @@ elasticsearch: composed_of: - logs-httpjson.generic@package - logs-httpjson.generic@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2538,6 +2559,7 @@ elasticsearch: - event-mappings - logs-system.application@package - logs-system.application@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings @@ -2586,6 +2608,7 @@ elasticsearch: - event-mappings - logs-system.auth@package - logs-system.auth@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings @@ -2634,6 +2657,7 @@ elasticsearch: - event-mappings - logs-system.security@package - logs-system.security@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings @@ -2730,6 +2754,7 @@ elasticsearch: - event-mappings - logs-system.system@package - logs-system.system@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 - so-system-mappings @@ -2777,6 +2802,7 @@ elasticsearch: composed_of: - logs-windows.forwarded@package - logs-windows.forwarded@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2823,6 +2849,7 @@ elasticsearch: composed_of: - logs-windows.powershell@package - logs-windows.powershell@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2869,6 +2896,7 @@ elasticsearch: composed_of: - logs-windows.powershell_operational@package - logs-windows.powershell_operational@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2915,6 +2943,7 @@ elasticsearch: composed_of: - logs-windows.sysmon_operational@package - logs-windows.sysmon_operational@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: @@ -2961,13 +2990,13 @@ elasticsearch: composed_of: - logs-winlog.winlog@package - logs-winlog.winlog@custom + - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 data_stream: allow_custom_routing: false hidden: false ignore_missing_component_templates: - - logs-winlog.winlog@package - logs-winlog.winlog@custom index_patterns: - logs-winlog.winlog-* diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.access_request@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.audit@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.casb@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.device_posture@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.dns_firewall@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.firewall_event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_dns@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_http@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.gateway_network@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.http_request@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.magic_ids@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.nel_report@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_analytics@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.network_session@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.sinkhole_http@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.spectrum_event@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-cloudflare_logpush.workers_trace@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.apm_server@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.auditbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.cloudbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.endpoint_security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.filebeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.fleet_server@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.heartbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.metricbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.osquerybeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent.packetbeat@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json deleted file mode 100644 index d8d14a5a9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@custom.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.alerts@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json deleted file mode 100644 index 5bbe3c1fa..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@custom.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.api@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.file@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.library@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.network@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.process@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.registry@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.events.security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-http_endpoint.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-httpjson.generic@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.application@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.auth@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.security@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-system.system@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.forwarded@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.powershell_operational@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-windows.sysmon_operational@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json deleted file mode 100644 index 17319ab9f..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-winlog.winlog@custom.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "template": { - "mappings": { - "properties": { - "host": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "related": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "destination": { - "properties":{ - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties":{ - "ip": { - "type": "ip" - } - } - } - } - } - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json b/salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json similarity index 100% rename from salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings.json rename to salt/elasticsearch/templates/component/elastic-agent/so-fleet_integrations.ip_mappings-1.json From d779f7ae7f60c72108a27f0a66ebf447237ce538 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 10:13:01 -0600 Subject: [PATCH 011/120] add back missing component for http_endpoint_x_generic & winlog_x_winglog --- salt/elasticsearch/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index d39935485..77a5be232 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2327,6 +2327,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-http_endpoint.generic@package - logs-http_endpoint.generic@custom index_patterns: - logs-http_endpoint.generic-* @@ -2997,6 +2998,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: + - logs-winlog.winlog@package - logs-winlog.winlog@custom index_patterns: - logs-winlog.winlog-* From 81ac1ebc08382d4a55b21a7066cc17be48c9308e Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:12:09 -0600 Subject: [PATCH 012/120] fixes merging local pillar /global overrides for generated index templates --- salt/elasticfleet/integration-defaults.map.jinja | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 09710a43c..30eda7081 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -67,7 +67,10 @@ {% if component_name in WEIRD_INTEGRATIONS %} {% set component_name = WEIRD_INTEGRATIONS[component_name] %} {% endif %} -{% set integration_key = "so-" ~ integration_type ~ component_name %} +{# component_name_x maintains the functionality of merging local pillar changes with generated 'defaults' via SOC UI #} +{% set component_name_x = component_name.replace(".","_x_") %} +{# pillar overrides/merge expects the key names to follow the naming in elasticsearch/defaults.yaml eg. so-logs-1password_x_item_usages . The _x_ is replaced later on in elasticsearch/template.map.jinja #} +{% set integration_key = "so-" ~ integration_type ~ component_name_x %} {# Default integration settings #} {% set integration_defaults = { From e0039a08ef435df402c0364f172dd9d4f02d5338 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 22 Jan 2025 13:57:26 -0600 Subject: [PATCH 013/120] fix forcedType typo --- salt/elasticsearch/soc_elasticsearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0d5d0ea28..48b8b2e27 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -166,7 +166,7 @@ elasticsearch: index_template: index_patterns: description: Patterns for matching multiple indices or tables. - forceType: "[]string" + forcedType: "[]string" multiline: True global: True advanced: True From 9738ef382c4c4cc3d4a24a584981e1103fcf72ef Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 08:12:02 -0500 Subject: [PATCH 014/120] Upgrade Elastic to 8.17.1 --- .../integrations/elastic-defend/elastic-defend-endpoints.json | 2 +- salt/elasticsearch/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 15f08a151..0348a0198 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json @@ -5,7 +5,7 @@ "package": { "name": "endpoint", "title": "Elastic Defend", - "version": "8.14.0" + "version": "8.17.0" }, "enabled": true, "policy_id": "endpoints-initial", diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 77a5be232..04198a160 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.14.3 + version: 8.17.1 index_clean: true config: action: From 5b8f8fb62f0dfbf7ce5692351a36f2a3250e0ba8 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 23 Jan 2025 12:47:22 -0600 Subject: [PATCH 015/120] add/remove es annotations/defaults automagically Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/soc_elasticsearch.yaml | 6 +++ salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++ 2 files changed, 65 insertions(+) create mode 100644 salt/manager/managed_soc_annotations.sls diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 48b8b2e27..adce41bff 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -77,6 +77,12 @@ elasticsearch: custom008: *pipelines custom009: *pipelines custom010: *pipelines + managed_integrations: + description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html index_settings: global_overrides: index_template: diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls new file mode 100644 index 000000000..17621f973 --- /dev/null +++ b/salt/manager/managed_soc_annotations.sls @@ -0,0 +1,59 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} +{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% if managed_integrations %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} +{% set matched_integration_names = [] %} +{% for k in addon_integration_keys %} +{% for i in managed_integrations %} +{% if i in k %} +{% do matched_integration_names.append(k) %} +{% endif %} +{% endfor %} +{% endfor %} +{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %} +{{ es_soc_annotations }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_soc_annotations) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% set input = index_settings.get('so-logs', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set _ = index_settings.update({k: input}) %} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} + +{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #} +{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %} +{{ es_defaults }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_defaults) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set input = ADDON_INTEGRATION_DEFAULTS[k] %} + {% set _ = index_settings.update({k: input})%} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} +{% endif %} \ No newline at end of file From 97a3f130c8957e19cd6e833d6aa1532dbb8d18e3 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 23 Jan 2025 15:32:39 -0500 Subject: [PATCH 016/120] Update Elastic --- .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index fb8c31040..bef0bf931 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.59.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-1.45.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.59.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.59.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-1.45.1\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.64.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.3.6\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.64.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.64.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.3.6\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ "import" ] From a373d96c3c7b46ef56475dd0f6f674ec16ebfc6d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:03 -0600 Subject: [PATCH 017/120] run managed_soc_annotations.sls from manager state --- salt/manager/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index c4b2ad136..8de5d097a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -14,6 +14,7 @@ include: - manager.sync_es_users - manager.elasticsearch - manager.kibana + - manager.managed_soc_annotations repo_log_dir: file.directory: From 38b0276458261c9c1049d8e49b40c4f2d919d02c Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 13:45:18 -0600 Subject: [PATCH 018/120] remove reference to deleted file --- salt/elasticfleet/integration-defaults.map.jinja | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 30eda7081..6d31cc71f 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -5,7 +5,6 @@ {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} From e994f3a220203a5fc4f3d04a65344c0faba859c4 Mon Sep 17 00:00:00 2001 From: Joshua Brower Date: Mon, 27 Jan 2025 14:48:50 -0500 Subject: [PATCH 019/120] Fix commits --- salt/elasticsearch/soc_elasticsearch.yaml | 8 ++- salt/manager/managed_soc_annotations.sls | 59 +++++++++++++++++++++++ salt/manager/tools/sbin/soup | 18 ++++++- 3 files changed, 82 insertions(+), 3 deletions(-) create mode 100644 salt/manager/managed_soc_annotations.sls diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 0d5d0ea28..adce41bff 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -77,6 +77,12 @@ elasticsearch: custom008: *pipelines custom009: *pipelines custom010: *pipelines + managed_integrations: + description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass + forcedType: "[]string" + global: True + advanced: True + helpLink: elasticsearch.html index_settings: global_overrides: index_template: @@ -166,7 +172,7 @@ elasticsearch: index_template: index_patterns: description: Patterns for matching multiple indices or tables. - forceType: "[]string" + forcedType: "[]string" multiline: True global: True advanced: True diff --git a/salt/manager/managed_soc_annotations.sls b/salt/manager/managed_soc_annotations.sls new file mode 100644 index 000000000..17621f973 --- /dev/null +++ b/salt/manager/managed_soc_annotations.sls @@ -0,0 +1,59 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +{# Managed elasticsearch/soc_elasticsearch.yaml file for adding integration configuration items to UI #} +{% set managed_integrations = salt['pillar.get']('elasticsearch:managed_integrations', []) %} +{% if managed_integrations %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% set addon_integration_keys = ADDON_INTEGRATION_DEFAULTS.keys() %} +{% set matched_integration_names = [] %} +{% for k in addon_integration_keys %} +{% for i in managed_integrations %} +{% if i in k %} +{% do matched_integration_names.append(k) %} +{% endif %} +{% endfor %} +{% endfor %} +{% set es_soc_annotations = '/opt/so/saltstack/default/salt/elasticsearch/soc_elasticsearch.yaml' %} +{{ es_soc_annotations }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_soc_annotations) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% set input = index_settings.get('so-logs', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set _ = index_settings.update({k: input}) %} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} + +{# Managed elasticsearch/defaults.yaml file for enabling 'Revert to default' via SOC UI for newly added config items #} +{% set es_defaults = '/opt/so/saltstack/default/salt/elasticsearch/defaults.yaml' %} +{{ es_defaults }}: + file.serialize: + - dataset: + {% set data = salt['file.read'](es_defaults) | load_yaml %} + {% set es = data.get('elasticsearch', {}) %} + {% set index_settings = es.get('index_settings', {}) %} + {% for k in matched_integration_names %} + {% if k not in index_settings %} + {% set input = ADDON_INTEGRATION_DEFAULTS[k] %} + {% set _ = index_settings.update({k: input})%} + {% endif %} + {% endfor %} + {% for k in addon_integration_keys %} + {% if k not in matched_integration_names and k in index_settings %} + {% set _ = index_settings.pop(k) %} + {% endif %} + {% endfor %} + {{ data }} +{% endif %} \ No newline at end of file diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index c0a6a4359..b6cf38799 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -406,6 +406,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.4.100 ]] && up_to_2.4.110 [[ "$INSTALLEDVERSION" == 2.4.110 ]] && up_to_2.4.111 [[ "$INSTALLEDVERSION" == 2.4.111 ]] && up_to_2.4.120 + [[ "$INSTALLEDVERSION" == 2.4.120 ]] && up_to_2.4.130 true } @@ -429,6 +430,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.4.100 ]] && post_to_2.4.110 [[ "$POSTVERSION" == 2.4.110 ]] && post_to_2.4.111 [[ "$POSTVERSION" == 2.4.111 ]] && post_to_2.4.120 + [[ "$POSTVERSION" == 2.4.120 ]] && post_to_2.4.130 true } @@ -538,6 +540,11 @@ post_to_2.4.120() { POSTVERSION=2.4.120 } +post_to_2.4.130() { + echo "Nothing to apply" + POSTVERSION=2.4.130 +} + repo_sync() { echo "Sync the local repo." su socore -c '/usr/sbin/so-repo-sync' || fail "Unable to complete so-repo-sync." @@ -717,8 +724,8 @@ up_to_2.4.90() { } up_to_2.4.100() { - # Elastic Update for this release, so download Elastic Agent files - determine_elastic_agent_upgrade + echo "Nothing to do for 2.4.100" + INSTALLEDVERSION=2.4.100 } @@ -749,6 +756,13 @@ up_to_2.4.120() { INSTALLEDVERSION=2.4.120 } +up_to_2.4.130() { + # Elastic Update for this release, so download Elastic Agent files + determine_elastic_agent_upgrade + + INSTALLEDVERSION=2.4.130 +} + add_hydra_pillars() { mkdir -p /opt/so/saltstack/local/pillar/hydra touch /opt/so/saltstack/local/pillar/hydra/soc_hydra.sls From 49ab0751c0665436624b46a029f27510d4c21719 Mon Sep 17 00:00:00 2001 From: Joshua Brower Date: Mon, 27 Jan 2025 15:01:21 -0500 Subject: [PATCH 020/120] Remove uneeded import --- salt/elasticfleet/integration-defaults.map.jinja | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 30eda7081..a60eaae60 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -5,7 +5,6 @@ {% import_json '/opt/so/state/esfleet_package_components.json' as ADDON_PACKAGE_COMPONENTS %} {% import_yaml 'elasticfleet/defaults.yaml' as ELASTICFLEETDEFAULTS %} -{% import_yaml 'elasticfleet/integration-defaults.yaml' as INTEGRATIONDEFAULTS %} {% set CORE_ESFLEET_PACKAGES = ELASTICFLEETDEFAULTS.get('elasticfleet', {}).get('packages', {}) %} {% set ADDON_INTEGRATION_DEFAULTS = {} %} @@ -130,4 +129,4 @@ {% endfor %} {% endif %} {% endif %} -{% endfor %} \ No newline at end of file +{% endfor %} From d74b69d84d5933a57479152f5143963a39224f86 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 27 Jan 2025 16:34:33 -0600 Subject: [PATCH 021/120] add additional weird_integration --- salt/elasticfleet/integration-defaults.map.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticfleet/integration-defaults.map.jinja b/salt/elasticfleet/integration-defaults.map.jinja index 6d31cc71f..008efb615 100644 --- a/salt/elasticfleet/integration-defaults.map.jinja +++ b/salt/elasticfleet/integration-defaults.map.jinja @@ -12,6 +12,7 @@ {# Some fleet integrations don't follow the standard naming convention #} {% set WEIRD_INTEGRATIONS = { 'awsfirehose.logs': 'awsfirehose', + 'awsfirehose.metrics': 'aws.cloudwatch', 'cribl.logs': 'cribl', 'sentinel_one_cloud_funnel.logins': 'sentinel_one_cloud_funnel.login', 'azure_application_insights.app_insights': 'azure.app_insights', From 3b69ff9fc9ff552470b92b7c82287ac3fed9bbb0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 29 Jan 2025 14:02:45 -0600 Subject: [PATCH 022/120] integration policy update --- salt/manager/tools/sbin/soup | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index b6cf38799..89255f839 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -534,14 +534,16 @@ post_to_2.4.120() { # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' rollover_index "logs-suricata.alerts-so" - # Sync the newly generated index templates for elasticfleet integrations - salt-call state.apply elasticsearch queue=True - POSTVERSION=2.4.120 } post_to_2.4.130() { - echo "Nothing to apply" + # Integrations policies need to be updated + rm -f /opt/so/state/eaintegrations.txt + + # Sync the newly generated index templates for elasticfleet integrations + salt-call state.apply elasticsearch queue=True + POSTVERSION=2.4.130 } @@ -725,7 +727,7 @@ up_to_2.4.90() { up_to_2.4.100() { echo "Nothing to do for 2.4.100" - + INSTALLEDVERSION=2.4.100 } From 33f145a40b28f4430a11d4f5826c64f343a348b0 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Feb 2025 08:58:36 -0600 Subject: [PATCH 023/120] ensure network packet capture integration data has event.module:network_traffic --- salt/elasticsearch/files/ingest/global@custom | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 085afd23c..4c522374e 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom @@ -8,7 +8,9 @@ "processors": [ { "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } }, { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, + { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, + { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, @@ -22,6 +24,6 @@ { "set": { "if": "ctx.event?.module == 'fim'", "override": true, "field": "event.module", "value": "file_integrity" } }, { "rename": { "if": "ctx.winlog?.provider_name == 'Microsoft-Windows-Windows Defender'", "ignore_missing": true, "field": "winlog.event_data.Threat Name", "target_field": "winlog.event_data.threat_name" } }, { "set": { "if": "ctx?.metadata?.kafka != null" , "field": "kafka.id", "value": "{{metadata.kafka.partition}}{{metadata.kafka.offset}}{{metadata.kafka.timestamp}}", "ignore_failure": true } }, - { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } + { "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp", "datastream_dataset_temp" ], "ignore_missing": true, "ignore_failure": true } } ] } From fb0cd436d352fb4d4a19913b695058ea0f4c7855 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 11 Feb 2025 11:23:04 -0600 Subject: [PATCH 024/120] ES 8.17.2 TODO: Check import-evtx-logs.json for updated pipeline versions Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 04198a160..c91a2df6f 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.1 + version: 8.17.2 index_clean: true config: action: diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 90b75b8c4..2de3853df 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.10.4" + discardCorruptObjects: "8.17.2" telemetry: enabled: False security: From 16c332ad2e3baa1fe3805507d6329f7473ad0164 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Feb 2025 11:27:43 -0500 Subject: [PATCH 025/120] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 580cd0c49..04d2c4735 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.120 \ No newline at end of file +2.4.130 From d2ac6ec10fa1dc67d3034540aea331a84734cdc0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 12 Feb 2025 11:29:07 -0500 Subject: [PATCH 026/120] Update 2-4.yml --- .github/DISCUSSION_TEMPLATE/2-4.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/DISCUSSION_TEMPLATE/2-4.yml b/.github/DISCUSSION_TEMPLATE/2-4.yml index 0b8d5e6b9..9583ac99a 100644 --- a/.github/DISCUSSION_TEMPLATE/2-4.yml +++ b/.github/DISCUSSION_TEMPLATE/2-4.yml @@ -24,6 +24,7 @@ body: - 2.4.110 - 2.4.111 - 2.4.120 + - 2.4.130 - Other (please provide detail below) validations: required: true From 40cb3a53aea8110068ae38bd98103cef33d5ade3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 13:18:08 -0600 Subject: [PATCH 027/120] Revert ES 8.17.2 upgrade -> 8.17.1 Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c91a2df6f..04198a160 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.2 + version: 8.17.1 index_clean: true config: action: diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 2de3853df..6cc4d123a 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.2" + discardCorruptObjects: "8.17.1" telemetry: enabled: False security: From 09c7b31918f3d04af26c627bb74dfda0692ae9da Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 12 Feb 2025 16:33:56 -0600 Subject: [PATCH 028/120] update pfsense pipeline version. Remove unused component templates --- .../files/ingest/logs-pfsense.log-1.16.0 | 389 ------------------ ...nse.log-1.19.1 => logs-pfsense.log-1.20.2} | 53 ++- ...icata => logs-pfsense.log-1.20.2-suricata} | 0 .../logs-elastic_agent@package.json | 383 ----------------- ...ndpoint.diagnostic.collection@package.json | 132 ------ ...ics-fleet_server.agent_status@package.json | 201 --------- ...s-fleet_server.agent_versions@package.json | 102 ----- 7 files changed, 26 insertions(+), 1234 deletions(-) delete mode 100644 salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.19.1 => logs-pfsense.log-1.20.2} (90%) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.16.0-suricata => logs-pfsense.log-1.20.2-suricata} (100%) delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json delete mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 deleted file mode 100644 index f53abb0e3..000000000 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0 +++ /dev/null @@ -1,389 +0,0 @@ -{ - "description": "Pipeline for PFsense", - "processors": [ - { - "set": { - "field": "ecs.version", - "value": "8.10.0" - } - }, - { - "set": { - "field": "observer.vendor", - "value": "netgate" - } - }, - { - "set": { - "field": "observer.type", - "value": "firewall" - } - }, - { - "rename": { - "field": "message", - "target_field": "event.original" - } - }, - { - "set": { - "field": "event.kind", - "value": "event" - } - }, - { - "set": { - "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", - "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" - } - }, - { - "grok": { - "description": "Parse syslog header", - "field": "event.original", - "patterns": [ - "^(%{ECS_SYSLOG_PRI})?%{TIMESTAMP} %{GREEDYDATA:message}" - ], - "pattern_definitions": { - "ECS_SYSLOG_PRI": "<%{NONNEGINT:log.syslog.priority:long}>(\\d )?", - "TIMESTAMP": "(?:%{BSD_TIMESTAMP_FORMAT}|%{SYSLOG_TIMESTAMP_FORMAT})", - "BSD_TIMESTAMP_FORMAT": "%{SYSLOGTIMESTAMP:_tmp.timestamp}(%{SPACE}%{BSD_PROCNAME}|%{SPACE}%{OBSERVER}%{SPACE}%{BSD_PROCNAME})(\\[%{POSINT:process.pid:long}\\])?:", - "BSD_PROCNAME": "(?:\\b%{NAME:process.name}|\\(%{NAME:process.name}\\))", - "NAME": "[[[:alnum:]]_-]+", - "SYSLOG_TIMESTAMP_FORMAT": "%{TIMESTAMP_ISO8601:_tmp.timestamp8601}%{SPACE}%{OBSERVER}%{SPACE}%{PROCESS}%{SPACE}(%{POSINT:process.pid:long}|-) - (-|%{META})", - "TIMESTAMP_ISO8601": "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE:event.timezone}?", - "OBSERVER": "(?:%{IP:observer.ip}|%{HOSTNAME:observer.name})", - "PROCESS": "(\\(%{DATA:process.name}\\)|(?:%{UNIXPATH}*/)?%{BASEPATH:process.name})", - "BASEPATH": "[[[:alnum:]]_%!$@:.,+~-]+", - "META": "\\[[^\\]]*\\]" - } - } - }, - { - "date": { - "if": "ctx._tmp.timestamp8601 != null", - "field": "_tmp.timestamp8601", - "target_field": "@timestamp", - "formats": [ - "ISO8601" - ] - } - }, - { - "date": { - "if": "ctx.event?.timezone != null && ctx._tmp?.timestamp != null", - "field": "_tmp.timestamp", - "target_field": "@timestamp", - "formats": [ - "MMM d HH:mm:ss", - "MMM d HH:mm:ss", - "MMM dd HH:mm:ss" - ], - "timezone": "{{ event.timezone }}" - } - }, - { - "grok": { - "description": "Set Event Provider", - "field": "process.name", - "patterns": [ - "^%{HYPHENATED_WORDS:event.provider}" - ], - "pattern_definitions": { - "HYPHENATED_WORDS": "\\b[A-Za-z0-9_]+(-[A-Za-z_]+)*\\b" - } - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-firewall", - "if": "ctx.event.provider == 'filterlog'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-openvpn", - "if": "ctx.event.provider == 'openvpn'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-ipsec", - "if": "ctx.event.provider == 'charon'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-dhcp", - "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-unbound", - "if": "ctx.event.provider == 'unbound'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-haproxy", - "if": "ctx.event.provider == 'haproxy'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-php-fpm", - "if": "ctx.event.provider == 'php-fpm'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-squid", - "if": "ctx.event.provider == 'squid'" - } - }, - { - "pipeline": { - "name": "logs-pfsense.log-1.16.0-suricata", - "if": "ctx.event.provider == 'suricata'" - } - }, - { - "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)" - } - }, - { - "append": { - "field": "event.category", - "value": "network", - "if": "ctx.network != null" - } - }, - { - "convert": { - "field": "source.address", - "target_field": "source.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "convert": { - "field": "destination.address", - "target_field": "destination.ip", - "type": "ip", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "set": { - "field": "network.type", - "value": "ipv6", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\":\")" - } - }, - { - "set": { - "field": "network.type", - "value": "ipv4", - "if": "ctx.source?.ip != null && ctx.source.ip.contains(\".\")" - } - }, - { - "geoip": { - "field": "source.ip", - "target_field": "source.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "field": "destination.ip", - "target_field": "destination.geo", - "ignore_missing": true - } - }, - { - "geoip": { - "ignore_missing": true, - "database_file": "GeoLite2-ASN.mmdb", - "field": "source.ip", - "target_field": "source.as", - "properties": [ - "asn", - "organization_name" - ] - } - }, - { - "geoip": { - "database_file": "GeoLite2-ASN.mmdb", - "field": "destination.ip", - "target_field": "destination.as", - "properties": [ - "asn", - "organization_name" - ], - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.asn", - "target_field": "source.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "source.as.organization_name", - "target_field": "source.as.organization.name", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.asn", - "target_field": "destination.as.number", - "ignore_missing": true - } - }, - { - "rename": { - "field": "destination.as.organization_name", - "target_field": "destination.as.organization.name", - "ignore_missing": true - } - }, - { - "community_id": { - "target_field": "network.community_id", - "ignore_failure": true - } - }, - { - "grok": { - "field": "observer.ingress.interface.name", - "patterns": [ - "%{DATA}.%{NONNEGINT:observer.ingress.vlan.id}" - ], - "ignore_missing": true, - "ignore_failure": true - } - }, - { - "set": { - "field": "network.vlan.id", - "copy_from": "observer.ingress.vlan.id", - "ignore_empty_value": true - } - }, - { - "append": { - "field": "related.ip", - "value": "{{destination.ip}}", - "allow_duplicates": false, - "if": "ctx.destination?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.ip != null" - } - }, - { - "append": { - "field": "related.ip", - "value": "{{source.nat.ip}}", - "allow_duplicates": false, - "if": "ctx.source?.nat?.ip != null" - } - }, - { - "append": { - "field": "related.hosts", - "value": "{{destination.domain}}", - "if": "ctx.destination?.domain != null" - } - }, - { - "append": { - "field": "related.user", - "value": "{{user.name}}", - "if": "ctx.user?.name != null" - } - }, - { - "set": { - "field": "network.direction", - "value": "{{network.direction}}bound", - "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/" - } - }, - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "script": { - "lang": "painless", - "description": "This script processor iterates over the whole document to remove fields with null values.", - "source": "void handleMap(Map map) {\n for (def x : map.values()) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n map.values().removeIf(v -> v == null || (v instanceof String && v == \"-\"));\n}\nvoid handleList(List list) {\n for (def x : list) {\n if (x instanceof Map) {\n handleMap(x);\n } else if (x instanceof List) {\n handleList(x);\n }\n }\n}\nhandleMap(ctx);\n" - } - }, - { - "remove": { - "field": "event.original", - "if": "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))", - "ignore_failure": true, - "ignore_missing": true - } - }, - { - "pipeline": { - "name": "logs-pfsense.log@custom", - "ignore_missing_pipeline": true - } - } - ], - "on_failure": [ - { - "remove": { - "field": [ - "_tmp" - ], - "ignore_failure": true - } - }, - { - "set": { - "field": "event.kind", - "value": "pipeline_error" - } - }, - { - "append": { - "field": "error.message", - "value": "{{{ _ingest.on_failure_message }}}" - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "pfsense" - } - } -} diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 similarity index 90% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 6166f6b55..d4861a35b 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.19.1 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -36,7 +36,7 @@ { "set": { "field": "event.timezone", - "value": "{{_tmp.tz_offset}}", + "value": "{{{_tmp.tz_offset}}}", "if": "ctx._tmp?.tz_offset != null && ctx._tmp?.tz_offset != 'local'" } }, @@ -83,7 +83,7 @@ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ], - "timezone": "{{ event.timezone }}" + "timezone": "{{{ event.timezone }}}" } }, { @@ -100,61 +100,67 @@ }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-firewall", + "name": "logs-pfsense.log-1.20.2-firewall", "if": "ctx.event.provider == 'filterlog'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-openvpn", + "name": "logs-pfsense.log-1.20.2-openvpn", "if": "ctx.event.provider == 'openvpn'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-ipsec", + "name": "logs-pfsense.log-1.20.2-ipsec", "if": "ctx.event.provider == 'charon'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-dhcp", + "name": "logs-pfsense.log-1.20.2-dhcp", "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-unbound", + "name": "logs-pfsense.log-1.20.2-unbound", "if": "ctx.event.provider == 'unbound'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-haproxy", + "name": "logs-pfsense.log-1.20.2-haproxy", "if": "ctx.event.provider == 'haproxy'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-php-fpm", + "name": "logs-pfsense.log-1.20.2-php-fpm", "if": "ctx.event.provider == 'php-fpm'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.19.1-squid", + "name": "logs-pfsense.log-1.20.2-squid", "if": "ctx.event.provider == 'squid'" } }, + { + "pipeline": { + "name": "logs-pfsense.log-1.20.2-snort", + "if": "ctx.event.provider == 'snort'" + } + }, { "pipeline": { - "name": "logs-pfsense.log-1.16.0-suricata", + "name": "logs-pfsense.log-1.20.2-suricata", "if": "ctx.event.provider == 'suricata'" } }, { "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"suricata\"].contains(ctx.event?.provider)" + "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)" } }, { @@ -288,7 +294,7 @@ { "append": { "field": "related.ip", - "value": "{{destination.ip}}", + "value": "{{{destination.ip}}}", "allow_duplicates": false, "if": "ctx.destination?.ip != null" } @@ -296,7 +302,7 @@ { "append": { "field": "related.ip", - "value": "{{source.ip}}", + "value": "{{{source.ip}}}", "allow_duplicates": false, "if": "ctx.source?.ip != null" } @@ -304,7 +310,7 @@ { "append": { "field": "related.ip", - "value": "{{source.nat.ip}}", + "value": "{{{source.nat.ip}}}", "allow_duplicates": false, "if": "ctx.source?.nat?.ip != null" } @@ -312,21 +318,21 @@ { "append": { "field": "related.hosts", - "value": "{{destination.domain}}", + "value": "{{{destination.domain}}}", "if": "ctx.destination?.domain != null" } }, { "append": { "field": "related.user", - "value": "{{user.name}}", + "value": "{{{user.name}}}", "if": "ctx.user?.name != null" } }, { "set": { "field": "network.direction", - "value": "{{network.direction}}bound", + "value": "{{{network.direction}}}bound", "if": "ctx.network?.direction != null && ctx.network?.direction =~ /^(in|out)$/" } }, @@ -403,12 +409,5 @@ "value": "{{{ _ingest.on_failure_message }}}" } } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "pfsense" - } - } -} + ] +} \ No newline at end of file diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata similarity index 100% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.16.0-suricata rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json deleted file mode 100644 index efd85bb4b..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-elastic_agent@package.json +++ /dev/null @@ -1,383 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs" - }, - "codec": "best_compression", - "default_pipeline": "logs-elastic_agent-1.20.0", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "cloud.project.id", - "cloud.image.id", - "container.id", - "container.image.name", - "container.name", - "host.architecture", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.os.build", - "host.os.codename", - "host.type", - "ecs.version", - "agent.build.original", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "log.level", - "message", - "elastic_agent.id", - "elastic_agent.process", - "elastic_agent.version", - "component.id", - "component.type", - "component.binary", - "component.state", - "component.old_state", - "unit.id", - "unit.type", - "unit.state", - "unit.old_state" - ] - } - } - }, - "mappings": { - "dynamic": false, - "dynamic_templates": [ - { - "container.labels": { - "path_match": "container.labels.*", - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "container": { - "properties": { - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elastic_agent": { - "properties": { - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "snapshot": { - "type": "boolean" - } - } - }, - "message": { - "type": "text" - }, - "cloud": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "component": { - "properties": { - "binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "unit": { - "properties": { - "old_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "wildcard" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "host": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "text": { - "type": "text" - } - } - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "containerized": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "dataset": { - "type": "constant_keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "elastic_agent" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json deleted file mode 100644 index bf60f2543..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-endpoint.diagnostic.collection@package.json +++ /dev/null @@ -1,132 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "logs-endpoint.collection-diagnostic" - }, - "codec": "best_compression", - "default_pipeline": "logs-endpoint.diagnostic.collection-8.10.2", - "mapping": { - "total_fields": { - "limit": "10000" - }, - "ignore_malformed": "true" - }, - "query": { - "default_field": [ - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type" - ] - } - } - }, - "mappings": { - "dynamic": false, - "properties": { - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "event": { - "properties": { - "severity": { - "type": "long" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ingested": { - "type": "date" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json deleted file mode 100644 index 8fc83f9cb..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_status@package.json +++ /dev/null @@ -1,201 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_status-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agents": { - "properties": { - "offline": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "total": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "updating": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "inactive": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "healthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unenrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "enrolled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "unhealthy_reason": { - "properties": { - "output": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "input": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "other": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - }, - "upgrading_step": { - "properties": { - "rollback": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "requested": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "restarting": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "downloading": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "scheduled": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "extracting": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "replacing": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "failed": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "watching": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - } - } - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json b/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json deleted file mode 100644 index af3323ee9..000000000 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics-fleet_server.agent_versions@package.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "lifecycle": { - "name": "metrics" - }, - "default_pipeline": "metrics-fleet_server.agent_versions-1.5.0", - "mapping": { - "total_fields": { - "limit": "1000" - } - } - } - }, - "mappings": { - "dynamic": false, - "_source": { - "mode": "synthetic" - }, - "properties": { - "cluster": { - "properties": { - "id": { - "time_series_dimension": true, - "type": "keyword" - } - } - }, - "fleet": { - "properties": { - "agent": { - "properties": { - "count": { - "time_series_metric": "gauge", - "meta": {}, - "type": "long" - }, - "version": { - "time_series_dimension": true, - "type": "keyword" - } - } - } - } - }, - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "@timestamp": { - "ignore_malformed": false, - "type": "date" - }, - "data_stream": { - "properties": { - "namespace": { - "type": "constant_keyword" - }, - "type": { - "type": "constant_keyword" - }, - "dataset": { - "type": "constant_keyword" - } - } - }, - "kibana": { - "properties": { - "uuid": { - "path": "agent.id", - "type": "alias" - }, - "version": { - "path": "agent.version", - "type": "alias" - } - } - } - } - } - }, - "_meta": { - "package": { - "name": "fleet_server" - }, - "managed_by": "fleet", - "managed": true - } -} From c711ffe6c5cba43ca64b782575dc09e27bb14e91 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:44:56 -0600 Subject: [PATCH 029/120] keep pipeline "managed" metadata --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index d4861a35b..78a65b444 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -1,5 +1,12 @@ { "description": "Pipeline for PFsense", + "_meta": { + "package": { + "name": "pfsense" + }, + "managed_by": "fleet", + "managed": true + }, "processors": [ { "set": { @@ -153,7 +160,7 @@ } }, { - "pipeline": { + "pipeline": { "name": "logs-pfsense.log-1.20.2-suricata", "if": "ctx.event.provider == 'suricata'" } From 03b76cbcf5ede6b1f590227ee414469edd4d1aec Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 13 Feb 2025 08:51:50 -0600 Subject: [PATCH 030/120] remove state files --- salt/manager/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 89255f839..85da8bbd9 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -538,8 +538,8 @@ post_to_2.4.120() { } post_to_2.4.130() { - # Integrations policies need to be updated - rm -f /opt/so/state/eaintegrations.txt + # Integrations policies need to be updated, along with ingest pipelines & index templates. + rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True From 8568c372f6e82f8ba508644155e8704fa8e1cd41 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:21:31 -0600 Subject: [PATCH 031/120] disable fleet apm --- salt/kibana/defaults.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index 6cc4d123a..d0ba37e7b 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -35,3 +35,5 @@ kibana: hostname: localhost fleet: registryUrl: "" + apm: + enabled: false From 85dcfbf36877e3cc4a56fe67bef5cc0ffb3280ba Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:27:36 -0600 Subject: [PATCH 032/120] update kibana default space --- salt/kibana/tools/sbin_jinja/so-kibana-space-defaults | 2 +- salt/manager/tools/sbin/soup | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults index 6e4959194..4a2b5902c 100755 --- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults +++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults @@ -13,6 +13,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCases"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","siem","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 85da8bbd9..3bcef79ef 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -544,6 +544,11 @@ post_to_2.4.130() { # Sync the newly generated index templates for elasticfleet integrations salt-call state.apply elasticsearch queue=True + # Update kibana default space + salt-call state.apply kibana.config queue=True + echo "Updating Kibana default space" + /usr/sbin/so-kibana-space-defaults + POSTVERSION=2.4.130 } From 12f0195f292f7e44f007e1b1f85da6e8fba3db08 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:28:23 -0600 Subject: [PATCH 033/120] pfsense integration - keep suricata events --- salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 index 78a65b444..d12a03149 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 @@ -167,7 +167,7 @@ }, { "drop": { - "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\"].contains(ctx.event?.provider)" + "if": "![\"filterlog\", \"openvpn\", \"charon\", \"dhcpd\", \"dhclient\", \"dhcp6c\", \"unbound\", \"haproxy\", \"php-fpm\", \"squid\", \"snort\", \"suricata\"].contains(ctx.event?.provider)" } }, { From 3530bff320522e6c255b77bfd55e9301346bc9fa Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 12:29:27 -0600 Subject: [PATCH 034/120] always update package components state file to ensure index templates are created with any available integration components --- .../sbin/so-elastic-fleet-optional-integrations-load | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load index 6d87b958c..dface5a72 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load @@ -91,15 +91,12 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then if [ "$PENDING_UPDATE" = true ]; then # Run bulk install of packages elastic_fleet_bulk_package_install $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_OUTPUT - - # Write out file for generating index/component/ilm templates - latest_installed_package_list=$(elastic_fleet_installed_packages) - echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS - else echo "Elastic integrations don't appear to need installation/updating..." - exit 0 fi + # Write out file for generating index/component/ilm templates + latest_installed_package_list=$(elastic_fleet_installed_packages) + echo $latest_installed_package_list | jq '[.items[] | {name: .name, es_index_patterns: .dataStreams}]' > $PACKAGE_COMPONENTS else # This is the installation of add-on integrations and upgrade of existing integrations. Exiting without error, next highstate will attempt to re-run. From 235a8e3934ff26f27c07057d3829648d5efd46cb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 17 Feb 2025 18:30:51 -0600 Subject: [PATCH 035/120] update index templates for endpoint integration --- salt/elasticsearch/defaults.yaml | 215 ++++++++++++++++++++++++++++--- 1 file changed, 196 insertions(+), 19 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 04198a160..3eafa5e3d 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1783,13 +1783,131 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_actions: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.actions@package + - .logs-endpoint.actions@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.actions@custom + index_patterns: + - logs-endpoint.actions-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-endpoint_x_action_x_responses: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.action.responses@package + - .logs-endpoint.action.responses@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.action.responses@custom + index_patterns: + - logs-endpoint.action.responses-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.actions-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-endpoint_x_alerts: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.alerts@custom - logs-endpoint.alerts@package + - logs-endpoint.alerts@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1846,9 +1964,9 @@ elasticsearch: index_sorting: false index_template: composed_of: + - .logs-endpoint.diagnostic.collection@package + - .logs-endpoint.diagnostic.collection@custom - event-mappings - - logs-endpoint.diagnostic.collection@custom - - logs-endpoint.diagnostic.collection@package - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1856,7 +1974,7 @@ elasticsearch: allow_custom_routing: false hidden: false ignore_missing_component_templates: - - logs-endpoint.diagnostic.collection@custom + - .logs-endpoint.diagnostic.collection@custom index_patterns: - .logs-endpoint.diagnostic.collection-* priority: 501 @@ -1905,9 +2023,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.api@custom - logs-endpoint.events.api@package + - logs-endpoint.events.api@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -1964,9 +2082,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.file@custom - logs-endpoint.events.file@package + - logs-endpoint.events.file@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2023,9 +2141,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.library@custom - logs-endpoint.events.library@package + - logs-endpoint.events.library@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2082,9 +2200,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.network@custom - logs-endpoint.events.network@package + - logs-endpoint.events.network@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2141,9 +2259,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.process@custom - logs-endpoint.events.process@package + - logs-endpoint.events.process@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2200,9 +2318,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.registry@custom - logs-endpoint.events.registry@package + - logs-endpoint.events.registry@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2259,9 +2377,9 @@ elasticsearch: index_sorting: false index_template: composed_of: - - event-mappings - - logs-endpoint.events.security@custom - logs-endpoint.events.security@package + - logs-endpoint.events.security@custom + - event-mappings - so-fleet_integrations.ip_mappings-1 - so-fleet_globals-1 - so-fleet_agent_id_verification-1 @@ -2314,6 +2432,65 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-endpoint_x_heartbeat: + index_sorting: false + index_template: + composed_of: + - .logs-endpoint.heartbeat@package + - .logs-endpoint.heartbeat@custom + - event-mappings + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + data_stream: + allow_custom_routing: false + hidden: false + ignore_missing_component_templates: + - .logs-endpoint.heartbeat@custom + index_patterns: + - .logs-endpoint.heartbeat-* + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-endpoint.heartbeat-logs + mapping: + total_fields: + limit: 5000 + number_of_replicas: 0 + sort: + field: '@timestamp' + order: desc + policy: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-http_endpoint_x_generic: index_sorting: false index_template: From c1c72ddd9b507e5c27d630edf31f26d5e7f95b40 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 10:39:54 -0600 Subject: [PATCH 036/120] update global@custom pipeline ignore null/empty string values --- salt/elasticsearch/files/ingest/global@custom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 4c522374e..57d0e5d20 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom @@ -10,7 +10,7 @@ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, - { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "description":"Fix EA network packet capture" } }, + { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, From 21ed1439e2b4ebff2b7c3f3138d8fcf93909e4e9 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 10:40:18 -0600 Subject: [PATCH 037/120] update udp integration policy --- .../integrations/grid-nodes_general/syslog-udp-514.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json index ad32a6964..22821dea8 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/syslog-udp-514.json @@ -11,7 +11,7 @@ "udp-udp": { "enabled": true, "streams": { - "udp.generic": { + "udp.udp": { "enabled": true, "vars": { "listen_address": "0.0.0.0", @@ -20,11 +20,13 @@ "pipeline": "syslog", "max_message_size": "10KiB", "keep_null": false, - "processors": "- add_fields:\n target: event\n fields: \n module: syslog\n", + "processors": "- add_fields:\n target: event\n fields: \n module: syslog", "tags": [ "syslog" ], - "syslog_options": "field: message\n#format: auto\n#timezone: Local" + "syslog_options": "field: message\n#format: auto\n#timezone: Local\n", + "preserve_original_event": false, + "custom": "" } } } From 5c3e28535a4a2519cf5d4d23663287d450217adc Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 18 Feb 2025 11:46:45 -0500 Subject: [PATCH 038/120] FIX: Add TLSv1.3 to nginx config #14252 --- salt/nginx/etc/nginx.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 3168a5986..af8312a84 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -103,7 +103,7 @@ http { ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; } {%- endif %} @@ -144,7 +144,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location / { allow all; sendfile on; @@ -177,7 +177,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ GLOBALS.manager }}:9822; From 7dd64380cc59840bda921a55e9ed4ccff3bf513d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 11:48:00 -0500 Subject: [PATCH 039/120] Enable TLSv1.3 and use consistent ciphers across listeners --- salt/nginx/etc/nginx.conf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index 3168a5986..dd4842930 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -101,9 +101,8 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; - ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; } {%- endif %} @@ -144,7 +143,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location / { allow all; sendfile on; @@ -177,7 +176,7 @@ http { ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2; + ssl_protocols TLSv1.2 TLSv1.3; location ~* (^/login/.*|^/js/.*|^/css/.*|^/images/.*) { proxy_pass http://{{ GLOBALS.manager }}:9822; From 1be8de7acbc08b9df04aec9dea0a3f3b9458eba5 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 11:16:57 -0600 Subject: [PATCH 040/120] must use null check --- salt/elasticsearch/files/ingest/global@custom | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elasticsearch/files/ingest/global@custom b/salt/elasticsearch/files/ingest/global@custom index 57d0e5d20..e11a0be72 100644 --- a/salt/elasticsearch/files/ingest/global@custom +++ b/salt/elasticsearch/files/ingest/global@custom @@ -10,7 +10,7 @@ { "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } }, { "split": { "if": "ctx.data_stream?.dataset.contains('.')", "field":"data_stream.dataset", "separator":"\\.", "target_field":"datastream_dataset_temp", "ignore_missing":true } }, { "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } }, - { "set": { "if": "ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, + { "set": { "if": "ctx.datastream_dataset_temp != null && ctx.datastream_dataset_temp[0] == 'network_traffic'", "field":"event.module", "value":"{{ datastream_dataset_temp.0 }}", "ignore_failure":true, "ignore_empty_value":true, "description":"Fix EA network packet capture" } }, { "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } }, { "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}", "allow_duplicates": false } }, { "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } }, From 19593cd771905d097932bc070160d9b26151f9f2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:17:50 -0500 Subject: [PATCH 041/120] use consistent ciphers across listeners --- salt/nginx/etc/nginx.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index dd4842930..069e55cdb 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf @@ -101,6 +101,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; } @@ -142,6 +143,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; location / { @@ -175,6 +177,7 @@ http { ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256:TLS_RSA_WITH_AES_256_GCM_SHA384:TLS_RSA_WITH_AES_256_CCM:TLS_RSA_WITH_ARIA_256_GCM_SHA384:TLS_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_128_CCM:TLS_RSA_WITH_ARIA_128_GCM_SHA256; + ssl_ecdh_curve secp521r1:secp384r1; ssl_prefer_server_ciphers on; ssl_protocols TLSv1.2 TLSv1.3; From b25b6f7bf2e45080b22f45e1ba2e3714985b69b4 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:37:25 -0500 Subject: [PATCH 042/120] Support CLI changing of a user's password without disabling existing auth settings for that user --- salt/manager/tools/sbin/so-user | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index e6ac9eb1f..e6cf661dc 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -46,10 +46,11 @@ function usage() { Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - password: Updates a user's password and disables MFA + password: Updates a user's password and disables MFA, SSO, etc Required parameters: --email Optional parameters: + --password-only (only updates the password, does not disable MFA or SSO) --skip-sync (defers the Elastic sync until the next scheduled time) profile: Updates a user's profile information @@ -119,6 +120,8 @@ while [[ $# -gt 0 ]]; do note=$(echo $1 | sed 's/"/\\"/g') shift ;; + --password-only) + passwordOnly=1 --skip-sync) SKIP_SYNC=1 ;; @@ -236,6 +239,11 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" + + if [[ $passwordOnly -eq 1 ]]; then + return + fi + # Deactivate MFA echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs" From 23ab8983f72485a38f26f145c52c125f1793c51a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 18 Feb 2025 12:41:41 -0500 Subject: [PATCH 043/120] Revert "Support CLI changing of a user's password without disabling existing auth settings for that user" This reverts commit b25b6f7bf2e45080b22f45e1ba2e3714985b69b4. --- salt/manager/tools/sbin/so-user | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user index e6cf661dc..e6ac9eb1f 100755 --- a/salt/manager/tools/sbin/so-user +++ b/salt/manager/tools/sbin/so-user @@ -46,11 +46,10 @@ function usage() { Optional parameters: --skip-sync (defers the Elastic sync until the next scheduled time) - password: Updates a user's password and disables MFA, SSO, etc + password: Updates a user's password and disables MFA Required parameters: --email Optional parameters: - --password-only (only updates the password, does not disable MFA or SSO) --skip-sync (defers the Elastic sync until the next scheduled time) profile: Updates a user's profile information @@ -120,8 +119,6 @@ while [[ $# -gt 0 ]]; do note=$(echo $1 | sed 's/"/\\"/g') shift ;; - --password-only) - passwordOnly=1 --skip-sync) SKIP_SYNC=1 ;; @@ -239,11 +236,6 @@ function updatePassword() { # Update DB with new hash echo "update identity_credentials set config=CAST('{\"hashed_password\":\"$passwordHash\"}' as BLOB), created_at=datetime('now'), updated_at=datetime('now') where identity_id='${identityId}' and identity_credential_type_id=(select id from identity_credential_types where name='password');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to update password" - - if [[ $passwordOnly -eq 1 ]]; then - return - fi - # Deactivate MFA echo "delete from identity_credential_identifiers where identity_credential_id in (select id from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc')));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath" [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs" From 2b7ebf08cbcd2c87a9a5233692ba7caf19b8fb55 Mon Sep 17 00:00:00 2001 From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 13:18:08 -0600 Subject: [PATCH 044/120] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index 452820224..04d2c4735 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.4.0-foxtrot \ No newline at end of file +2.4.130 From f991d8a10a05986183b6197cc2ee662b25518f95 Mon Sep 17 00:00:00 2001 From: Jorge Reyes <94730068+reyesj2@users.noreply.github.com> Date: Tue, 18 Feb 2025 14:37:20 -0600 Subject: [PATCH 045/120] Update .gitleaks.toml --- .github/.gitleaks.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/.gitleaks.toml b/.github/.gitleaks.toml index 21a047959..2111ed7bc 100644 --- a/.github/.gitleaks.toml +++ b/.github/.gitleaks.toml @@ -536,7 +536,7 @@ secretGroup = 4 [allowlist] description = "global allow lists" -regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password'''] +regexes = ['''219-09-9999''', '''078-05-1120''', '''(9[0-9]{2}|666)-\d{2}-\d{4}''', '''RPM-GPG-KEY.*''', '''.*:.*StrelkaHexDump.*''', '''.*:.*PLACEHOLDER.*''', '''ssl_.*password''', '''integration_key\s=\s"so-logs-"'''] paths = [ '''gitleaks.toml''', '''(.*?)(jpg|gif|doc|pdf|bin|svg|socket)$''', From 45c66b93d7f3057006d0e5148ae849175f9abc22 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 19 Feb 2025 09:23:48 -0600 Subject: [PATCH 046/120] make sure only a non-empty file is loaded Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/template.map.jinja | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/salt/elasticsearch/template.map.jinja b/salt/elasticsearch/template.map.jinja index c1ff2cb24..aa90cb81b 100644 --- a/salt/elasticsearch/template.map.jinja +++ b/salt/elasticsearch/template.map.jinja @@ -16,10 +16,13 @@ {# start generation of integration default index_settings #} {% if salt['file.file_exists']('/opt/so/state/esfleet_package_components.json') %} -{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} -{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} -{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} -{% endfor %} +{% set check_package_components = salt['file.stats']('/opt/so/state/esfleet_package_components.json') %} +{% if check_package_components.size > 1 %} +{% from 'elasticfleet/integration-defaults.map.jinja' import ADDON_INTEGRATION_DEFAULTS %} +{% for index, settings in ADDON_INTEGRATION_DEFAULTS.items() %} +{% do ES_INDEX_SETTINGS_ORIG.update({index: settings}) %} +{% endfor %} +{% endif%} {% endif %} {# end generation of integration default index_settings #} From 64f6a2d81efd39469a01c8a33e4053a536dfce9d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 19 Feb 2025 10:38:37 -0600 Subject: [PATCH 047/120] re-enable security (siem) in default kibana space --- salt/kibana/tools/sbin_jinja/so-kibana-space-defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults index 4a2b5902c..a22aba066 100755 --- a/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults +++ b/salt/kibana/tools/sbin_jinja/so-kibana-space-defaults @@ -13,6 +13,6 @@ echo "Setting up default Space:" {% if HIGHLANDER %} curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["enterpriseSearch"]} ' >> /opt/so/log/kibana/misc.log {% else %} -curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","siem","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log +curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X PUT "localhost:5601/api/spaces/space/default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' {"id":"default","name":"Default","disabledFeatures":["ml","enterpriseSearch","logs","infrastructure","apm","uptime","monitoring","stackAlerts","actions","securitySolutionCasesV2","inventory","dataQuality","actions"]} ' >> /opt/so/log/kibana/misc.log {% endif %} echo From c6d72d31cb8b1d0458ef2601c6b03eb8a8945f1a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 19 Feb 2025 16:16:38 -0500 Subject: [PATCH 048/120] Update Elastic Defend JSON --- .../elastic-defend-endpoints.json | 37 +++++++++++-------- 1 file changed, 21 insertions(+), 16 deletions(-) diff --git a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json index 0348a0198..87870c7bc 100644 --- a/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json +++ b/salt/elasticfleet/files/integrations/elastic-defend/elastic-defend-endpoints.json @@ -3,25 +3,30 @@ "namespace": "default", "description": "", "package": { - "name": "endpoint", - "title": "Elastic Defend", - "version": "8.17.0" + "name": "endpoint", + "title": "Elastic Defend", + "version": "8.17.0", + "requires_root": true }, "enabled": true, "policy_id": "endpoints-initial", - "inputs": [{ - "type": "ENDPOINT_INTEGRATION_CONFIG", + "vars": {}, + "inputs": [ + { + "type": "endpoint", "enabled": true, - "streams": [], "config": { - "_config": { - "value": { - "type": "endpoint", - "endpointConfig": { - "preset": "DataCollection" - } - } + "integration_config": { + "value": { + "type": "endpoint", + "endpointConfig": { + "preset": "DataCollection" + } } - } - }] -} + } + }, + "streams": [] + } + ] + } + \ No newline at end of file From 499d473b9d9682e3a295ff2a86f8c64c2626f6d3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 10:06:59 -0600 Subject: [PATCH 049/120] set metrics indices to 0 replicas --- .../templates/component/elastic-agent/metrics@custom.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json new file mode 100644 index 000000000..6826af601 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json @@ -0,0 +1,7 @@ +{ + "template": { + "settings": { + "number_of_replicas": 0 + } + } + } \ No newline at end of file From 7c2118f2f6df830576d3e2ac90d0a19a19b79d75 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 11:07:50 -0500 Subject: [PATCH 050/120] Create LICENSE --- LICENSE | 53 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 000000000..77329e94a --- /dev/null +++ b/LICENSE @@ -0,0 +1,53 @@ +Elastic License 2.0 (ELv2) + +Acceptance + + By using the software, you agree to all of the terms and conditions below. + +Copyright License + + The licensor grants you a non-exclusive, royalty-free, worldwide, non-sublicensable, non-transferable license to use, copy, distribute, make available, and prepare derivative works of the software, in each case subject to the limitations and conditions below. + +Limitations + + You may not provide the software to third parties as a hosted or managed service, where the service provides users with access to any substantial set of the features or functionality of the software. + + You may not move, change, disable, or circumvent the license key functionality in the software, and you may not remove or obscure any functionality in the software that is protected by the license key. + + You may not alter, remove, or obscure any licensing, copyright, or other notices of the licensor in the software. Any use of the licensor’s trademarks is subject to applicable law. + +Patents + + The licensor grants you a license, under any patent claims the licensor can license, or becomes able to license, to make, have made, use, sell, offer for sale, import and have imported the software, in each case subject to the limitations and conditions in this license. This license does not cover any patent claims that you cause to be infringed by modifications or additions to the software. If you or your company make any written claim that the software infringes or contributes to infringement of any patent, your patent license for the software granted under these terms ends immediately. If your company makes such a claim, your patent license ends immediately for work on behalf of your company. + +Notices + + You must ensure that anyone who gets a copy of any part of the software from you also gets a copy of these terms. + + If you modify the software, you must include in any modified copies of the software prominent notices stating that you have modified the software. + +No Other Rights + + These terms do not imply any licenses other than those expressly granted in these terms. + +Termination + + If you use the software in violation of these terms, such use is not licensed, and your licenses will automatically terminate. If the licensor provides you with a notice of your violation, and you cease all violation of this license no later than 30 days after you receive that notice, your licenses will be reinstated retroactively. However, if you violate these terms after such reinstatement, any additional violation of these terms will cause your licenses to terminate automatically and permanently. + +No Liability + + As far as the law allows, the software comes as is, without any warranty or condition, and the licensor will not be liable to you for any damages arising out of these terms or the use or nature of the software, under any kind of legal claim. + +Definitions + + The licensor is the entity offering these terms, and the software is the software the licensor makes available under these terms, including any portion of it. + + you refers to the individual or entity agreeing to these terms. + + your company is any legal entity, sole proprietorship, or other kind of organization that you work for, plus all organizations that have control over, are under the control of, or are under common control with that organization. control means ownership of substantially all the assets of an entity, or the power to direct its management and policies by vote, contract, or otherwise. Control can be direct or indirect. + + your licenses are all the licenses granted to you for the software under these terms. + + use means anything you do with the software requiring one of your licenses. + + trademark means trademarks, service marks, and similar rights. From c9b41e2eb1ea233c1007b09681ad63dc110132d4 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 10:11:34 -0600 Subject: [PATCH 051/120] formatting Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- .../component/elastic-agent/metrics@custom.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json index 6826af601..5b459147b 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json +++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json @@ -1,7 +1,7 @@ { - "template": { - "settings": { - "number_of_replicas": 0 - } + "template": { + "settings": { + "number_of_replicas": 0 } - } \ No newline at end of file + } +} \ No newline at end of file From 25dfc182a98d7c9d19c3f3597eaab3e2c05268d0 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:18:02 -0500 Subject: [PATCH 052/120] Delete .github/ISSUE_TEMPLATE --- .github/ISSUE_TEMPLATE | 12 ------------ 1 file changed, 12 deletions(-) delete mode 100644 .github/ISSUE_TEMPLATE diff --git a/.github/ISSUE_TEMPLATE b/.github/ISSUE_TEMPLATE deleted file mode 100644 index e02405f16..000000000 --- a/.github/ISSUE_TEMPLATE +++ /dev/null @@ -1,12 +0,0 @@ -PLEASE STOP AND READ THIS INFORMATION! - -If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum instead: -https://securityonion.net/discuss - -If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum to start a conversation about it instead of creating an issue. - -If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following: -- duplicated the issue on a fresh installation of the latest version -- provide information about your system and how you installed Security Onion -- include relevant log files -- include reproduction steps From 2be53849806e4e3aab144e2740b744fdd273f53a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:19:08 -0500 Subject: [PATCH 053/120] Create config.yml --- .github/ISSUE_TEMPLATE/config.yml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/config.yml diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml new file mode 100644 index 000000000..5758e82cf --- /dev/null +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -0,0 +1,5 @@ +blank_issues_enabled: false +contact_links: + - name: Security Onion Discussions + url: https://securityonion.com/discussions + about: Please ask and answer questions here From 5dc9200ee70be46f48e9d0349f79533931840973 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 20 Feb 2025 13:19:22 -0500 Subject: [PATCH 054/120] Add files via upload --- .github/ISSUE_TEMPLATE/bug_report.md | 38 ++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/bug_report.md diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 000000000..43b490b49 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,38 @@ +--- +name: Bug report +about: This option is for experienced community members to report a confirmed, reproducible bug +title: '' +labels: '' +assignees: '' + +--- +PLEASE STOP AND READ THIS INFORMATION! + +If you are creating an issue just to ask a question, you will likely get faster and better responses by posting to our discussions forum at https://securityonion.net/discuss. + +If you think you have found a possible bug or are observing a behavior that you weren't expecting, use the discussion forum at https://securityonion.net/discuss to start a conversation about it instead of creating an issue. + +If you are very familiar with the latest version of the product and are confident you have found a bug in Security Onion, you can continue with creating an issue here, but please make sure you have done the following: +- duplicated the issue on a fresh installation of the latest version +- provide information about your system and how you installed Security Onion +- include relevant log files +- include reproduction steps + +**Describe the bug** +A clear and concise description of what the bug is. + +**To Reproduce** +Steps to reproduce the behavior: +1. Go to '...' +2. Click on '....' +3. Scroll down to '....' +4. See error + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Additional context** +Add any other context about the problem here. From 3b6344e7f0163a4e27c71a7bd27eab1edbd61299 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 12:42:30 -0600 Subject: [PATCH 055/120] add back settings previously defined when overwritting logs-elastic_agent@package and logs-endpoint.diagnostics.collection@package --- salt/elasticsearch/defaults.yaml | 66 ++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 82a75bf6b..673739952 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1146,15 +1146,65 @@ elasticsearch: name: elastic_agent settings: index: + codec: best_compression lifecycle: name: so-logs-elastic_agent-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - cloud.account.id + - cloud.availability_zone + - cloud.instance.id + - cloud.instance.name + - cloud.machine.type + - cloud.provider + - cloud.region + - cloud.project.id + - cloud.image.id + - container.id + - container.image.name + - container.name + - host.architecture + - host.hostname + - host.id + - host.mac + - host.name + - host.os.family + - host.os.kernel + - host.os.name + - host.os.platform + - host.os.version + - host.os.build + - host.os.codename + - host.type + - ecs.version + - agent.build.original + - agent.ephemeral_id + - agent.id + - agent.name + - agent.type + - agent.version + - log.level + - message + - elastic_agent.id + - elastic_agent.process + - elastic_agent.version + - component.id + - component.type + - component.binary + - component.state + - component.old_state + - unit.id + - unit.type + - unit.state + - unit.old_state policy: _meta: managed: true @@ -1988,15 +2038,31 @@ elasticsearch: template: settings: index: + codec: best_compression lifecycle: name: so-logs-endpoint.diagnostic.collection-logs mapping: total_fields: limit: 5000 + ignore_malformed: true number_of_replicas: 0 sort: field: '@timestamp' order: desc + query: + default_field: + - ecs.version + - event.action + - event.category + - event.code + - event.dataset + - event.hash + - event.id + - event.kind + - event.module + - event.outcome + - event.provider + - event.type policy: _meta: managed: true From df350b5a56464e4c628536c14270f8b67664e6a2 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 14:20:09 -0600 Subject: [PATCH 056/120] ES 8.17.2 --- salt/elasticsearch/defaults.yaml | 2 +- salt/kibana/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 673739952..c3957361a 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.1 + version: 8.17.2 index_clean: true config: action: diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index d0ba37e7b..a4be3787f 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.1" + discardCorruptObjects: "8.17.2" telemetry: enabled: False security: From 69b559fb26d9b35a906844579467352be98ec5da Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 20 Feb 2025 17:11:28 -0600 Subject: [PATCH 057/120] ES 8.17.2 pipeline version updates --- .../grid-nodes_general/import-evtx-logs.json | 2 +- ...nse.log-1.20.2 => logs-pfsense.log-1.21.0} | 28 +++++++++---------- ...icata => logs-pfsense.log-1.21.0-suricata} | 0 3 files changed, 15 insertions(+), 15 deletions(-) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.20.2 => logs-pfsense.log-1.21.0} (94%) rename salt/elasticsearch/files/ingest/{logs-pfsense.log-1.20.2-suricata => logs-pfsense.log-1.21.0-suricata} (100%) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index bef0bf931..bb79891b6 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.64.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.3.6\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.64.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.64.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.3.6\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.66.1\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.4.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.66.1\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.66.1\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.4.1\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ "import" ] diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 similarity index 94% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 index d12a03149..7c4f2575f 100644 --- a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2 +++ b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0 @@ -1,17 +1,17 @@ { "description": "Pipeline for PFsense", "_meta": { + "managed_by": "fleet", + "managed": true, "package": { "name": "pfsense" - }, - "managed_by": "fleet", - "managed": true + } }, "processors": [ { "set": { "field": "ecs.version", - "value": "8.11.0" + "value": "8.17.0" } }, { @@ -107,61 +107,61 @@ }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-firewall", + "name": "logs-pfsense.log-1.21.0-firewall", "if": "ctx.event.provider == 'filterlog'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-openvpn", + "name": "logs-pfsense.log-1.21.0-openvpn", "if": "ctx.event.provider == 'openvpn'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-ipsec", + "name": "logs-pfsense.log-1.21.0-ipsec", "if": "ctx.event.provider == 'charon'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-dhcp", + "name": "logs-pfsense.log-1.21.0-dhcp", "if": "[\"dhcpd\", \"dhclient\", \"dhcp6c\"].contains(ctx.event.provider)" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-unbound", + "name": "logs-pfsense.log-1.21.0-unbound", "if": "ctx.event.provider == 'unbound'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-haproxy", + "name": "logs-pfsense.log-1.21.0-haproxy", "if": "ctx.event.provider == 'haproxy'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-php-fpm", + "name": "logs-pfsense.log-1.21.0-php-fpm", "if": "ctx.event.provider == 'php-fpm'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-squid", + "name": "logs-pfsense.log-1.21.0-squid", "if": "ctx.event.provider == 'squid'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-snort", + "name": "logs-pfsense.log-1.21.0-snort", "if": "ctx.event.provider == 'snort'" } }, { "pipeline": { - "name": "logs-pfsense.log-1.20.2-suricata", + "name": "logs-pfsense.log-1.21.0-suricata", "if": "ctx.event.provider == 'suricata'" } }, diff --git a/salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata b/salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0-suricata similarity index 100% rename from salt/elasticsearch/files/ingest/logs-pfsense.log-1.20.2-suricata rename to salt/elasticsearch/files/ingest/logs-pfsense.log-1.21.0-suricata From 66a2ec7e2131a31325242fec493781eb6e13211f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 21 Feb 2025 08:38:40 -0500 Subject: [PATCH 058/120] ES upgrade errors to ignore --- salt/common/tools/sbin/so-log-check | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index 91417171c..b9bc76f9f 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -126,6 +126,7 @@ if [[ $EXCLUDE_STARTUP_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Unable to get license information" # Logstash trying to contact ES before it's ready EXCLUDED_ERRORS="$EXCLUDED_ERRORS|process already finished" # Telegraf script finished just as the auto kill timeout kicked in EXCLUDED_ERRORS="$EXCLUDED_ERRORS|No shard available" # Typical error when making a query before ES has finished loading all indices + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|responded with status-code 503" # telegraf getting 503 from ES during startup fi if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then @@ -152,6 +153,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|is not an ip string literal" # false positive (Open Canary logging out blank IP addresses) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule" # false positive (rule sync log line includes rule name which can contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log) + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error') fi if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then @@ -213,6 +215,7 @@ if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncErrors" # Detections: Not an actual error EXCLUDED_ERRORS="$EXCLUDED_ERRORS|Initialized license manager" # SOC log: before fields.status was changed to fields.licenseStatus EXCLUDED_ERRORS="$EXCLUDED_ERRORS|from NIC checksum offloading" # zeek reporter.log + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|marked for removal" # docker container getting recycled fi RESULT=0 From 22f3865602b79e9a7668553b52b2d6f121977f08 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 21 Feb 2025 09:32:36 -0500 Subject: [PATCH 059/120] Dont upgrade integrations during pre-phase --- salt/manager/tools/sbin/soup | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index f1b09280e..2db86ce9b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -757,10 +757,6 @@ up_to_2.4.120() { mkdir -p /opt/so/saltstack/local/pillar/versionlock touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls - # New Grid Integration added this release - rm -f /opt/so/state/eaintegrations.txt - - INSTALLEDVERSION=2.4.120 } From c1282e77a00b59ff765fe93257aa8391b7521c02 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 21 Feb 2025 14:02:22 -0600 Subject: [PATCH 060/120] move removal of eaintegrations.txt to up_to_2.4.130 --- salt/manager/tools/sbin/soup | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 2db86ce9b..544eefc17 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -540,11 +540,6 @@ post_to_2.4.120() { } post_to_2.4.130() { - # Integrations policies need to be updated, along with ingest pipelines & index templates. - rm -f /opt/so/state/eaintegrations.txt /opt/so/state/espipelines.txt /opt/so/state/estemplates.txt - - # Sync the newly generated index templates for elasticfleet integrations - salt-call state.apply elasticsearch queue=True # Update kibana default space salt-call state.apply kibana.config queue=True @@ -765,6 +760,9 @@ up_to_2.4.130() { # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade + # Integrations policies need to be updated + rm -f /opt/so/state/eaintegrations.txt + INSTALLEDVERSION=2.4.130 } From 7155ccaf962ab99272f3533fbb2288f5f5a6fd6a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 21 Feb 2025 17:10:39 -0500 Subject: [PATCH 061/120] ensure override for nmcli exists in /etc --- salt/manager/tools/sbin/soup | 3 +++ setup/so-functions | 15 ++++++--------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 544eefc17..5da116e05 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -763,6 +763,9 @@ up_to_2.4.130() { # Integrations policies need to be updated rm -f /opt/so/state/eaintegrations.txt + # Ensure override exists to allow nmcli access to other devices + touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf + INSTALLEDVERSION=2.4.130 } diff --git a/setup/so-functions b/setup/so-functions index fa7e8a043..5c4da25ba 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -167,17 +167,14 @@ check_manager_connection() { } check_network_manager_conf() { - local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" - local nmconf="/etc/NetworkManager/NetworkManager.conf" + local gmdconf="/etc/NetworkManager/conf.d/10-globally-managed-devices.conf" local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d" - if test -f "$gmdconf" && ! test -f "${gmdconf}.bak"; then - { - mv "$gmdconf" "${gmdconf}.bak" - touch "$gmdconf" - systemctl restart NetworkManager - } >> "$setup_log" 2>&1 - fi + { + [[ -f $gmdconf ]] && mv "$gmdconf" "${gmdconf}.bak" + touch "$gmdconf" + systemctl restart NetworkManager + } >> "$setup_log" 2>&1 if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> "$setup_log" 2>&1 From 6d0350793db4fe29d879036f122da6453147b0aa Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Sun, 23 Feb 2025 14:02:17 -0500 Subject: [PATCH 062/120] Remove old defend json --- salt/manager/tools/sbin/soup | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 5da116e05..27123c660 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -533,9 +533,6 @@ post_to_2.4.120() { # Manually rollover suricata alerts index to ensure data_stream.dataset expected mapping is set to 'suricata' rollover_index "logs-suricata.alerts-so" - echo "Regenerating Elastic Agent Installers" - /sbin/so-elastic-agent-gen-installers - POSTVERSION=2.4.120 } @@ -546,6 +543,9 @@ post_to_2.4.130() { echo "Updating Kibana default space" /usr/sbin/so-kibana-space-defaults + echo "Regenerating Elastic Agent Installers" + /sbin/so-elastic-agent-gen-installers + POSTVERSION=2.4.130 } @@ -757,12 +757,12 @@ up_to_2.4.120() { } up_to_2.4.130() { + # Remove any old Elastic Defend config files + rm -f /opt/so/conf/elastic-fleet/integrations/endpoints-initial/elastic-defend-endpoints.json + # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade - # Integrations policies need to be updated - rm -f /opt/so/state/eaintegrations.txt - # Ensure override exists to allow nmcli access to other devices touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf From 3f2b0973af3aeb86d8adae58ea2a49d013b0e71d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 08:59:59 -0600 Subject: [PATCH 063/120] manually create unused logs-soc@package for successful elasticsearch templates load --- .../component/elastic-agent/logs-soc@package.json | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json new file mode 100644 index 000000000..bf3c4f649 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json @@ -0,0 +1,7 @@ +{ + "package": { + "name": "log" + }, + "managed_by": "fleet", + "managed": true +} \ No newline at end of file From d7c06e5ff4622b5c370baacd4f20b3baf06d6d0b Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 09:02:56 -0600 Subject: [PATCH 064/120] run elasticsearch state, right before completing soup to ensure templates for optional integrations are loaded --- salt/manager/tools/sbin/soup | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 27123c660..a6c9b7693 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -537,6 +537,10 @@ post_to_2.4.120() { } post_to_2.4.130() { + # Optional integrations are loaded AFTER initial successful load of core ES templates (/opt/so/state/estemplates.txt) + # Dynamic templates are created in elasticsearch.enabled for every optional integration based on output of so-elastic-fleet-optional-integrations-load script + echo "Ensuring Elasticsearch templates are up to date after updating package registry" + salt-call state.apply elasticsearch queue=True # Update kibana default space salt-call state.apply kibana.config queue=True From e2772e899e8d53d48f070242f008eb565a47509d Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 10:24:11 -0600 Subject: [PATCH 065/120] component template missing metadata field --- .../templates/component/elastic-agent/logs-soc@package.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json index bf3c4f649..a2ad15b79 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-soc@package.json @@ -1,7 +1,10 @@ { + "template": {}, + "_meta": { "package": { "name": "log" }, "managed_by": "fleet", "managed": true + } } \ No newline at end of file From 17edc06987b70add37fa5408b8dc1790f1a29efb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 24 Feb 2025 14:45:43 -0600 Subject: [PATCH 066/120] allow installing integrations that require an elastic license --- ...o-elastic-fleet-optional-integrations-load | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) rename salt/elasticfleet/tools/{sbin => sbin_jinja}/so-elastic-fleet-optional-integrations-load (80%) diff --git a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load similarity index 80% rename from salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load rename to salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load index dface5a72..f97ed577b 100644 --- a/salt/elasticfleet/tools/sbin/so-elastic-fleet-optional-integrations-load +++ b/salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-optional-integrations-load @@ -3,6 +3,7 @@ # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use # this file except in compliance with the Elastic License 2.0. +{% set SUB = salt['pillar.get']('elasticfleet:config:subscription_integrations', default=false) %} . /usr/sbin/so-common . /usr/sbin/so-elastic-fleet-common @@ -16,7 +17,6 @@ BULK_INSTALL_PACKAGE_TMP=/tmp/esfleet_bulk_install_tmp.json BULK_INSTALL_OUTPUT=/opt/so/state/esfleet_bulk_install_results.json PACKAGE_COMPONENTS=/opt/so/state/esfleet_package_components.json -SKIP_SUBSCRIPTION=true PENDING_UPDATE=false # Integrations which are included in the package registry, but excluded from automatic installation via this script. @@ -63,7 +63,8 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then bulk_package=$(echo "$package" | jq '{name: .name, version: .latest_version}' ) if [[ ! "${EXCLUDED_INTEGRATIONS[@]}" =~ "$package_name" ]]; then - if $SKIP_SUBSCRIPTION && [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then + {% if not SUB %} + if [[ "$subscription" != "basic" && "$subscription" != "null" && -n "$subscription" ]]; then # pass over integrations that require non-basic elastic license echo "$package_name integration requires an Elastic license of $subscription or greater... skipping" continue @@ -83,6 +84,20 @@ if [[ -f $STATE_FILE_SUCCESS ]]; then fi fi fi + {% else %} + if [[ "$installed_version" == "null" || -z "$installed_version" ]]; then + echo "$package_name is not installed... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + else + results=$(compare_versions "$latest_version" "$installed_version") + if [ $results == "greater" ]; then + echo "$package_name is at version $installed_version latest version is $latest_version... Adding to next update." + jq --argjson package "$bulk_package" '.packages += [$package]' $BULK_INSTALL_PACKAGE_LIST > $BULK_INSTALL_PACKAGE_TMP && mv $BULK_INSTALL_PACKAGE_TMP $BULK_INSTALL_PACKAGE_LIST + PENDING_UPDATE=true + fi + fi + {% endif %} else echo "Skipping $package_name..." fi From 9dafa062f8b600f6eaf90411d34b137d50715159 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 25 Feb 2025 17:00:41 -0500 Subject: [PATCH 067/120] annotation/config updates --- salt/hydra/soc_hydra.yaml | 1 + salt/sensoroni/files/sensoroni.json | 1 + salt/soc/soc_soc.yaml | 6 +++++- 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/salt/hydra/soc_hydra.yaml b/salt/hydra/soc_hydra.yaml index 1e33f00ea..40e07ab1b 100644 --- a/salt/hydra/soc_hydra.yaml +++ b/salt/hydra/soc_hydra.yaml @@ -2,6 +2,7 @@ hydra: enabled: description: Enables or disables the API authentication system, used for service account authentication. Enabling this feature requires a valid Security Onion license key. Defaults to False. helpLink: connect.html + global: True config: ttl: access_token: diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 547e52ada..917498ba1 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -8,6 +8,7 @@ "role": "{{ GLOBALS.role }}", "description": {{ SENSORONIMERGED.config.node_description | tojson }}, "address": "{{ GLOBALS.node_ip }}", + "mgmtNic": "{{ GLOBALS.main_interface }}", "model": "{{ GLOBALS.so_model }}", "pollIntervalMs": {{ SENSORONIMERGED.config.node_checkin_interval_ms }}, "serverUrl": "https://{{ GLOBALS.url_base }}/sensoroniagents", diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8d6bab06b..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -54,7 +54,11 @@ soc: title: Log Level description: The SOC log level, useful for enabling debug logging for advanced troubleshooting. Allowed values are debug, info, warn, error. The SOC log is available at /opt/so/log/soc/sensoroni-server.log. global: True - regex: ^(info|debug|warn|error)$ + options: + - info + - debug + - warn + - error actions: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True From 80fed1e0451a4941e9ed47b2d43ebc8ec6fa9034 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 25 Feb 2025 21:47:56 -0600 Subject: [PATCH 068/120] default capinfos to use start/end time arg --- salt/common/tools/sbin_jinja/so-import-pcap | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin_jinja/so-import-pcap b/salt/common/tools/sbin_jinja/so-import-pcap index d3886305e..5f2370a4a 100755 --- a/salt/common/tools/sbin_jinja/so-import-pcap +++ b/salt/common/tools/sbin_jinja/so-import-pcap @@ -63,7 +63,7 @@ function status { function pcapinfo() { PCAP=$1 ARGS=$2 - docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap $ARGS + docker run --rm -v "$PCAP:/input.pcap" --entrypoint capinfos {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-pcaptools:{{ VERSION }} /input.pcap -ae $ARGS } function pcapfix() { From a5ae481ea4db1a9cf2e5ea22142bb5b5eb61b4a0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:10:57 -0500 Subject: [PATCH 069/120] globals --- salt/global/soc_global.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/global/soc_global.yaml b/salt/global/soc_global.yaml index 5a349a3c3..15cae92b3 100644 --- a/salt/global/soc_global.yaml +++ b/salt/global/soc_global.yaml @@ -12,11 +12,18 @@ global: mdengine: description: Which engine to use for meta data generation. Options are ZEEK and SURICATA. regex: ^(ZEEK|SURICATA)$ + options: + - ZEEK + - SURICATA regexFailureMessage: You must enter either ZEEK or SURICATA. global: True pcapengine: description: Which engine to use for generating pcap. Options are STENO, SURICATA or TRANSITION. regex: ^(STENO|SURICATA|TRANSITION)$ + options: + - STENO + - SURICATA + - TRANSITION regexFailureMessage: You must enter either STENO, SURICATA or TRANSITION. global: True ids: @@ -38,6 +45,9 @@ global: pipeline: description: Sets which pipeline technology for events to use. Currently only Redis is fully supported. Kafka is experimental and requires a Security Onion Pro license. regex: ^(REDIS|KAFKA)$ + options: + - REDIS + - KAFKA regexFailureMessage: You must enter either REDIS or KAFKA. global: True advanced: True From ee1af39c556a7c31c4ef36b1555c3ff1bb4aa2ec Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:17:08 -0500 Subject: [PATCH 070/120] elastalert --- salt/elastalert/soc_elastalert.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 764ec87fc..2ce04307b 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,5 +1,6 @@ elastalert: enabled: + forcedType: bool description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. helpLink: elastalert.html alerter_parameters: From 6fec2170689683002a50d712d61b85118468b26f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:34:32 -0500 Subject: [PATCH 071/120] actions --- .../soc_elastic-fleet-package-registry.yaml | 1 + salt/elasticagent/soc_elasticagent.yaml | 1 + salt/elasticfleet/soc_elasticfleet.yaml | 1 + salt/soc/soc_soc.yaml | 7 +++++++ 4 files changed, 10 insertions(+) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 3d8a2112b..4a544fbc6 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,4 +1,5 @@ elastic_fleet_package_registry: enabled: + forcedType: bool description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index a24ac1985..4632ae946 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,4 +1,5 @@ elasticagent: enabled: + forcedType: bool description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. advanced: True diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 7ca59401f..8ec558d37 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -3,6 +3,7 @@ elasticfleet: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. advanced: True helpLink: elastic-fleet.html + forcedType: bool enable_manager_output: description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers. advanced: True diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..332662c09 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,6 +63,13 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 2bc2e86b01ec2589a5343e0457798cc30b2706fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:36:16 -0500 Subject: [PATCH 072/120] actions --- salt/soc/soc_soc.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 332662c09..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -64,12 +64,12 @@ soc: global: True forcedType: "[]{}" uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 6d7e0a7a72df924e637ae7f18338b4a6723384bd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:39:18 -0500 Subject: [PATCH 073/120] sensoroni --- salt/sensoroni/soc_sensoroni.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 71a2c779b..325abf326 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,5 +1,6 @@ sensoroni: enabled: + forcedType: bool description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. advanced: True helpLink: grid.html From c5e0b8a42e352f74ab319bfb23167e2ce9513c73 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:40:24 -0500 Subject: [PATCH 074/120] sensoroni --- salt/soc/soc_soc.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,13 +63,6 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 101f6e744a1abed43218146124633896c6e1df87 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:44:35 -0500 Subject: [PATCH 075/120] sensoroni --- salt/soc/soc_soc.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,6 +63,13 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 0c2797ecdc81235e2b4f2c8ed3b34cf195692ba4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 13:49:30 -0500 Subject: [PATCH 076/120] soc --- salt/soc/soc_soc.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..338356c05 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -62,6 +62,7 @@ soc: actions: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True + syntax: json forcedType: "[]{}" uiElements: - field: description From 25217c3262e14f7feb85344f7719a8233f331fc8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 14:14:25 -0500 Subject: [PATCH 077/120] soc --- salt/soc/soc_soc.yaml | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 338356c05..ec6177b65 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. global: True syntax: json forcedType: "[]{}" @@ -265,6 +265,14 @@ soc: global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: community + label: Community + - field: license + label: License + - field: repo + label: Repo helpLink: sigma.html airgap: *eerulesRepos sigmaRulePackages: @@ -381,6 +389,15 @@ soc: advanced: True forcedType: "[]{}" helpLink: yara.html + syntax: json + uiElements: + - field: community + label: Community + - field: license + label: License + - field: repo + label: Repo + helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: @@ -473,10 +490,18 @@ soc: description: List of external tools to remove from the SOC UI. global: True tools: - description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. + description: List of available external tools visible in the SOC UI. global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: link + label: Link hunt: &appSettings groupItemsPerPage: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. @@ -503,11 +528,25 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Name + - field: query + label: Query queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True advanced: True forcedType: "[]{}" + syntax: json + uiElements: + - field: enabled + label: Enabled + - field: filter + label: Filter + - field: name + label: Name alerts: <<: *appSettings maxBulkEscalateEvents: From 8bc500e4daa0e1c0cca94eca3e7e9b9929c033cb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 14:16:42 -0500 Subject: [PATCH 078/120] soc --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index ec6177b65..103d13d6e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -525,7 +525,7 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. + description: List of default queries to show in the query list. All entries must include the "name" key and "query" key. global: True forcedType: "[]{}" syntax: json From 6c00cdd726f7742f64eb22891570a22aeadeefd0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 26 Feb 2025 16:15:00 -0500 Subject: [PATCH 079/120] Fix healthlink --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 103d13d6e..6b00d512b 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -397,7 +397,7 @@ soc: label: License - field: repo label: Repo - helpLink: sigma.html + helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: From 772aa7379f6073ef638efe855ad62dac1b2c1927 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 27 Feb 2025 07:55:22 -0500 Subject: [PATCH 080/120] more false positives --- salt/common/tools/sbin/so-log-check | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-log-check b/salt/common/tools/sbin/so-log-check index b9bc76f9f..44e8360e2 100755 --- a/salt/common/tools/sbin/so-log-check +++ b/salt/common/tools/sbin/so-log-check @@ -154,6 +154,7 @@ if [[ $EXCLUDE_FALSE_POSITIVE_ERRORS == 'Y' ]]; then EXCLUDED_ERRORS="$EXCLUDED_ERRORS|syncing rule" # false positive (rule sync log line includes rule name which can contain 'error') EXCLUDED_ERRORS="$EXCLUDED_ERRORS|request_unauthorized" # false positive (login failures to Hydra result in an 'error' log) EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding index lifecycle policy" # false positive (elasticsearch policy names contain 'error') + EXCLUDED_ERRORS="$EXCLUDED_ERRORS|adding ingest pipeline" # false positive (elasticsearch ingest pipeline names contain 'error') fi if [[ $EXCLUDE_KNOWN_ERRORS == 'Y' ]]; then From 3ba82bd5a47d3a71ca188db2b8e135698f33455e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:04:47 -0500 Subject: [PATCH 081/120] Fix actions --- salt/soc/soc_soc.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 6b00d512b..d061dd65e 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -65,12 +65,19 @@ soc: syntax: json forcedType: "[]{}" uiElements: + - field: name + label: Name + required: True - field: description label: Description - field: icon label: Icon - field: links label: Links + multiline: True + required: True + - field: target + label: Target (_blank, _self, mynewtab) eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From d950e4ebb3136abfb5af3785741dcbc71c1ee0f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:11:56 -0500 Subject: [PATCH 082/120] Add additional entries for actions --- salt/soc/soc_soc.yaml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d061dd65e..73ed72f2a 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified. global: True syntax: json forcedType: "[]{}" @@ -75,9 +75,13 @@ soc: - field: links label: Links multiline: True - required: True + - field: jsCall + label: JavaScript Function - field: target - label: Target (_blank, _self, mynewtab) + label: Target (_blank, _self, mynewtab) + - field: categories + label: Categories + multiline: True eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 1d3bae4a7acbf10a90074c5a382a52d3fc0dfd78 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:15:51 -0500 Subject: [PATCH 083/120] Add additional entries for actions --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 73ed72f2a..d8a00bbfd 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -81,7 +81,8 @@ soc: label: Target (_blank, _self, mynewtab) - field: categories label: Categories - multiline: True + multiline: True + forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From e930d1dec62cd57a0615a8973b92e01ace0636d1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:28:06 -0500 Subject: [PATCH 084/120] roll back SOC changes --- salt/soc/soc_soc.yaml | 58 +++---------------------------------------- 1 file changed, 3 insertions(+), 55 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d8a00bbfd..fc336a2df 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,29 +60,16 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. JavaScript Function or Links must be specified. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True - syntax: json forcedType: "[]{}" uiElements: - - field: name - label: Name - required: True - field: description label: Description - field: icon label: Icon - field: links label: Links - multiline: True - - field: jsCall - label: JavaScript Function - - field: target - label: Target (_blank, _self, mynewtab) - - field: categories - label: Categories - multiline: True - forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. @@ -277,14 +264,6 @@ soc: global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: community - label: Community - - field: license - label: License - - field: repo - label: Repo helpLink: sigma.html airgap: *eerulesRepos sigmaRulePackages: @@ -401,15 +380,6 @@ soc: advanced: True forcedType: "[]{}" helpLink: yara.html - syntax: json - uiElements: - - field: community - label: Community - - field: license - label: License - - field: repo - label: Repo - helpLink: sigma.html airgap: *serulesRepos suricataengine: aiRepoUrl: @@ -502,18 +472,10 @@ soc: description: List of external tools to remove from the SOC UI. global: True tools: - description: List of available external tools visible in the SOC UI. + description: List of available external tools visible in the SOC UI. Each tool is defined in JSON object notation, and must include the "name" key and "link" key, where the link is the tool's URL. global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: link - label: Link hunt: &appSettings groupItemsPerPage: description: Default number of aggregations to show per page. Larger values consume more vertical area in the SOC UI. @@ -537,28 +499,14 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. All entries must include the "name" key and "query" key. + description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" - syntax: json - uiElements: - - field: name - label: Name - - field: query - label: Query queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True advanced: True forcedType: "[]{}" - syntax: json - uiElements: - - field: enabled - label: Enabled - - field: filter - label: Filter - - field: name - label: Name alerts: <<: *appSettings maxBulkEscalateEvents: From 9d31050907a03efbc535cd3ba84c7d916c47f611 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:32:59 -0500 Subject: [PATCH 085/120] roll back SOC changes --- salt/soc/soc_soc.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fc336a2df..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,13 +63,6 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" - uiElements: - - field: description - label: Description - - field: icon - label: Icon - - field: links - label: Links eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 4b5048bd804addddcaf017ee1cb16bf3afb45f84 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 11:57:57 -0500 Subject: [PATCH 086/120] Add hunt queries --- salt/soc/soc_soc.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..ff2a0a4ad 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -495,6 +495,18 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + uiElements: + - field: name + label: Name + required: True + - field: description + label: Description + - field: query + label: Query + required: True + - field: showSubtitle + label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 40303c2d7816801062b2158799a07c4824a1d31d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:10:59 -0500 Subject: [PATCH 087/120] Add hunt queries --- salt/soc/soc_soc.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index ff2a0a4ad..87d3c0ab5 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -506,7 +506,6 @@ soc: required: True - field: showSubtitle label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 1fdbe987b8371a040067a2a565fa30cae4354ff0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:15:37 -0500 Subject: [PATCH 088/120] Add hunt queries --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 87d3c0ab5..7566d99af 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -494,7 +494,7 @@ soc: queries: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True - forcedType: "[]{}" + forcedType: json uiElements: - field: name label: Name @@ -506,6 +506,7 @@ soc: required: True - field: showSubtitle label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From a0944f83593f2738d4a05b286c71fce8eb326239 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:17:57 -0500 Subject: [PATCH 089/120] Add hunt queries --- salt/soc/soc_soc.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 7566d99af..b4f724b38 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -494,7 +494,8 @@ soc: queries: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True - forcedType: json + forcedType: "[]{}" + syntax: json uiElements: - field: name label: Name From 4696152f7860212f358a7e3fa95dea100ae0836a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:31:51 -0500 Subject: [PATCH 090/120] Add hunt queries --- salt/soc/soc_soc.yaml | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b4f724b38..d7fcd9644 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -495,19 +495,6 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" - syntax: json - uiElements: - - field: name - label: Name - required: True - - field: description - label: Description - - field: query - label: Query - required: True - - field: showSubtitle - label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 2ffaf2f6019f1cd88e363353d95c8ac6e489e385 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 27 Feb 2025 12:42:03 -0500 Subject: [PATCH 091/120] Add hunt queries --- salt/soc/soc_soc.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index d7fcd9644..fef5ce382 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -495,6 +495,16 @@ soc: description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: name + label: Name + required: True + - field: description + label: Description + - field: query + label: Query + required: True queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 9bc64bf4537bbc096dbca45da00308a92dc3273f Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Thu, 27 Feb 2025 16:48:07 -0600 Subject: [PATCH 092/120] managed int multiline input --- salt/elasticsearch/soc_elasticsearch.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index adce41bff..47013e48f 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -80,6 +80,7 @@ elasticsearch: managed_integrations: description: List of integrations to add into SOC config UI. Enter the full or partial integration name. Eg. 1password, 1pass forcedType: "[]string" + multiline: True global: True advanced: True helpLink: elasticsearch.html From e53f4fd1f1d089414f4317159689878bb55d6299 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Sun, 2 Mar 2025 05:54:30 -0500 Subject: [PATCH 093/120] Update defaults.yaml to quote the process.entity_id value --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index b97ba11e6..665b4106b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -83,7 +83,7 @@ soc: icon: fa-users-between-lines target: '' links: - - '/#/hunt?q=({:process.entity_id}) | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' + - '/#/hunt?q="{:process.entity_id}" | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path' - name: actionProcessAncestors description: actionProcessAncestorsHelp icon: fa-people-roof From 4bd83f8983aa7ae4b7e0df29a3da74e3e9ae38d6 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Mon, 3 Mar 2025 10:48:06 -0600 Subject: [PATCH 094/120] zeek traceroute & ntp Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/files/ingest/zeek.ntp | 16 ++++++++++++++++ salt/elasticsearch/files/ingest/zeek.traceroute | 10 ++++++++++ 2 files changed, 26 insertions(+) create mode 100644 salt/elasticsearch/files/ingest/zeek.ntp create mode 100644 salt/elasticsearch/files/ingest/zeek.traceroute diff --git a/salt/elasticsearch/files/ingest/zeek.ntp b/salt/elasticsearch/files/ingest/zeek.ntp new file mode 100644 index 000000000..6c500c770 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.ntp @@ -0,0 +1,16 @@ +{ + "description" : "zeek.ntp", + "processors":[ + {"set": {"field":"event.dataset", "value":"ntp", "ignore_failure":true}}, + {"json": {"field":"message", "target_field":"message2", "ignore_failure":true}}, + {"rename": {"field":"message2.version", "target_field":"ntp.version", "ignore_missing":true}}, + {"rename": {"field":"message2.mode", "target_field":"ntp.mode", "ignore_missing":true}}, + {"rename": {"field":"message2.poll", "target_field":"ntp.poll", "ignore_missing":true}}, + {"rename": {"field":"message2.precision", "target_field":"ntp.precision", "ignore_missing":true}}, + {"rename": {"field":"message2.org_time", "target_field":"ntp.org_time", "ignore_missing":true}}, + {"rename": {"field":"message2.xmt_time", "target_field":"ntp.xmt_time", "ignore_missing":true}}, + {"date": {"field":"ntp.org_time", "target_field":"ntp.org_time", "formats":["UNIX", "UNIX_MS"], "ignore_failure": true, "if":"ctx?.ntp?.org_time != null"}}, + {"date": {"field":"ntp.xmt_time", "target_field":"ntp.xmt_time", "formats":["UNIX", "UNIX_MS"], "ignore_failure": true, "if":"ctx?.ntp?.xmt_time != null"}}, + {"pipeline":{"name":"zeek.common"}} + ] +} diff --git a/salt/elasticsearch/files/ingest/zeek.traceroute b/salt/elasticsearch/files/ingest/zeek.traceroute new file mode 100644 index 000000000..f34f58cb0 --- /dev/null +++ b/salt/elasticsearch/files/ingest/zeek.traceroute @@ -0,0 +1,10 @@ +{ + "description":"zeek.traceroute", + "processors":[ + {"set": {"field":"event.dataset", "value":"traceroute" }}, + {"json": {"field":"message", "target_field":"message2" }}, + {"rename": {"field":"message2.src", "target_field":"source.ip", "ignore_missing":true,"ignore_failure":true}}, + {"rename": {"field":"message2.dst", "target_field":"destination.ip", "ignore_missing":true,"ignore_failure":true}}, + {"pipeline": {"name":"zeek.common"}} + ] +} From 44535cba8c0403ed3797a98d5d4ab8d1e28b873b Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Tue, 4 Mar 2025 06:46:56 -0500 Subject: [PATCH 095/120] FIX: Elastic Agent Security Events dashboard should reference user.effective.name #14325 --- salt/soc/defaults.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 665b4106b..962d1096b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1256,7 +1256,7 @@ soc: - soc_timestamp - event.dataset - host.name - - user.name + - user.effective.name - process.executable - event.action - event.outcome @@ -1918,7 +1918,7 @@ soc: query: 'event.dataset:endpoint.events.registry | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby registry.path' - name: Elastic Agent Security Events description: Security events from Elastic Agents - query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome' + query: 'event.dataset:endpoint.events.security | groupby host.name | groupby -sankey host.name user.effective.name | groupby user.effective.name | groupby -sankey user.effective.name process.executable | groupby process.executable | groupby event.action | groupby event.outcome' - name: Host Overview description: Overview of all host data types query: '((event.category:registry OR event.category:host OR event.category:process OR event.category:driver OR event.category:configuration) OR (event.category:file AND _exists_:process.executable) OR (event.category:network AND _exists_:host.name)) | groupby event.dataset* event.category* event.action* | groupby event.type | groupby -sankey event.type host.name | groupby host.name | groupby user.name | groupby file.name | groupby process.executable' From e1c8bee71abd2b975b666a22be70f7562796bcdb Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Mar 2025 08:58:41 -0600 Subject: [PATCH 096/120] install bc package --- salt/common/packages.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index c5d2729fd..86bad228a 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -27,6 +27,7 @@ commonpkgs: - vim - tar - unzip + - bc {% if grains.oscodename != 'focal' %} - python3-rich {% endif %} @@ -56,6 +57,7 @@ commonpkgs: - skip_suggestions: True - pkgs: - python3-dnf-plugin-versionlock + - bc - curl - device-mapper-persistent-data - fuse From 0047246cf279292368546b85f85a949c041d0e96 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 4 Mar 2025 10:55:12 -0500 Subject: [PATCH 097/120] reduce stdout verbosity --- salt/common/init.sls | 2 ++ salt/common/tools/sbin/so-common | 2 +- salt/elasticfleet/config.sls | 4 ++++ salt/elasticsearch/config.sls | 8 ++++++++ salt/elasticsearch/enabled.sls | 3 +++ salt/influxdb/config.sls | 1 + salt/kibana/tools/sbin_jinja/so-kibana-config-load | 4 ++-- salt/manager/init.sls | 4 ++++ salt/manager/tools/sbin/soup | 14 +++++++------- salt/nginx/enabled.sls | 1 + salt/sensoroni/config.sls | 1 + salt/soc/config.sls | 2 ++ 12 files changed, 36 insertions(+), 10 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index f385bd96d..d4d90cbed 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -128,6 +128,7 @@ common_sbin: - user: 939 - group: 939 - file_mode: 755 + - show_changes: False common_sbin_jinja: file.recurse: @@ -137,6 +138,7 @@ common_sbin_jinja: - group: 939 - file_mode: 755 - template: jinja + - show_changes: False {% if not GLOBALS.is_manager%} # prior to 2.4.50 these scripts were in common/tools/sbin on the manager because of soup and distributed to non managers diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 6ae35324f..e46eaac69 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -226,7 +226,7 @@ create_local_directories() { for d in $(find $PILLARSALTDIR/$i -type d); do suffixdir=${d//$PILLARSALTDIR/} if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -pv $local_salt_dir$suffixdir + mkdir -p $local_salt_dir$suffixdir fi done chown -R socore:socore $local_salt_dir/$i diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 208fa2306..ef921b404 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -30,6 +30,7 @@ elasticfleet_sbin: - user: 947 - group: 939 - file_mode: 755 + - show_changes: False elasticfleet_sbin_jinja: file.recurse: @@ -41,6 +42,7 @@ elasticfleet_sbin_jinja: - template: jinja - exclude_pat: - so-elastic-fleet-package-upgrade # exclude this because we need to watch it for changes + - show_changes: False eaconfdir: file.directory: @@ -145,6 +147,7 @@ eadynamicintegration: - user: 947 - group: 939 - template: jinja + - show_changes: False eaintegration: file.recurse: @@ -152,6 +155,7 @@ eaintegration: - source: salt://elasticfleet/files/integrations - user: 947 - group: 939 + - show_changes: False eaoptionalintegrationsdir: file.directory: diff --git a/salt/elasticsearch/config.sls b/salt/elasticsearch/config.sls index a3dd189ad..147975bb1 100644 --- a/salt/elasticsearch/config.sls +++ b/salt/elasticsearch/config.sls @@ -47,6 +47,7 @@ elasticsearch_sbin: - file_mode: 755 - exclude_pat: - so-elasticsearch-pipelines # exclude this because we need to watch it for changes, we sync it in another state + - show_changes: False elasticsearch_sbin_jinja: file.recurse: @@ -60,6 +61,7 @@ elasticsearch_sbin_jinja: - so-elasticsearch-ilm-policy-load # exclude this because we need to watch it for changes, we sync it in another state - defaults: GLOBALS: {{ GLOBALS }} + - show_changes: False so-elasticsearch-ilm-policy-load-script: file.managed: @@ -69,6 +71,7 @@ so-elasticsearch-ilm-policy-load-script: - group: 939 - mode: 754 - template: jinja + - show_changes: False so-elasticsearch-pipelines-script: file.managed: @@ -77,6 +80,7 @@ so-elasticsearch-pipelines-script: - user: 930 - group: 939 - mode: 754 + - show_changes: False esingestdir: file.directory: @@ -110,6 +114,7 @@ esingestdynamicconf: - user: 930 - group: 939 - template: jinja + - show_changes: False esingestconf: file.recurse: @@ -117,6 +122,7 @@ esingestconf: - source: salt://elasticsearch/files/ingest - user: 930 - group: 939 + - show_changes: False # Remove .fleet_final_pipeline-1 because we are using global@custom now so-fleet-final-pipeline-remove: @@ -153,6 +159,7 @@ esyml: - defaults: ESCONFIG: {{ ELASTICSEARCHMERGED.config }} - template: jinja + - show_changes: False esroles: file.recurse: @@ -162,6 +169,7 @@ esroles: - template: jinja - user: 930 - group: 939 + - show_changes: False nsmesdir: file.directory: diff --git a/salt/elasticsearch/enabled.sls b/salt/elasticsearch/enabled.sls index e1629fade..af162d9e9 100644 --- a/salt/elasticsearch/enabled.sls +++ b/salt/elasticsearch/enabled.sls @@ -116,6 +116,7 @@ escomponenttemplates: - clean: True - onchanges_in: - file: so-elasticsearch-templates-reload + - show_changes: False # Auto-generate templates from defaults file {% for index, settings in ES_INDEX_SETTINGS.items() %} @@ -127,6 +128,7 @@ es_index_template_{{index}}: - defaults: TEMPLATE_CONFIG: {{ settings.index_template }} - template: jinja + - show_changes: False - onchanges_in: - file: so-elasticsearch-templates-reload {% endif %} @@ -146,6 +148,7 @@ es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}: {% endif %} - user: 930 - group: 939 + - show_changes: False - onchanges_in: - file: so-elasticsearch-templates-reload {% endfor %} diff --git a/salt/influxdb/config.sls b/salt/influxdb/config.sls index 66c681a0d..0f315666a 100644 --- a/salt/influxdb/config.sls +++ b/salt/influxdb/config.sls @@ -85,6 +85,7 @@ influxdb-templates: - clean: True - defaults: INFLUXMERGED: {{ INFLUXMERGED }} + - show_changes: False influxdb_curl_config: file.managed: diff --git a/salt/kibana/tools/sbin_jinja/so-kibana-config-load b/salt/kibana/tools/sbin_jinja/so-kibana-config-load index 921416790..47830c103 100644 --- a/salt/kibana/tools/sbin_jinja/so-kibana-config-load +++ b/salt/kibana/tools/sbin_jinja/so-kibana-config-load @@ -47,7 +47,7 @@ import() { # Load saved objects RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X POST "localhost:5601/api/saved_objects/_import?overwrite=true" -H "kbn-xsrf: true" --form file=@"$ndjson_file") - echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi + if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi if [[ "$RETURN_CODE" != "1" ]]; then touch /opt/so/state/kibana_$BASENAME.txt @@ -66,7 +66,7 @@ update() { IFS=$'\r\n' GLOBIGNORE='*' command eval 'LINES=($(cat $1))' for i in "${LINES[@]}"; do RESPONSE=$(curl -K /opt/so/conf/elasticsearch/curl.config -X PUT "localhost:5601/api/saved_objects/config/{{ELASTICSEARCHDEFAULTS.elasticsearch.version}}" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d " $i ") - echo $RESPONSE; if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi + if [[ "$RESPONSE" != *"\"success\":true"* ]] && [[ "$RESPONSE" != *"updated_at"* ]] ; then RETURN_CODE=1;fi done if [[ "$RETURN_CODE" != "1" ]]; then diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 8de5d097a..5eadead92 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -66,6 +66,7 @@ repo_dir: - recurse: - user - group + - show_changes: False manager_sbin: file.recurse: @@ -76,6 +77,7 @@ manager_sbin: - file_mode: 755 - exclude_pat: - "*_test.py" + - show_changes: False manager_sbin_jinja: file.recurse: @@ -85,6 +87,7 @@ manager_sbin_jinja: - group: socore - file_mode: 755 - template: jinja + - show_changes: False so-repo-file: file.managed: @@ -92,6 +95,7 @@ so-repo-file: - source: salt://manager/files/repodownload.conf - user: socore - group: socore + - show_changes: False so-repo-mirrorlist: file.managed: diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 5da116e05..d44ca5fa7 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -166,7 +166,7 @@ airgap_update_dockers() { docker stop so-dockerregistry docker rm so-dockerregistry echo "Copying the new dockers over" - tar xvf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker + tar xf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker echo "Add Registry back" docker load -i "$AGDOCKER/registry_image.tar" fi @@ -998,21 +998,21 @@ unmount_update() { update_airgap_rules() { # Copy the rules over to update them for airgap. - rsync -av $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/ - rsync -av $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/ - rsync -av $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/ + rsync -a $UPDATE_DIR/agrules/suricata/* /nsm/rules/suricata/ + rsync -a $UPDATE_DIR/agrules/detect-sigma/* /nsm/rules/detect-sigma/ + rsync -a $UPDATE_DIR/agrules/detect-yara/* /nsm/rules/detect-yara/ # Copy the securityonion-resorces repo over for SOC Detection Summaries and checkout the published summaries branch - rsync -av --delete --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos + rsync -a --delete --chown=socore:socore $UPDATE_DIR/agrules/securityonion-resources /opt/so/conf/soc/ai_summary_repos git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published # Copy the securityonion-resorces repo over to nsm - rsync -av $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/ + rsync -a $UPDATE_DIR/agrules/securityonion-resources/* /nsm/securityonion-resources/ } update_airgap_repo() { # Update the files in the repo echo "Syncing new updates to /nsm/repo" - rsync -av $AGREPO/* /nsm/repo/ + rsync -a $AGREPO/* /nsm/repo/ echo "Creating repo" dnf -y install yum-utils createrepo_c createrepo /nsm/repo diff --git a/salt/nginx/enabled.sls b/salt/nginx/enabled.sls index 8140aaa9f..e2bcef863 100644 --- a/salt/nginx/enabled.sls +++ b/salt/nginx/enabled.sls @@ -91,6 +91,7 @@ make-rule-dir-nginx: - recurse: - user - group + - show_changes: False {% endif %} diff --git a/salt/sensoroni/config.sls b/salt/sensoroni/config.sls index 0024ca962..f983fce38 100644 --- a/salt/sensoroni/config.sls +++ b/salt/sensoroni/config.sls @@ -41,6 +41,7 @@ analyzerscripts: - file_mode: 755 - template: jinja - source: salt://sensoroni/files/analyzers + - show_changes: False sensoroni_sbin: file.recurse: diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 4134d8b77..e19e3eb14 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls @@ -79,6 +79,7 @@ socmotd: - group: 939 - mode: 600 - template: jinja + - show_changes: False filedetectionsbackup: file.managed: @@ -249,6 +250,7 @@ socore_own_custom_repos: - recurse: - user - group + - show_changes: False {% else %} From 75e3bba9f57a92cc07ab3b8607ce66dd20387fa5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 4 Mar 2025 11:35:22 -0500 Subject: [PATCH 098/120] reduce stdout --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5c4da25ba..fffa1a932 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -758,9 +758,9 @@ copy_salt_master_config() { #logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service" fi info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" - logCmd "cp -Rv $temp_install_dir/pillar/ $local_salt_dir/" + logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/" if [ -d "$temp_install_dir"/salt ] ; then - logCmd "cp -Rv $temp_install_dir/salt/ $local_salt_dir/" + logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/" fi # Restart the service so it picks up the changes @@ -2107,8 +2107,8 @@ setup_salt_master_dirs() { logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" else - logCmd "cp -Rv ../pillar/* $default_salt_dir/pillar/" - logCmd "cp -Rv ../salt/* $default_salt_dir/salt/" + logCmd "cp -R ../pillar/* $default_salt_dir/pillar/" + logCmd "cp -R ../salt/* $default_salt_dir/salt/" logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel" logCmd "touch $local_salt_dir/salt/zeek/policy/intel/intel.dat" fi From 124bf266b52b6921f8d7881bc3b9b322a2f329e3 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Mar 2025 12:27:04 -0600 Subject: [PATCH 099/120] osquery v1.15.0 index templates updates Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 84 +++++++++++++++++-- salt/elasticsearch/soc_elasticsearch.yaml | 4 +- .../component/elastic-agent/logs@custom.json | 9 ++ .../elastic-agent/metrics@custom.json | 4 +- 4 files changed, 90 insertions(+), 11 deletions(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs@custom.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index c3957361a..3cbd69261 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2659,7 +2659,7 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-osquery-manager-action_x_responses: + so-logs-osquery_manager_x_action_x_responses: index_sorting: false index_template: _meta: @@ -2667,17 +2667,51 @@ elasticsearch: managed_by: security_onion package: name: elastic_agent + data_stream: + allow_custom_routing: false + hidden: false composed_of: - - logs-osquery_manager.action.responses - ignore_missing_component_templates: [] + - logs-osquery_manager.action.responses@package + - logs-osquery_manager.action.responses@custom + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + ignore_missing_component_templates: + - logs-osquery_manager.action.responses@custom index_patterns: - - .logs-osquery_manager.action.responses* + - logs-osquery_manager.action.responses* priority: 501 template: settings: index: + lifecycle: + name: so-logs-osquery_manager.action.responses-logs number_of_replicas: 0 - so-logs-osquery-manager-actions: + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-osquery_manager_x_result: index_sorting: false index_template: _meta: @@ -2685,16 +2719,50 @@ elasticsearch: managed_by: security_onion package: name: elastic_agent + data_stream: + allow_custom_routing: false + hidden: false composed_of: - - logs-osquery_manager.actions - ignore_missing_component_templates: [] + - logs-osquery_manager.result@package + - logs-osquery_manager.result@custom + - so-fleet_integrations.ip_mappings-1 + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + ignore_missing_component_templates: + - logs-osquery_manager.result@custom index_patterns: - - .logs-osquery_manager.actions* + - logs-osquery_manager.result* priority: 501 template: settings: index: + lifecycle: + name: so-logs-osquery_manager.result-logs number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-soc: close: 30 delete: 365 diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 47013e48f..fe6c0c21e 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -368,8 +368,8 @@ elasticsearch: so-logs-detections_x_alerts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-osquery-manager-actions: *indexSettings - so-logs-osquery-manager-action_x_responses: *indexSettings + so-logs-osquery_manager_x_action_x_responses: *indexSettings + so-logs-osquery_manager_x_result: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings so-logs-elastic_agent_x_auditbeat: *indexSettings so-logs-elastic_agent_x_cloudbeat: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs@custom.json new file mode 100644 index 000000000..61a69003f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs@custom.json @@ -0,0 +1,9 @@ +{ + "template": { + "settings": { + "index": { + "number_of_replicas": "0" + } + } + } +} \ No newline at end of file diff --git a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json index 5b459147b..61a69003f 100644 --- a/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json +++ b/salt/elasticsearch/templates/component/elastic-agent/metrics@custom.json @@ -1,7 +1,9 @@ { "template": { "settings": { - "number_of_replicas": 0 + "index": { + "number_of_replicas": "0" + } } } } \ No newline at end of file From 11dc004811727fe2c287ad060591512201fda973 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Tue, 4 Mar 2025 14:24:38 -0600 Subject: [PATCH 100/120] ES 8.17.3 --- .../files/integrations/grid-nodes_general/import-evtx-logs.json | 2 +- salt/elasticsearch/defaults.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json index bb79891b6..46717f3e1 100644 --- a/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json @@ -20,7 +20,7 @@ ], "data_stream.dataset": "import", "custom": "", - "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.66.1\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.4.1\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.66.1\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.66.1\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.4.1\n- add_fields:\n target: data_stream\n fields:\n dataset: import", + "processors": "- dissect:\n tokenizer: \"/nsm/import/%{import.id}/evtx/%{import.file}\"\n field: \"log.file.path\"\n target_prefix: \"\"\n- decode_json_fields:\n fields: [\"message\"]\n target: \"\"\n- drop_fields:\n fields: [\"host\"]\n ignore_missing: true\n- add_fields:\n target: data_stream\n fields:\n type: logs\n dataset: system.security\n- add_fields:\n target: event\n fields:\n dataset: system.security\n module: system\n imported: true\n- add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.security-1.67.0\n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-Sysmon/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.sysmon_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.sysmon_operational\n module: windows\n imported: true\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.sysmon_operational-2.5.0\n- if:\n equals:\n winlog.channel: 'Application'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.application\n - add_fields:\n target: event\n fields:\n dataset: system.application\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.application-1.67.0\n- if:\n equals:\n winlog.channel: 'System'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: system.system\n - add_fields:\n target: event\n fields:\n dataset: system.system\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-system.system-1.67.0\n \n- if:\n equals:\n winlog.channel: 'Microsoft-Windows-PowerShell/Operational'\n then: \n - add_fields:\n target: data_stream\n fields:\n dataset: windows.powershell_operational\n - add_fields:\n target: event\n fields:\n dataset: windows.powershell_operational\n module: windows\n - add_fields:\n target: \"@metadata\"\n fields:\n pipeline: logs-windows.powershell_operational-2.5.0\n- add_fields:\n target: data_stream\n fields:\n dataset: import", "tags": [ "import" ] diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 3cbd69261..a12bb5ac9 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -1,6 +1,6 @@ elasticsearch: enabled: false - version: 8.17.2 + version: 8.17.3 index_clean: true config: action: From c6c67f4d06f1c9922e3dead684696de7b8b9d673 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Wed, 5 Mar 2025 06:31:16 -0500 Subject: [PATCH 101/120] FEATURE: Add sankey chart to Elastic Agent API dashboard to show relationship between process.name and process.Ext.api.name #14339 --- salt/soc/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index 962d1096b..baaa9d8f7 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1900,7 +1900,7 @@ soc: query: 'event.module:endpoint | groupby event.dataset | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name' - name: Elastic Agent API Events description: API (Application Programming Interface) events from Elastic Agents - query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby process.Ext.api.name' + query: 'event.dataset:endpoint.events.api | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby -sankey process.name process.Ext.api.name | groupby process.Ext.api.name' - name: Elastic Agent File Events description: File events from Elastic Agents query: 'event.dataset:endpoint.events.file | groupby host.name | groupby -sankey host.name user.name | groupby user.name | groupby -sankey user.name process.name | groupby process.name | groupby event.action | groupby file.path' From 21a64b6c1d00be81c4194c7e64c4e7b0ee3ff517 Mon Sep 17 00:00:00 2001 From: Corey Ogburn Date: Wed, 5 Mar 2025 09:43:21 -0700 Subject: [PATCH 102/120] Add Client Parameter Add groupItemsPerPage so detections groupby tables have proper default value for page size. --- salt/soc/defaults.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index baaa9d8f7..5a8ec840c 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -2337,6 +2337,7 @@ soc: eventFetchLimit: 500 eventItemsPerPage: 50 groupFetchLimit: 50 + groupItemsPerPage: 10 mostRecentlyUsedLimit: 5 safeStringMaxLength: 100 queryBaseFilter: '_index:"*:so-detection" AND so_kind:detection' From cf536469e68de10fbe6627873f3944a6615a58b4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:51:56 -0500 Subject: [PATCH 103/120] Some things I thought were bools are not bools --- salt/elastalert/soc_elastalert.yaml | 1 - .../soc_elastic-fleet-package-registry.yaml | 2 -- salt/elasticagent/soc_elasticagent.yaml | 1 - salt/sensoroni/soc_sensoroni.yaml | 1 - 4 files changed, 5 deletions(-) diff --git a/salt/elastalert/soc_elastalert.yaml b/salt/elastalert/soc_elastalert.yaml index 2ce04307b..764ec87fc 100644 --- a/salt/elastalert/soc_elastalert.yaml +++ b/salt/elastalert/soc_elastalert.yaml @@ -1,6 +1,5 @@ elastalert: enabled: - forcedType: bool description: Enables or disables the ElastAlert 2 process. This process is critical for ensuring alerts arrive in SOC, and for outbound notification delivery. helpLink: elastalert.html alerter_parameters: diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 4a544fbc6..18645490d 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,5 +1,3 @@ elastic_fleet_package_registry: - enabled: - forcedType: bool description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True diff --git a/salt/elasticagent/soc_elasticagent.yaml b/salt/elasticagent/soc_elasticagent.yaml index 4632ae946..a24ac1985 100644 --- a/salt/elasticagent/soc_elasticagent.yaml +++ b/salt/elasticagent/soc_elasticagent.yaml @@ -1,5 +1,4 @@ elasticagent: enabled: - forcedType: bool description: Enables or disables the Elastic Agent process. This process must remain enabled to allow collection of node events. advanced: True diff --git a/salt/sensoroni/soc_sensoroni.yaml b/salt/sensoroni/soc_sensoroni.yaml index 325abf326..71a2c779b 100644 --- a/salt/sensoroni/soc_sensoroni.yaml +++ b/salt/sensoroni/soc_sensoroni.yaml @@ -1,6 +1,5 @@ sensoroni: enabled: - forcedType: bool description: Enable or disable the per-node SOC agent process. This process is used for performing node-related jobs and reporting node metrics back to SOC. Disabling this process is unsupported and will result in an improperly functioning grid. advanced: True helpLink: grid.html From 72ffef94335c7a61ee92bfc0a0e9e64491144957 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:52:54 -0500 Subject: [PATCH 104/120] Some things I thought were bools are not bools --- .../soc_elastic-fleet-package-registry.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 18645490d..0624918b9 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,3 +1,4 @@ elastic_fleet_package_registry: + - enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True From 67f9cd39db4f9e4ac58a95b813ba1b048b9a4d72 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:53:29 -0500 Subject: [PATCH 105/120] Some things I thought were bools are not bools --- .../soc_elastic-fleet-package-registry.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml index 0624918b9..3d8a2112b 100644 --- a/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml +++ b/salt/elastic-fleet-package-registry/soc_elastic-fleet-package-registry.yaml @@ -1,4 +1,4 @@ elastic_fleet_package_registry: - - enabled: + enabled: description: Enables or disables the Fleet package registry process. This process must remain enabled to allow Elastic Agent packages to be updated. advanced: True From 945a467ec8c32c905a74ba3c809296887c3706a6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:54:17 -0500 Subject: [PATCH 106/120] Some things I thought were bools are not bools --- salt/elasticfleet/soc_elasticfleet.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/elasticfleet/soc_elasticfleet.yaml b/salt/elasticfleet/soc_elasticfleet.yaml index 8ec558d37..7ca59401f 100644 --- a/salt/elasticfleet/soc_elasticfleet.yaml +++ b/salt/elasticfleet/soc_elasticfleet.yaml @@ -3,7 +3,6 @@ elasticfleet: description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents. advanced: True helpLink: elastic-fleet.html - forcedType: bool enable_manager_output: description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers. advanced: True From b01fb733a960944a7af005fa8344880ea0f5b6ff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 14:56:26 -0500 Subject: [PATCH 107/120] Some things I thought were bools are not bools --- salt/soc/soc_soc.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index fef5ce382..b4f724b38 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -505,6 +505,9 @@ soc: - field: query label: Query required: True + - field: showSubtitle + label: Show Query in Dropdown. Must be true or false + regex: ^(true|false)$ queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 0f16b00563397c4a6b86b3951469f673bc6b6242 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 13:57:47 -0600 Subject: [PATCH 108/120] osquery templates --- salt/elasticsearch/defaults.yaml | 46 ++++++++++++++++++++--- salt/elasticsearch/soc_elasticsearch.yaml | 6 ++- 2 files changed, 45 insertions(+), 7 deletions(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index a12bb5ac9..6bd46aa27 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2659,7 +2659,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-osquery_manager_x_action_x_responses: + so-logs-osquery-manager-action_x_responses: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.action.responses + ignore_missing_component_templates: [] + index_patterns: + - .logs-osquery_manager.action.responses* + priority: 501 + template: + settings: + index: + number_of_replicas: 0 + so-logs-osquery-manager_x_action_x_responses: index_sorting: false index_template: _meta: @@ -2683,9 +2701,9 @@ elasticsearch: priority: 501 template: settings: + lifecycle: + so-logs-osquery-manager.action.responses-logs index: - lifecycle: - name: so-logs-osquery_manager.action.responses-logs number_of_replicas: 0 policy: phases: @@ -2711,7 +2729,25 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-osquery_manager_x_result: + so-logs-osquery-manager-actions: + index_sorting: false + index_template: + _meta: + managed: true + managed_by: security_onion + package: + name: elastic_agent + composed_of: + - logs-osquery_manager.actions + ignore_missing_component_templates: [] + index_patterns: + - .logs-osquery_manager.actions* + priority: 501 + template: + settings: + index: + number_of_replicas: 0 + so-logs-osquery-manager_x_result: index_sorting: false index_template: _meta: @@ -2737,7 +2773,7 @@ elasticsearch: settings: index: lifecycle: - name: so-logs-osquery_manager.result-logs + name: so-logs-osquery-manager.result-logs number_of_replicas: 0 policy: phases: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index fe6c0c21e..ba85cd7b4 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -368,8 +368,10 @@ elasticsearch: so-logs-detections_x_alerts: *indexSettings so-logs-http_endpoint_x_generic: *indexSettings so-logs-httpjson_x_generic: *indexSettings - so-logs-osquery_manager_x_action_x_responses: *indexSettings - so-logs-osquery_manager_x_result: *indexSettings + so-logs-osquery-manager-actions: *indexSettings + so-logs-osquery-manager-action_x_responses: *indexSettings + so-logs-osquery-manager_x_action_x_responses: *indexSettings + so-logs-osquery-manager_x_result: *indexSettings so-logs-elastic_agent_x_apm_server: *indexSettings so-logs-elastic_agent_x_auditbeat: *indexSettings so-logs-elastic_agent_x_cloudbeat: *indexSettings From d2884ef00b09899150eea4ab887cd95214e5e081 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:02:45 -0600 Subject: [PATCH 109/120] typo --- salt/elasticsearch/defaults.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 6bd46aa27..02e2f7ccb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2702,7 +2702,8 @@ elasticsearch: template: settings: lifecycle: - so-logs-osquery-manager.action.responses-logs + name: + so-logs-osquery-manager.action.responses-logs index: number_of_replicas: 0 policy: From b51aa56e86b68d9ca9e4cef8429eb9aa847092f6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 15:15:26 -0500 Subject: [PATCH 110/120] Some things I thought were bools are not bools --- salt/soc/soc_soc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index b4f724b38..42c56ab52 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -506,8 +506,8 @@ soc: label: Query required: True - field: showSubtitle - label: Show Query in Dropdown. Must be true or false - regex: ^(true|false)$ + label: Show Query in Dropdown. + forcedType: bool queryToggleFilters: description: Customize togglable query filters that apply to all queries. Exclusive toggles will invert the filter if toggled off rather than omitting the filter from the query. global: True From 6a5377ceac38fc35222257ceb9fbc1704614e907 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Wed, 5 Mar 2025 14:39:01 -0600 Subject: [PATCH 111/120] bump version --- salt/kibana/defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/kibana/defaults.yaml b/salt/kibana/defaults.yaml index a4be3787f..2446821f1 100644 --- a/salt/kibana/defaults.yaml +++ b/salt/kibana/defaults.yaml @@ -22,7 +22,7 @@ kibana: - default - file migrations: - discardCorruptObjects: "8.17.2" + discardCorruptObjects: "8.17.3" telemetry: enabled: False security: From 3021ed5d36f7fce48560042d7111b100d1aa1dd8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 15:56:26 -0500 Subject: [PATCH 112/120] Add Actions --- salt/soc/soc_soc.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 42c56ab52..480f8c5e7 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -63,6 +63,31 @@ soc: description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" + syntax: json + uiElements: + - field: description + label: Description + - field: icon + label: Icon + - field: links + label: Links + required: True + forcedType: "[]string" + multiline: True + - field: name + label: Name + required: True + - field: target + label: Target + - field: jscall + label: JavaScript Call + - field: category + label: Category + options: + - hunt + - alerts + - dashboards + forcedType: "[]string" eventFields: default: &eventFields description: Event fields mappings are defined by the format ":event.module:event.dataset". For example, to customize which fields show for 'syslog' events originating from 'zeek', find the eventField item in the left panel that looks like ':zeek:syslog'. The 'default' entry is used for all events that do not match an existing mapping defined in the list to the left. From 03ebc2d86e882d7a1ca28c0a7278b9d3e68cec45 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 5 Mar 2025 15:58:10 -0500 Subject: [PATCH 113/120] Add Actions --- salt/soc/soc_soc.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 480f8c5e7..8e6ba42a8 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -65,6 +65,9 @@ soc: forcedType: "[]{}" syntax: json uiElements: + - field: name + label: Name + required: True - field: description label: Description - field: icon @@ -74,9 +77,6 @@ soc: required: True forcedType: "[]string" multiline: True - - field: name - label: Name - required: True - field: target label: Target - field: jscall From cce94d96d1843660fed53f5fbc89721e7d1b939a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 6 Mar 2025 11:14:48 -0500 Subject: [PATCH 114/120] Update soc_elasticsearch.yaml to include note about ILM rollover --- salt/elasticsearch/soc_elasticsearch.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index ba85cd7b4..8420611f2 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -133,7 +133,7 @@ elasticsearch: helpLink: elasticsearch.html cold: min_age: - description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True @@ -146,10 +146,11 @@ elasticsearch: helpLink: elasticsearch.html warm: min_age: - description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True + helpLink: elasticsearch.html actions: set_priority: priority: @@ -159,7 +160,7 @@ elasticsearch: helpLink: elasticsearch.html delete: min_age: - description: Minimum age of index. ex. 90d - This determines when the index should be deleted. + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion. regex: ^[0-9]{1,5}d$ forcedType: string global: True @@ -288,7 +289,7 @@ elasticsearch: helpLink: elasticsearch.html warm: min_age: - description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. + description: Minimum age of index. ex. 30d - This determines when the index should be moved to the warm tier. Nodes in the warm tier generally don’t need to be as fast as those in the hot tier. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and warm min_age set to 30 then there will be 30 days from index creation to rollover and then an additional 30 days before moving to warm tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True @@ -315,7 +316,7 @@ elasticsearch: helpLink: elasticsearch.html cold: min_age: - description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. + description: Minimum age of index. ex. 60d - This determines when the index should be moved to the cold tier. While still searchable, this tier is typically optimized for lower storage costs rather than search speed. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and cold min_age set to 60 then there will be 30 days from index creation to rollover and then an additional 60 days before moving to cold tier. regex: ^[0-9]{1,5}d$ forcedType: string global: True @@ -331,7 +332,7 @@ elasticsearch: helpLink: elasticsearch.html delete: min_age: - description: Minimum age of index. This determines when the index should be deleted. + description: Minimum age of index. ex. 90d - This determines when the index should be deleted. It’s important to note that this is calculated relative to the rollover date (NOT the original creation date of the index). For example, if you have an index that is set to rollover after 30 days and delete min_age set to 90 then there will be 30 days from index creation to rollover and then an additional 90 days before deletion. regex: ^[0-9]{1,5}d$ forcedType: string global: True From bad0031829714e79e571145b9dd735dcfa6e2f38 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Mar 2025 20:58:23 -0500 Subject: [PATCH 115/120] Update soc_soc.yaml --- salt/soc/soc_soc.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 8e6ba42a8..64248f639 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -60,7 +60,7 @@ soc: - warn - error actions: - description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The action must be defined in JSON object format, and contain a "name" key and "links" key. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. + description: A list of actions a user can take from the SOC UI against a hunt, alert, and other records. The links is a list of URLs, where the most suitable URL in the list will be the selected URL when the user clicks the action. global: True forcedType: "[]{}" syntax: json @@ -517,7 +517,7 @@ soc: description: Number of items to show in the most recently used queries list. Larger values cause default queries to be located further down the list. global: True queries: - description: List of default queries to show in the query list. Each query is represented in JSON object notation, and must include the "name" key and "query" key. + description: List of default queries to show in the query list. global: True forcedType: "[]{}" syntax: json From 14e95f4898ecca5c5c8c404d3b85d9cf109b763f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 6 Mar 2025 21:01:45 -0500 Subject: [PATCH 116/120] Update soc_soc.yaml --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 64248f639..da6d708e7 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon + label: Icon Example: fa-shuttle-space - field: links label: Links required: True From 3037dc7c38a6ec5ec60005cf960a66beb7a3f7b6 Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Fri, 7 Mar 2025 07:13:27 -0500 Subject: [PATCH 117/120] Update soc_soc.yaml to fix previous change --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index da6d708e7..7153c7b5c 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon Example: fa-shuttle-space + label: Icon (Example - fa-shuttle-space) - field: links label: Links required: True From 2af05b9a23038b5fd6bbef491c336d1294e4dc2d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 7 Mar 2025 08:24:19 -0500 Subject: [PATCH 118/120] switch back to colon for better clarity --- salt/soc/soc_soc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml index 7153c7b5c..b0ecfdbc1 100644 --- a/salt/soc/soc_soc.yaml +++ b/salt/soc/soc_soc.yaml @@ -71,7 +71,7 @@ soc: - field: description label: Description - field: icon - label: Icon (Example - fa-shuttle-space) + label: "Icon (Example: fa-shuttle-space)" - field: links label: Links required: True From 4dd72ad15c54254f6dece22f80faaf6a01ebc6e8 Mon Sep 17 00:00:00 2001 From: reyesj2 <94730068+reyesj2@users.noreply.github.com> Date: Fri, 7 Mar 2025 17:05:13 -0600 Subject: [PATCH 119/120] fix osquery action_data mapping conflict Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com> --- salt/elasticsearch/defaults.yaml | 2 +- .../logs-osquery_manager.result@custom.json | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+), 1 deletion(-) create mode 100644 salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 02e2f7ccb..7b38ed0bb 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -2742,7 +2742,7 @@ elasticsearch: - logs-osquery_manager.actions ignore_missing_component_templates: [] index_patterns: - - .logs-osquery_manager.actions* + - .logs-osquery_manager.actions-* priority: 501 template: settings: diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json new file mode 100644 index 000000000..83a68c814 --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-osquery_manager.result@custom.json @@ -0,0 +1,49 @@ +{ + "template": { + "mappings": { + "dynamic_templates": [ + { + "action_data.ecs_mapping": { + "path_match": "action_data.ecs_mapping.*", + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], + "properties": { + "action_data": { + "dynamic": true, + "type": "object", + "properties": { + "ecs_mapping": { + "dynamic": true, + "type": "object" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_query_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } +} \ No newline at end of file From a9484b4ca92a4eb101da53b9d41fc9c389f8c3fe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 11 Mar 2025 12:01:01 -0400 Subject: [PATCH 120/120] 2.4.130 --- DOWNLOAD_AND_VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.4.130-20250311.iso.sig | Bin 0 -> 566 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.4.130-20250311.iso.sig diff --git a/DOWNLOAD_AND_VERIFY_ISO.md b/DOWNLOAD_AND_VERIFY_ISO.md index b619315c8..c84462fd6 100644 --- a/DOWNLOAD_AND_VERIFY_ISO.md +++ b/DOWNLOAD_AND_VERIFY_ISO.md @@ -1,17 +1,17 @@ -### 2.4.120-20250212 ISO image released on 2025/02/12 +### 2.4.130-20250311 ISO image released on 2025/03/11 ### Download and Verify -2.4.120-20250212 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso +2.4.130-20250311 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.4.130-20250311.iso -MD5: 3FF09F50AB1C9318CF0862DE9816102D -SHA1: 197AFA5A85C5CF95D0289FCD21BED7615FB8DB5C -SHA256: A59D94B09EEB39D8C2B6D0808792EC479B13D96FA7B32C3BEEFB6709C93F6692 +MD5: 4641CA710570CCE18CD7D50653373DC0 +SHA1: 786EF73F7945FDD80126C9AE00BDD29E58743715 +SHA256: 48C7A042F20C46B8087BAE0F971696DADE9F9364D52F416718245C16E7CCB977 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.130-20250311.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS @@ -25,22 +25,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2. Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.120-20250212.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.130-20250311.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.4.120-20250212.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.4.130-20250311.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.4.120-20250212.iso.sig securityonion-2.4.120-20250212.iso +gpg --verify securityonion-2.4.130-20250311.iso.sig securityonion-2.4.130-20250311.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 11 Feb 2025 05:26:33 PM EST using RSA key ID FE507013 +gpg: Signature made Mon 10 Mar 2025 06:30:49 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.4.130-20250311.iso.sig b/sigs/securityonion-2.4.130-20250311.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..d9f5c6ed9b569e0861c8d2ae4e6173e1e00c2550 GIT binary patch literal 566 zcmV-60?GY}0y6{v0SEvc79j-41gSkXz6^6dp_W8^5Ma0dP;e6k0%y-?82}0i5PT3| zxBgIY6X)9y0E3)`6`P_jNJ{f~T3h=#&Q zH%706CJj$x8=T8@HO(c6-}f4###qP8cO$Km{m8KzZp?t*_War39}CI5?xYk6i6Wiy z7bte522!FHf;OlljSUhziSOi7W^`^iyGV4JZW8u2zBV7v>PrO--k&($8C;9b<5`dM zW!uCPyK1XTYzDUdQyH*8>j`?iIdQZNQ@5W1qb*Bp9&w7kZIp5?ojqIZXL0{VRRf*4263O=E}GwKxGKKu#%tP3z6g9K=*mG2B7W=kRV)UPHy75pXWa+AO#h#rE|t;4ahOKwWRwT< zb*p=~lG-BhWFzz+WBS75cxRYf-)yT{l%p{tSs8_lLCD3h3sd?S8X(WQ2%e}r!qKX9 z&r_*D(jzwR;D;&*WjO8mJjeX*%{wYWrJn!LM+w68*j!B+|Bf~9oDx1k&qIMiFdrCl z%781)usj*IEq(AJ-U&IeoG36y4Qv-bA74KWvcaBj({W7jvGTFJb;N_}2D~dV`>0_? zanoBhp0TrbVwJpml^tNtr--kjzJ!^SLT}f=nLLG~@FIvSgj64fw798;Y}_#b_5!}P E->Rb!T>t<8 literal 0 HcmV?d00001