diff --git a/salt/elasticsearch/templates/so/so-case-template.json.jinja b/salt/elasticsearch/templates/so/so-case-template.json.jinja index d05cc9852..ca58b02a7 100644 --- a/salt/elasticsearch/templates/so/so-case-template.json.jinja +++ b/salt/elasticsearch/templates/so/so-case-template.json.jinja @@ -36,11 +36,11 @@ "@timestamp": { "type": "date" }, - "kind": { + "so_kind": { "type": "keyword", "ignore_above": 1024 }, - "operation": { + "so_operation": { "type": "keyword", "ignore_above": 1024 }, @@ -48,7 +48,7 @@ "type": "keyword", "ignore_above": 1024 }, - "artifact": { + "so_artifact": { "properties": { "artifactType": { "type": "keyword", @@ -121,7 +121,7 @@ } } }, - "artifactstream": { + "so_artifactstream": { "properties": { "content": { "type": "text" @@ -135,7 +135,7 @@ } } }, - "case": { + "so_case": { "properties": { "assigneeId": { "type": "keyword", @@ -193,7 +193,7 @@ } } }, - "comment": { + "so_comment": { "properties": { "caseId": { "type": "keyword", @@ -211,7 +211,7 @@ } } }, - "related": { + "so_related": { "properties": { "caseId": { "type": "keyword", @@ -220,56 +220,6 @@ "createTime": { "type": "date" }, - "fields": { - "properties": { - "@timestamp": { - "type": "date" - }, - "event": { - "properties": { - "dataset": { - "type": "keyword", - "ignore_above": 1024 - }, - "module": { - "type": "keyword", - "ignore_above": 1024 - }, - "category": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, - "message": { - "type": "text" - }, - "scan":{ - "type":"object", - "dynamic": true, - "properties":{ - "exiftool":{ - "type":"text" - }, - "pe":{ - "properties":{ - "sections":{ - "properties":{ - "entropy":{ - "type": "float" - } - } - } - } - } - } - }, - "tags": { - "type": "keyword", - "ignore_above": 1024 - } - } - }, "userId": { "type": "keyword", "ignore_above": 1024 diff --git a/salt/soc/files/soc/cases.eventfields.json b/salt/soc/files/soc/cases.eventfields.json index 901c34345..d719fb45a 100644 
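Review bot: Removing the explicit `fields` mapping under `so_related` hands the event payload attached to related events (`event.*`, `message`, `scan.*`, `tags`, and whatever else an event carries) to the template's dynamic-mapping setting, which is outside this hunk. If that setting is dynamic, every new key in an attached event becomes a mapped field, so a noisy or adversarially shaped event can push the index toward the total-fields limit or create type conflicts that reject later case writes; if it is `false`, searches on `so_related.fields.*` silently stop matching. The old mapping already opened `scan` dynamically, so this widens rather than introduces that exposure, but the intent should be stated in the mapping rather than inherited, e.g. `"fields": { "type": "object", "dynamic": false }` when the payload only needs to be stored and returned, or a bounded explicit mapping if it is searched. The enclosing `so_related` properties block starts in the previous hunk and continues past the end of this one.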
--- a/salt/soc/files/soc/cases.eventfields.json
+++ b/salt/soc/files/soc/cases.eventfields.json
@@ -1,3 +1,3 @@
 {
- "default": ["soc_timestamp", "case.title", "case.status", "case.severity", "case.createTime"]
+ "default": ["soc_timestamp", "so_case.title", "so_case.status", "so_case.severity", "so_case.createTime"]
 }
\ No newline at end of file
diff --git a/salt/soc/files/soc/cases.queries.json b/salt/soc/files/soc/cases.queries.json
index e08ca51ac..59bd2672f 100644
--- a/salt/soc/files/soc/cases.queries.json
+++ b/salt/soc/files/soc/cases.queries.json
@@ -1,7 +1,7 @@
 [
- { "name": "Open Cases", "query": "NOT case.status:closed AND NOT case.category:template" },
- { "name": "Closed Cases", "query": "case.status:closed AND NOT case.category:template" },
- { "name": "My Open Cases", "query": "NOT case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },
- { "name": "My Closed Cases", "query": "case.status:closed AND NOT case.category:template AND case.assigneeId:{myId}" },
- { "name": "Templates", "query": "case.category:template" }
+ { "name": "Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template" },
+ { "name": "Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template" },
+ { "name": "My Open Cases", "query": "NOT so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
+ { "name": "My Closed Cases", "query": "so_case.status:closed AND NOT so_case.category:template AND so_case.assigneeId:{myId}" },
+ { "name": "Templates", "query": "so_case.category:template" }
 ]
\ No newline at end of file
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 2d68b2b28..fbb41e1e3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -211,7 +211,7 @@
 "viewEnabled": true,
 "createLink": "/case/create",
 "eventFields": {{ cases_eventfields | json }},
- "queryBaseFilter": "_index:\"*:so-case\" AND kind:case",
+ "queryBaseFilter": "_index:\"*:so-case\" AND so_kind:case",
 "queryToggleFilters": [
 ],
 "queries": {{ cases_queries | json }},
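Review bot: The base filter now requires `so_kind:case`, but an index template only affects indices created after it is updated, so documents already stored in existing `so-case` indices under the old `kind`/`case.*` names will no longer match this filter or the case queries unless a reindex or update-by-query migration ships with this change, and none is visible in this diff. If such a migration exists elsewhere in the release, a Jinja comment next to this line pointing to it would save the next maintainer the search; if it does not, a transitional filter such as `"_index:\"*:so-case\" AND (so_kind:case OR kind:case)"` keeps pre-existing cases visible until the data is rewritten. The `_index:\"*:so-case\"` clause is unchanged and still scopes the query to case indices.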