CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-03-23 21:12:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: CSEC_PUBLIC:2.4.3-20230711
Branches Tags
CSEC_PUBLIC:master CSEC_PUBLIC:3/dev CSEC_PUBLIC:reyesj2-361 CSEC_PUBLIC:delta CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3
...
compare: CSEC_PUBLIC:2.4.4-20230728
Branches Tags
CSEC_PUBLIC:3/dev CSEC_PUBLIC:reyesj2-361 CSEC_PUBLIC:delta CSEC_PUBLIC:jertel/wip CSEC_PUBLIC:zeek-websocket CSEC_PUBLIC:quickfixes CSEC_PUBLIC:customulimit CSEC_PUBLIC:ulimits CSEC_PUBLIC:reyesj2-449 CSEC_PUBLIC:reyesj2-15601 CSEC_PUBLIC:zeekload CSEC_PUBLIC:moreja CSEC_PUBLIC:analyzer-cp314-wheels CSEC_PUBLIC:moresoup CSEC_PUBLIC:mreeves/remove-non-oracle9-salt CSEC_PUBLIC:mreeves/remove-non-oracle9-support CSEC_PUBLIC:TOoSmOotH-patch-6 CSEC_PUBLIC:2.4/dev CSEC_PUBLIC:2.4/main CSEC_PUBLIC:patch/2.4.211 CSEC_PUBLIC:TOoSmOotH-patch-5 CSEC_PUBLIC:stenoclean CSEC_PUBLIC:fix/suricatatest CSEC_PUBLIC:bravo CSEC_PUBLIC:kilo CSEC_PUBLIC:foxtrot CSEC_PUBLIC:3/dev-merge-fix CSEC_PUBLIC:2.4.210 CSEC_PUBLIC:TOoSmOotH-patch-2 CSEC_PUBLIC:3/main CSEC_PUBLIC:patch/2.4.201 CSEC_PUBLIC:reyesj2/elastic-statereview CSEC_PUBLIC:2.4/playbooklocalrepo CSEC_PUBLIC:kaffytaffy CSEC_PUBLIC:2.3/main CSEC_PUBLIC:master CSEC_PUBLIC:dev CSEC_PUBLIC:sysusers CSEC_PUBLIC:feature/users
CSEC_PUBLIC:2.4.211-20260312 CSEC_PUBLIC:2.4.210-20260302 CSEC_PUBLIC:2.4.201-20260114 CSEC_PUBLIC:2.4.200-20251216 CSEC_PUBLIC:2.4.190-20251024 CSEC_PUBLIC:2.4.180-20250916 CSEC_PUBLIC:2.4.170-20250812 CSEC_PUBLIC:2.4.160-20250625 CSEC_PUBLIC:2.4.160-20250615 CSEC_PUBLIC:2.4.150-20250522 CSEC_PUBLIC:2.4.150-20250512 CSEC_PUBLIC:2.4.141-20250331 CSEC_PUBLIC:2.4.140-20250324 CSEC_PUBLIC:2.4.130-20250311 CSEC_PUBLIC:2.4.120-20250212 CSEC_PUBLIC:2.4.111-20241217 CSEC_PUBLIC:2.4.110-20241010 CSEC_PUBLIC:2.4.110-20241004 CSEC_PUBLIC:2.4.100-20240903 CSEC_PUBLIC:2.4.100-20240829 CSEC_PUBLIC:2.4.90-20240729 CSEC_PUBLIC:2.4.80-20240624 CSEC_PUBLIC:2.4.80-20240625 CSEC_PUBLIC:2.4.70-20240529 CSEC_PUBLIC:2.3.300-20240401 CSEC_PUBLIC:2.4.60-20240320 CSEC_PUBLIC:2.3.290-20240229 CSEC_PUBLIC:2.4.50-20240220 CSEC_PUBLIC:2.4.40-20240116 CSEC_PUBLIC:2.4.30-20231228 CSEC_PUBLIC:2.4.30-20231219 CSEC_PUBLIC:2.4.30-20231204 CSEC_PUBLIC:2.3.280-20231128 CSEC_PUBLIC:2.4.30-20231121 CSEC_PUBLIC:2.4.30-20231117 CSEC_PUBLIC:2.4.30-20231113 CSEC_PUBLIC:2.4.20-20231012 CSEC_PUBLIC:2.4.20-20231006 CSEC_PUBLIC:2.3.270-1006 CSEC_PUBLIC:2.4.10-202030821 CSEC_PUBLIC:2.4.10-20230815 CSEC_PUBLIC:2.4.5-20230807 CSEC_PUBLIC:2.4.5 CSEC_PUBLIC:2.4.4-20230728 CSEC_PUBLIC:2.4.3-20230711 CSEC_PUBLIC:2.3.260-20230620 CSEC_PUBLIC:2.4.2-20230531 CSEC_PUBLIC:2.3.250-20230519 CSEC_PUBLIC:2.3.240-20220426 CSEC_PUBLIC:2.4.1-20230424 CSEC_PUBLIC:2.3.230-20230417 CSEC_PUBLIC:2.4.0-20230328 CSEC_PUBLIC:2.3.220-20230301 CSEC_PUBLIC:2.3.220-20230224 CSEC_PUBLIC:2.3.210-20230202 CSEC_PUBLIC:2.3.200-20230113 CSEC_PUBLIC:2.3.190-20221207 CSEC_PUBLIC:2.3.190-20221205 CSEC_PUBLIC:2.3.182-20221109 CSEC_PUBLIC:2.3.181-20221021 CSEC_PUBLIC:2.3.180-20221014 CSEC_PUBLIC:2.3.170-20220922 CSEC_PUBLIC:2.3.160-20220829 CSEC_PUBLIC:2.3.150-20220820 CSEC_PUBLIC:2.3.140-20220812 CSEC_PUBLIC:2.3.140-20220719 CSEC_PUBLIC:2.3.140-20220718 CSEC_PUBLIC:2.3.130-20220607 CSEC_PUBLIC:2.3.120 CSEC_PUBLIC:2.3.110-20220407 CSEC_PUBLIC:2.3.110-20220405 CSEC_PUBLIC:2.3.110-20220401 CSEC_PUBLIC:2.3.110-20220309 CSEC_PUBLIC:2.3.100-20220301 CSEC_PUBLIC:2.3.100-20220203 CSEC_PUBLIC:2.3.100-20220202 CSEC_PUBLIC:2.3.100 CSEC_PUBLIC:2.3.91 CSEC_PUBLIC:2.3.90-20211213 CSEC_PUBLIC:2.3.90-20211210 CSEC_PUBLIC:2.3.90-20211206 CSEC_PUBLIC:2.3.90-AIRGAPFIX CSEC_PUBLIC:2.3.90-WAZUH CSEC_PUBLIC:2.3.90 CSEC_PUBLIC:2.3.80 CSEC_PUBLIC:2.3.70-WAZUH CSEC_PUBLIC:2.3.70-GRAFANA CSEC_PUBLIC:2.3.70-CURATOR CSEC_PUBLIC:2.3.70 CSEC_PUBLIC:2.3.61MSEARCH CSEC_PUBLIC:2.3.61STENODOCKER CSEC_PUBLIC:2.3.61 CSEC_PUBLIC:2.3.60CURATORAUTH CSEC_PUBLIC:2.3.60FBPIPELINE CSEC_PUBLIC:2.3.60HEAVYNODE CSEC_PUBLIC:2.3.60ECS CSEC_PUBLIC:2.3.60 CSEC_PUBLIC:2.3.52 CSEC_PUBLIC:2.3.51 CSEC_PUBLIC:2.3.50GRIDFIX CSEC_PUBLIC:2.3.50 CSEC_PUBLIC:2.3.40 CSEC_PUBLIC:2.3.30 CSEC_PUBLIC:2.3.21 CSEC_PUBLIC:2.3.20 CSEC_PUBLIC:2.3.10 CSEC_PUBLIC:2.3.2 CSEC_PUBLIC:2.3.1 CSEC_PUBLIC:2.3.0 CSEC_PUBLIC:2.2.0-rc3 CSEC_PUBLIC:2.1.0-rc2 CSEC_PUBLIC:2.0.1-rc1.1 CSEC_PUBLIC:2.0.1-rc1 CSEC_PUBLIC:2.0.0-rc1 CSEC_PUBLIC:1.4.1 CSEC_PUBLIC:1.4.0 CSEC_PUBLIC:1.3.0 CSEC_PUBLIC:1.2.1-1 CSEC_PUBLIC:1.2.1 CSEC_PUBLIC:1.1.4 CSEC_PUBLIC:1.1.3 CSEC_PUBLIC:1.0.4 CSEC_PUBLIC:v1.0.3

276 Commits
2.4.3-2023 ... 2.4.4-2023

Author SHA1 Message Date
Mike Reeves
bee429fe29 Merge pull request #10868 from Security-Onion-Solutions/2.4/dev 
2.4.4
 2023-07-28 16:00:45 -04:00
Mike Reeves
ed21b94c28 Merge pull request #10867 from Security-Onion-Solutions/2.4.4 
2.4.4
 2023-07-28 14:53:23 -04:00
Mike Reeves
2a282a29c3 2.4.4 2023-07-28 14:49:50 -04:00
Mike Reeves
bc09b418ca Merge pull request #10866 from Security-Onion-Solutions/rockyepel 
Rockyepel
 2023-07-28 14:06:36 -04:00
m0duspwnens
6f6db61a69 remove epel-next 2023-07-28 14:04:27 -04:00
m0duspwnens
9fce80dba3 install epel-next after epel-release 2023-07-28 14:01:14 -04:00
Mike Reeves
abfec85e28 Merge pull request #10863 from Security-Onion-Solutions/TOoSmOotH-patch-3 
Update so-functions
 2023-07-28 12:21:20 -04:00
Mike Reeves
9aa655365b Update so-functions 2023-07-28 12:20:15 -04:00
Mike Reeves
9a3760951a Merge pull request #10861 from Security-Onion-Solutions/TOoSmOotH-patch-2 
Update so-functions
 2023-07-28 11:35:49 -04:00
Mike Reeves
0bb5db2e72 Update so-functions 2023-07-28 11:34:30 -04:00
Mike Reeves
2dbc7d8485 Merge pull request #10859 from Security-Onion-Solutions/ordesk 
Ordesk
 2023-07-28 10:56:15 -04:00
Mike Reeves
858e884ec2 Fix Desktop ISO install 2023-07-28 10:52:37 -04:00
Mike Reeves
4672eeb99b Fix Desktop ISO install 2023-07-28 10:51:45 -04:00
Mike Reeves
aa824e7b6c Merge pull request #10857 from Security-Onion-Solutions/ordesk 
Oracle Desktop
 2023-07-28 09:58:46 -04:00
Mike Reeves
bb2a1b9521 Fix Desktop ISO install 2023-07-28 09:46:27 -04:00
Mike Reeves
a1fa87c150 Merge pull request #10853 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Don't restart suricata if it doesn't exist
 2023-07-27 16:38:45 -04:00
Mike Reeves
0c553633b1 Don't restart suricata if it doesn't exist 2023-07-27 16:16:46 -04:00
Josh Patterson
f9850025ea Merge pull request #10852 from Security-Onion-Solutions/2.4/debian 
2.4/debian
 2023-07-27 15:05:23 -04:00
Mike Reeves
65b76d72ca Merge pull request #10850 from Security-Onion-Solutions/ordesk 
Fix packages for desktop
 2023-07-27 14:44:44 -04:00
Mike Reeves
afca15f444 Fix packages for desktop 2023-07-27 14:17:43 -04:00
Mike Reeves
65b9843f14 Fix packages for desktop 2023-07-27 14:11:53 -04:00
m0duspwnens
653e2d8205 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/debian 2023-07-27 10:26:12 -04:00
Josh Patterson
bbaf6df914 Merge pull request #10849 from Security-Onion-Solutions/iptables 
Iptables
 2023-07-27 10:00:46 -04:00
m0duspwnens
bc182c1c43 only run firewalld states if os_family is RedHat 2023-07-27 09:24:41 -04:00
m0duspwnens
fe9b934af6 Merge remote-tracking branch 'origin/2.4/dev' into iptables 2023-07-26 16:32:03 -04:00
m0duspwnens
373298430b only run iptables-restore if config file is valid 2023-07-26 16:31:22 -04:00
Mike Reeves
4a18eb02f3 Merge pull request #10847 from Security-Onion-Solutions/ordesk 
SO Desktop
 2023-07-26 15:53:40 -04:00
m0duspwnens
0aab3e185e dont manage interfaces listed in /etc/network/interfaces for debian 2023-07-26 15:16:44 -04:00
Josh Brower
b1fb05dd28 Merge pull request #10841 from Security-Onion-Solutions/2.4/eqlfields 
Fix formatting
 2023-07-26 11:25:20 -04:00
Josh Brower
9437a47946 Fix formatting 2023-07-26 10:54:24 -04:00
Josh Brower
bdf4f6190d Merge pull request #10829 from Security-Onion-Solutions/2.4/heavynoderedux 
Heavy Node fixes
 2023-07-26 10:41:42 -04:00
Josh Brower
f24a3a51ce Heavy Node fixes 2023-07-25 18:28:41 -04:00
m0duspwnens
ba6043392c reorder whiptail text 2023-07-25 16:18:01 -04:00
m0duspwnens
60eb1611ea upgrade packages for debian and reboot prior to so installation 2023-07-25 16:06:38 -04:00
Josh Brower
3ef6ea9155 Merge pull request #10826 from Security-Onion-Solutions/2.4/navfix 
Upgrade Nav
 2023-07-25 12:26:07 -04:00
Josh Brower
2b38bc778d Upgrade Nav 2023-07-25 12:24:23 -04:00
m0duspwnens
e334d44c95 need quotes for logCmd 2023-07-25 11:03:10 -04:00
m0duspwnens
39662ccf14 import rpm logic change 2023-07-25 10:21:44 -04:00
m0duspwnens
fd69d1c714 remove quotes so sed will work in logCmd 2023-07-25 09:59:02 -04:00
m0duspwnens
63eebdf6ac installer_prereq_packages is run for debian during detect_os so not needed again 2023-07-25 09:58:26 -04:00
Josh Brower
e19845e41d Merge pull request #10819 from Security-Onion-Solutions/fix/elasticsearch_endpoint 
Add endpoint to defaults
 2023-07-25 09:11:06 -04:00
Josh Patterson
c1190064ad Merge pull request #10823 from Security-Onion-Solutions/2.4/dockerips 
2.4/dockerips
 2023-07-25 08:39:49 -04:00
Josh Brower
4f94d953c9 Merge remote-tracking branch 'origin/2.4/dev' into fix/elasticsearch_endpoint 2023-07-25 07:42:59 -04:00
Josh Brower
71a83c1fe9 Merge pull request #10815 from Security-Onion-Solutions/2.4/SigmaMappings 
2.4/sigma mappings
 2023-07-25 07:23:25 -04:00
Wes
5553be02ac Change how tags are added 2023-07-24 21:31:28 +00:00
m0duspwnens
b20fad2839 add missing do 2023-07-24 17:08:01 -04:00
m0duspwnens
16edca7834 fix failed copy paste 2023-07-24 17:06:49 -04:00
m0duspwnens
2545f9907f dont allow 172.17.0.0/24 for custom dockernet 2023-07-24 17:00:20 -04:00
Wes
4efc951eaf Add tags 2023-07-24 20:57:39 +00:00
Doug Burks
d75191d679 Merge pull request #10820 from Security-Onion-Solutions/dougburks-patch-1 
Update README.md
 2023-07-24 15:35:34 -04:00
Doug Burks
ee667a48c9 Update README.md 2023-07-24 15:33:50 -04:00
Josh Brower
067a83a87c Merge pull request #10818 from Security-Onion-Solutions/2.4/fixnavigator 
Update & Fix Navigator
 2023-07-24 15:13:09 -04:00
Wes
d84dbf9535 Add fleet 2023-07-24 18:53:52 +00:00
m0duspwnens
d71254ad29 only add custom docker net to pillar 2023-07-24 14:47:14 -04:00
Wes
de7b7ff989 Add endpoint 2023-07-24 18:35:02 +00:00
Josh Brower
510900e640 Update & Fix Navigator 2023-07-24 13:56:22 -04:00
m0duspwnens
00483018ca change docker bip to gateway 2023-07-24 13:38:14 -04:00
Mike Reeves
9416a14971 Merge pull request #10816 from Security-Onion-Solutions/gpgoracle 
add oracle key
 2023-07-24 11:02:10 -04:00
Mike Reeves
c9faa1a340 Add gui 2023-07-24 11:00:26 -04:00
m0duspwnens
9bda01bd29 change ranges 2023-07-24 10:40:23 -04:00
Josh Brower
eead0c42d4 Merge remote-tracking branch 'origin/2.4/dev' into 2.4/SigmaMappings 2023-07-24 09:27:14 -04:00
Josh Brower
741e6039c1 Cleanup for Sigma Rules 2023-07-24 09:25:58 -04:00
m0duspwnens
db09b465bd change default docker net/range 2023-07-24 09:23:13 -04:00
Doug Burks
a59f2ded38 Merge pull request #10813 from Security-Onion-Solutions/2.4/fix-packages-sls 
Update packages.sls
 2023-07-24 08:08:11 -04:00
Doug Burks
e2fe04dadc Update packages.sls 2023-07-24 07:10:48 -04:00
Doug Burks
563bf2ff3a Merge pull request #10812 from Security-Onion-Solutions/fuse 
Update packages.sls
 2023-07-24 06:48:47 -04:00
Mike Reeves
07eeb4e2a0 Update packages.sls 2023-07-23 21:07:19 -04:00
Mike Reeves
5dc5b99b05 Add gui 2023-07-21 18:00:01 -04:00
Mike Reeves
ba69c67dc2 Add gui 2023-07-21 17:30:17 -04:00
Mike Reeves
d1d5f8a2b6 Add gui 2023-07-21 17:28:09 -04:00
Mike Reeves
48324911ce Add gui 2023-07-21 17:18:03 -04:00
m0duspwnens
4b0126a2e7 fix split 2023-07-21 17:10:51 -04:00
Mike Reeves
8a3c2e7242 Add gui 2023-07-21 17:06:38 -04:00
m0duspwnens
f55c1a4078 DOCKERBIP change 2023-07-21 16:59:22 -04:00
m0duspwnens
c4d81a249a remove /24 from DOCKERBIP 2023-07-21 16:36:03 -04:00
m0duspwnens
4c9d172721 sorange to range 2023-07-21 16:21:18 -04:00
m0duspwnens
36a936d3d6 docker ips changes 2023-07-21 16:06:52 -04:00
coreyogburn
d6164446c6 Merge pull request #10809 from Security-Onion-Solutions/cogburn/8655 
Added ReverseLookup Option
 2023-07-21 13:38:38 -06:00
Corey Ogburn
bb7a918a16 Added ReverseLookup Option 
Defaults to false, has metadata to show up in the config section of soc.
 2023-07-21 13:18:08 -06:00
weslambert
be254b15f2 Merge pull request #10804 from Security-Onion-Solutions/fix/fleet_logging 
Fleet logging
 2023-07-20 15:51:56 -04:00
weslambert
83e1e3efdc Merge pull request #10788 from Security-Onion-Solutions/fix/elastic_mappings 
Fix user name mapping and remove security subfield
 2023-07-20 15:51:42 -04:00
Mike Reeves
7c48f9d6ec Merge pull request #10806 from Security-Onion-Solutions/newrhel 
For Phil
 2023-07-20 14:41:05 -04:00
Mike Reeves
f2947de0ca Add epel-next 2023-07-20 12:13:36 -04:00
Wes
d07c46f27e Change playbook and sysmon 2023-07-20 16:08:50 +00:00
Mike Reeves
47e418a441 Add epel-next 2023-07-20 12:07:26 -04:00
Mike Reeves
87b1207ac0 Merge pull request #10805 from Security-Onion-Solutions/alma 
Test Alma
 2023-07-20 10:57:19 -04:00
Mike Reeves
a86cbaa6fa Merge pull request #10803 from Security-Onion-Solutions/TOoSmOotH-patch-1 
Update needs_restarting.py
 2023-07-20 10:55:11 -04:00
Wes
c68cd6cf33 Fix typo 2023-07-20 14:39:35 +00:00
Josh Patterson
3071a1de41 Update map.jinja 2023-07-20 08:42:27 -04:00
Josh Patterson
e75d0c8094 Update needs_restarting.py 2023-07-20 08:36:27 -04:00
Mike Reeves
14c685ab10 Update needs_restarting.py 2023-07-20 08:32:19 -04:00
Mike Reeves
54082858dc Update needs_restarting.py 2023-07-20 08:25:13 -04:00
Wes
4b7e7978ef Add final pipeline 2023-07-19 19:56:54 +00:00
Josh Patterson
066de70638 Merge pull request #10799 from Security-Onion-Solutions/2.4/mysql 
whiptails for ubuntu focal
 2023-07-19 15:55:32 -04:00
m0duspwnens
19c6796927 only allow existing deployment for focal 2023-07-19 15:38:18 -04:00
m0duspwnens
77c9b4fb54 remove OTHER 2023-07-19 15:35:28 -04:00
m0duspwnens
3104137190 install type whiptail for focal 2023-07-19 15:31:09 -04:00
Josh Patterson
c8b65ecca0 Merge pull request #10798 from Security-Onion-Solutions/2.4/mysql 
2.4/mysql
 2023-07-19 14:55:35 -04:00
Mike Reeves
555c881235 Test Alma 2023-07-19 14:48:12 -04:00
m0duspwnens
0ac9a1f9cc Merge remote-tracking branch 'origin/2.4/dev' into 2.4/mysql 2023-07-19 14:41:03 -04:00
m0duspwnens
3c0554a42c queue states during so-playbook-reset 2023-07-19 14:40:29 -04:00
Wes
0b19179630 Add logrotate 2023-07-19 15:17:42 +00:00
Wes
30a14f8aaf Add logging 2023-07-19 15:00:20 +00:00
Wes
877fc36013 Add log dir 2023-07-19 14:57:24 +00:00
Mike Reeves
a892adb66f Merge pull request #10668 from Security-Onion-Solutions/centos 
CentOS Stream Support
 2023-07-19 10:41:38 -04:00
Mike Reeves
a49b05661d Merge pull request #10794 from Security-Onion-Solutions/2.4/mysql 
2.4/mysql
 2023-07-19 10:40:37 -04:00
Jason Ertel
266fc4e866 Merge pull request #10792 from Security-Onion-Solutions/regup 
upgrade registry version
 2023-07-19 10:00:40 -04:00
Wes
b738325880 Remove keyword 2023-07-19 13:55:12 +00:00
m0duspwnens
ad7821391d Merge remote-tracking branch 'origin/2.4/dev' into 2.4/mysql 2023-07-19 09:54:54 -04:00
m0duspwnens
1b0c146b54 get rid of mysql error: mbind: Operation not permitted 2023-07-19 09:54:00 -04:00
Wes
1848a835f5 Remove keyword 2023-07-19 13:52:15 +00:00
Jason Ertel
23cc75c68d upgrade registry version 2023-07-19 09:51:07 -04:00
weslambert
17fcf12608 Merge pull request #10791 from Security-Onion-Solutions/fix/elastic_clear 
Set delete for interactive
 2023-07-19 08:27:00 -04:00
Wes
6a8737e9a2 Set delete for interactive 2023-07-19 12:21:47 +00:00
m0duspwnens
9543058a2c Merge remote-tracking branch 'origin/2.4/dev' into 2.4/mysql 2023-07-18 16:51:52 -04:00
m0duspwnens
b66cd82110 fix depreciations 2023-07-18 16:50:34 -04:00
weslambert
41ebb403ca Merge pull request #10787 from Security-Onion-Solutions/fix/elastic_clear 
Use new agent scripts for Elastic clear command
 2023-07-18 16:15:27 -04:00
Mike Reeves
c94436fcbd fix other OS installs 2023-07-18 15:19:10 -04:00
Wes
a59eda319e Remove security subfield 2023-07-18 19:00:50 +00:00
Wes
8a76975d8c Use new agent scripts 2023-07-18 18:43:57 +00:00
Mike Reeves
737da45e7f fix other OS installs 2023-07-18 14:02:13 -04:00
m0duspwnens
df1bf8e67b restart mysql container if config or pass changes 2023-07-18 13:41:26 -04:00
Mike Reeves
f95757c551 fix other OS installs 2023-07-18 11:58:49 -04:00
Mike Reeves
5e46138961 fix other OS installs 2023-07-18 11:55:51 -04:00
Mike Reeves
dc8aa4d923 fix other OS installs 2023-07-18 11:53:55 -04:00
Wes
1d3e39b6bd Map user name to keyword and remove security subfield generation 2023-07-18 14:46:47 +00:00
Mike Reeves
9ad7303cf2 fix other OS installs 2023-07-17 16:44:55 -04:00
Mike Reeves
b1daa22dfc fix other OS installs 2023-07-17 16:40:35 -04:00
Mike Reeves
49c4edbcbe fix other OS installs 2023-07-17 16:33:47 -04:00
Mike Reeves
f4c3103f84 fix other OS installs 2023-07-17 16:24:51 -04:00
Mike Reeves
a2aea5530b Merge pull request #10779 from Security-Onion-Solutions/palletethings 
Palletethings
 2023-07-17 16:20:44 -04:00
Mike Reeves
01234f87f9 fix other OS installs 2023-07-17 16:20:32 -04:00
m0duspwnens
5d4186ac07 different whiptail warning if ubuntu 20.04 2023-07-17 15:56:29 -04:00
m0duspwnens
425ca35a22 Merge remote-tracking branch 'origin/centos' into palletethings 2023-07-17 13:58:00 -04:00
m0duspwnens
fe5ca3a0c8 set palette after detecting os and before whiptail 2023-07-17 13:51:14 -04:00
Mike Reeves
7fad710ca1 fix other OS installs 2023-07-17 13:51:01 -04:00
Mike Reeves
8d6c2600c9 fix other OS installs 2023-07-17 13:49:08 -04:00
Mike Reeves
38c7ea0801 fix other OS installs 2023-07-17 13:44:02 -04:00
Mike Reeves
abe0a9ec27 fix other OS installs 2023-07-17 11:03:28 -04:00
Mike Reeves
f0f8513370 fix other OS installs 2023-07-17 11:02:34 -04:00
Mike Reeves
bffd24e0d5 fix other OS installs 2023-07-17 10:55:04 -04:00
Mike Reeves
71cbab8fcc fix other OS installs 2023-07-17 10:47:24 -04:00
weslambert
6816d06710 Merge pull request #10766 from Security-Onion-Solutions/fix/elastic-agent-scripts 
Add agent scripts
 2023-07-17 10:46:54 -04:00
Wes
d19615f743 Fix typo 2023-07-17 14:42:27 +00:00
Mike Reeves
894e009b95 fix other OS installs 2023-07-17 10:34:14 -04:00
Wes
1a4515fc8a Split restart into stop and start 2023-07-17 14:30:51 +00:00
Wes
31696803e1 Use correct name 2023-07-17 14:28:12 +00:00
Wes
e715dfa354 Remove sbin 2023-07-17 14:27:39 +00:00
Wes
c723a09107 Remove agent installer generation script 2023-07-14 21:45:25 +00:00
Wes
8cf3ceeb71 Update agent scripts 2023-07-14 21:43:03 +00:00
Mike Reeves
921fc95668 Fix logic 2023-07-14 14:35:51 -04:00
Doug Burks
9e42fb927d Add RPM-GPG-KEY-oracle 2023-07-14 14:04:36 -04:00
Mike Reeves
87d72e852c Fix logic 2023-07-14 13:45:31 -04:00
m0duspwnens
ba2782c5e7 patch x509_v2.py 2023-07-14 13:22:40 -04:00
Mike Reeves
9169fca9f8 Merge branch '2.4/dev' into centos 2023-07-14 13:17:52 -04:00
Mike Reeves
1028fb1346 Fix ISO install 2023-07-14 13:17:20 -04:00
Josh Brower
6846487909 Merge pull request #10765 from Security-Onion-Solutions/2.4/FleetEnhancements 
Retry install
 2023-07-14 13:07:25 -04:00
Josh Brower
2cc0c4c0ac Automatically Update ES URLs 2023-07-14 12:07:32 -04:00
Mike Reeves
5a5b643155 Fix ISO install 2023-07-14 12:04:30 -04:00
Josh Patterson
e97bec2bc1 Merge pull request #10769 from Security-Onion-Solutions/wtinstalltype 
Wtinstalltype
 2023-07-14 09:22:40 -04:00
Josh Brower
78db64a419 Auto-managed Fleet Server URLs 2023-07-14 08:40:26 -04:00
m0duspwnens
55d32c5b98 merge and fix conflicts 2023-07-14 08:37:03 -04:00
Mike Reeves
333213d1dd Multi OS Support 2023-07-13 18:40:48 -04:00
Mike Reeves
03b16a5582 Multi OS Support 2023-07-13 18:29:02 -04:00
Mike Reeves
20c76abac4 Multi OS Support 2023-07-13 18:27:21 -04:00
m0duspwnens
4158e18675 warn of unsupported os 2023-07-13 16:38:51 -04:00
Mike Reeves
f0c391e801 Multi OS Support 2023-07-13 15:05:51 -04:00
weslambert
922a77ac55 Merge pull request #10762 from Security-Onion-Solutions/fix/integration_elasticsearch 
Allow Elasticsearch integration policy
 2023-07-13 14:42:23 -04:00
weslambert
a62f96595c Merge pull request #10763 from Security-Onion-Solutions/fix/strelka_pe 
Strelka entropy and pe fixes
 2023-07-13 14:42:12 -04:00
Josh Brower
fb8a79e112 Retry install 2023-07-13 13:15:01 -04:00
Mike Reeves
782a3eccfe Initial Oracle support 2023-07-13 11:29:18 -04:00
Mike Reeves
2c996fe7ad Initial Oracle support 2023-07-13 10:54:04 -04:00
weslambert
0c177ec923 Allow Elasticsearch integration policy 2023-07-13 10:46:59 -04:00
Wes
41f00c0aa1 Add agent scripts 2023-07-13 14:32:22 +00:00
Mike Reeves
05b30771c5 Initial Oracle support 2023-07-13 10:29:06 -04:00
Wes
e3249c8e4c Wrap values in quotes for proper conversion 2023-07-13 14:18:57 +00:00
Mike Reeves
a0b6e1076f Initial Oracle support 2023-07-13 10:04:55 -04:00
weslambert
85bb5a327c Fix long vs float for pe version 2023-07-13 09:38:09 -04:00
Mike Reeves
68f5c9965a Initial Oracle support 2023-07-13 09:24:01 -04:00
Mike Reeves
727d0443a2 Merge pull request #10757 from Security-Onion-Solutions/TOoSmOotH-patch-5 
Update VERSION
 2023-07-13 08:53:35 -04:00
Mike Reeves
b915cea52f Initial Oracle support 2023-07-13 08:44:20 -04:00
Mike Reeves
d98a1d5ae5 Initial Oracle support 2023-07-13 08:40:09 -04:00
Josh Brower
6f5bb136ff Merge pull request #10753 from Security-Onion-Solutions/2.4/integrationfixes 
Update Integration JSON
 2023-07-13 07:34:32 -04:00
Mike Reeves
695ec149f1 Initial Oracle support 2023-07-12 15:07:26 -04:00
Mike Reeves
50103aebb3 Initial Oracle support 2023-07-12 14:59:36 -04:00
Mike Reeves
6f81e234cd Initial Oracle support 2023-07-12 14:52:23 -04:00
Mike Reeves
7732435b64 Initial Oracle support 2023-07-12 14:49:59 -04:00
Mike Reeves
2cf36f1e8f Initial Oracle support 2023-07-12 14:12:24 -04:00
Mike Reeves
43d63a3187 Update VERSION 2023-07-12 10:59:12 -04:00
Josh Brower
40294e2762 Update Integration JSON 2023-07-12 08:49:36 -04:00
Mike Reeves
a3f79850fe Initial Oracle support 2023-07-10 20:31:49 -04:00
Mike Reeves
b9204cbe99 Initial RHEL support 2023-07-10 12:57:59 -04:00
Mike Reeves
6f7914f3c4 Initial RHEL support 2023-07-10 10:18:09 -04:00
Mike Reeves
0c9e230294 Initial RHEL support 2023-07-10 10:14:47 -04:00
Mike Reeves
fa1d53a309 Add Debian 2023-07-07 13:00:39 -04:00
Mike Reeves
a41b0dbfea Add Debian 2023-07-07 12:59:41 -04:00
Mike Reeves
d28375b304 Add Debian 2023-07-07 12:54:47 -04:00
Mike Reeves
07c0b539d7 Add Debian 2023-07-07 12:53:23 -04:00
Mike Reeves
d18ebd6e36 Add Debian 2023-07-07 12:52:45 -04:00
Mike Reeves
5a642b151b Add Debian 2023-07-07 12:51:17 -04:00
Mike Reeves
0aa4ea3e87 Add Debian 2023-07-07 12:49:11 -04:00
Mike Reeves
efcef90ead Add Debian 2023-07-07 11:37:33 -04:00
Mike Reeves
af56aa4f16 Add Debian 2023-07-07 11:35:11 -04:00
Mike Reeves
d5257468eb Add Debian 2023-07-07 11:31:18 -04:00
Mike Reeves
a3b0db7949 Add Debian 2023-07-07 11:27:42 -04:00
Mike Reeves
5f509eb2d8 Add Debian 2023-07-07 11:24:59 -04:00
Mike Reeves
a38d561684 Add Debian 2023-07-07 11:21:47 -04:00
Mike Reeves
4b559ec182 Add Debian 2023-07-07 11:19:36 -04:00
Mike Reeves
0b209d69e5 Add Debian 2023-07-07 11:02:26 -04:00
Josh Patterson
11493cb615 Merge pull request #10697 from Security-Onion-Solutions/jppcentos 
Jppcentos
 2023-07-05 09:52:01 -04:00
m0duspwnens
0def41f03c Merge remote-tracking branch 'origin/centos' into jppcentos 2023-07-05 08:44:49 -04:00
Mike Reeves
1c191e426f Add some Ubuntu 2023-07-03 16:20:44 -04:00
m0duspwnens
de98baaad4 Merge remote-tracking branch 'origin/centos' into jppcentos 2023-07-03 15:46:30 -04:00
m0duspwnens
df0e19ff80 update-alternatives for python3.10 2023-07-03 15:44:51 -04:00
Mike Reeves
d22d864ba6 Add some Ubuntu 2023-07-03 15:23:56 -04:00
Mike Reeves
898b352af9 Add some Ubuntu 2023-07-03 15:16:12 -04:00
Mike Reeves
76a8e315b7 Add some Ubuntu 2023-07-03 15:12:56 -04:00
Mike Reeves
edaf695463 Add some Ubuntu 2023-07-03 15:12:55 -04:00
Mike Reeves
53fcac4a02 Add some Ubuntu 2023-07-03 15:12:55 -04:00
Mike Reeves
44054ba95f Add some Ubuntu 2023-07-03 15:12:54 -04:00
Mike Reeves
10aa77977e Add some Ubuntu 2023-07-03 15:12:54 -04:00
Mike Reeves
8e90658856 Add some Ubuntu 2023-07-03 15:12:54 -04:00
Mike Reeves
965d0543f4 Add some Ubuntu 2023-07-03 15:12:53 -04:00
Mike Reeves
e353855855 Add some Ubuntu 2023-07-03 15:12:53 -04:00
Mike Reeves
c54217a8cb Add some Ubuntu 2023-07-03 15:12:52 -04:00
Mike Reeves
710b3bac3d fix repo state 2023-07-03 15:12:52 -04:00
Mike Reeves
8a90579df7 fix repo state 2023-07-03 15:12:51 -04:00
Mike Reeves
39c8766914 fix repo state 2023-07-03 15:12:51 -04:00
Mike Reeves
694ea743cc add more OS logic 2023-07-03 15:12:51 -04:00
Mike Reeves
3d9e7d1e97 add fuse 2023-07-03 15:12:50 -04:00
Mike Reeves
ca71c00f1c add fuse 2023-07-03 15:12:50 -04:00
Mike Reeves
2f2394dca2 add OS logic 2023-07-03 15:12:49 -04:00
Mike Reeves
fee4c20912 add OS logic 2023-07-03 15:12:49 -04:00
Mike Reeves
03342fd477 Add more packages 2023-07-03 15:12:49 -04:00
Mike Reeves
6dbff3b9df Add more packages 2023-07-03 15:12:48 -04:00
Mike Reeves
2f375b89a8 Add more packages 2023-07-03 15:12:48 -04:00
Mike Reeves
f67ac80c56 Add more packages 2023-07-03 15:12:47 -04:00
Mike Reeves
b06a35099f Add more packages 2023-07-03 15:12:47 -04:00
Mike Reeves
087099b9b6 Fix keys 2023-07-03 15:12:47 -04:00
Mike Reeves
04fe2ca996 Fix gpg things 2023-07-03 15:12:46 -04:00
Mike Reeves
bdb5748b44 Fix whiptail logic 2023-07-03 15:12:46 -04:00
Mike Reeves
1cbe5580a6 Fix whiptail logic 2023-07-03 15:12:45 -04:00
Mike Reeves
b57674a7cc Fix syntax error 2023-07-03 15:12:45 -04:00
Mike Reeves
53bd7bcc29 Initial Support 2023-07-03 15:12:45 -04:00
Mike Reeves
6787b97c6a Initial Support 2023-07-03 15:12:44 -04:00
m0duspwnens
0d43f9aaf4 add repo noninteractively 2023-07-03 14:23:24 -04:00
Mike Reeves
40540f47bf Add some Ubuntu 2023-07-03 13:51:01 -04:00
Mike Reeves
24e05c9491 Add some Ubuntu 2023-07-03 13:45:04 -04:00
Mike Reeves
02c9465dfb Add some Ubuntu 2023-07-03 12:30:53 -04:00
Mike Reeves
a4d484ea47 Add some Ubuntu 2023-07-03 12:00:57 -04:00
Mike Reeves
c9d650f4c8 Add some Ubuntu 2023-07-03 11:59:07 -04:00
Mike Reeves
ed1d2d0a8b Add some Ubuntu 2023-07-03 10:06:16 -04:00
Mike Reeves
903de330c2 Add some Ubuntu 2023-07-03 09:49:24 -04:00
Mike Reeves
8621352701 Add some Ubuntu 2023-07-03 09:38:23 -04:00
Mike Reeves
564ab105ba Add some Ubuntu 2023-07-02 09:34:14 -04:00
Mike Reeves
b637e27c8d Merge branch '2.4/dev' of github.com:Security-Onion-Solutions/securityonion into centos 2023-07-02 09:13:06 -04:00
Mike Reeves
34ab949dfc fix repo state 2023-06-29 08:56:38 -04:00
Mike Reeves
59191008a0 fix repo state 2023-06-29 08:55:00 -04:00
Mike Reeves
17a04a75c9 fix repo state 2023-06-29 08:53:00 -04:00
Mike Reeves
884d669ae9 add more OS logic 2023-06-29 08:48:46 -04:00
Mike Reeves
8a88b16b9e add fuse 2023-06-28 16:16:59 -04:00
Mike Reeves
6545ae588d add fuse 2023-06-28 16:10:23 -04:00
Mike Reeves
5ab54fcfc5 add OS logic 2023-06-28 16:02:25 -04:00
Mike Reeves
ae4befe377 add OS logic 2023-06-28 15:57:43 -04:00
Mike Reeves
0c320e3501 Add more packages 2023-06-28 15:46:29 -04:00
Mike Reeves
933f4fa6c8 Add more packages 2023-06-28 15:45:32 -04:00
Mike Reeves
d80c88f613 Add more packages 2023-06-28 15:43:56 -04:00
Mike Reeves
6d2e851a43 Add more packages 2023-06-28 15:36:51 -04:00
Mike Reeves
209aae50bc Add more packages 2023-06-28 15:32:01 -04:00
Mike Reeves
6fc988740d Fix keys 2023-06-28 13:46:25 -04:00
Mike Reeves
387ce22385 Fix gpg things 2023-06-27 13:57:53 -04:00
Mike Reeves
cc3c28135d Fix whiptail logic 2023-06-27 12:53:18 -04:00
Mike Reeves
6b6724afcf Fix whiptail logic 2023-06-27 12:52:53 -04:00
Mike Reeves
c37a179a3c Fix syntax error 2023-06-27 12:46:13 -04:00
Mike Reeves
d519369c6f Initial Support 2023-06-26 19:22:33 -04:00
Mike Reeves
883d9560a0 Initial Support 2023-06-26 19:20:40 -04:00
190 changed files with 6589 additions and 29165 deletions
Expand all files Collapse all files

20
DOWNLOAD_AND_VERIFY_ISO.md
View File

@@ -1,18 +1,18 @@
### 2.4.3-20230711 ISO image built on 2023/07/11
### 2.4.4-20230728 ISO image built on 2023/07/28
### Download and Verify
2.4.3-20230711 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
2.4.4-20230728 ISO image:
https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
MD5: F481ED39E02A5AF05EB50D319D97A6C7
SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6
SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0
MD5: F63E76245F3E745B5BDE9E6E647A7CB6
SHA1: 6CE4E4A3399CD282D4F8592FB19D510388AB3EEA
SHA256: BF8FEB91B1D94B67C3D4A79D209B068F4A46FEC7C15EEF65B0FCE9851D7E6C9F
Signature for ISO image:
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
Signing key:
https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS
@@ -26,17 +26,17 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
Download the signature file for the ISO:
```
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.4-20230728.iso.sig
```
Download the ISO image:
```
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
wget https://download.securityonion.net/file/securityonion/securityonion-2.4.4-20230728.iso
```
Verify the downloaded ISO image using the signature file:
```
gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso
gpg --verify securityonion-2.4.4-20230728.iso.sig securityonion-2.4.4-20230728.iso
```
The output should show "Good signature" and the Primary key fingerprint should match what's shown below:

4
README.md
View File

@@ -1,6 +1,6 @@
## Security Onion 2.4 Beta 4
## Security Onion 2.4 Release Candidate 1 (RC1)
Security Onion 2.4 Beta 4 is here!
Security Onion 2.4 Release Candidate 1 (RC1) is here!
## Screenshots

2
VERSION
View File

@@ -1 +1 @@
2.4.3
2.4.4

6
salt/_modules/needs_restarting.py
View File

@@ -3,14 +3,14 @@ import subprocess
def check():
os = __grains__['os']
osfam = __grains__['os_family']
retval = 'False'
if os == 'Ubuntu':
if osfam == 'Debian':
if path.exists('/var/run/reboot-required'):
retval = 'True'
elif os == 'Rocky':
elif osfam == 'RedHat':
cmd = 'needs-restarting -r > /dev/null 2>&1'
try:

6
salt/common/files/daemon.json
View File

@@ -1,13 +1,11 @@
{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
{
"registry-mirrors": [
"https://:5000"
],
"bip": "{{ DOCKERBIND }}",
"bip": "172.17.0.1/24",
"default-address-pools": [
{
"base": "{{ DOCKERRANGE }}",
"base": "172.17.0.0/24",
"size": 24
}
]

5
salt/common/init.sls
View File

@@ -195,7 +195,7 @@ soversionfile:
{% endif %}
{% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
# Install Raid tools
raidpkgs:
pkg.installed:
@@ -217,8 +217,7 @@ so-raid-status:
- month: '*'
- dayweek: '*'
{% endif %}
{% endif %}
{% else %}
{{sls}}_state_not_allowed:

59
salt/common/packages.sls
View File

@@ -1,6 +1,6 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os == 'Ubuntu' %}
{% if GLOBALS.os_family == 'Debian' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
@@ -14,16 +14,24 @@ commonpkgs:
- software-properties-common
- apt-transport-https
- openssl
- netcat
- netcat-openbsd
- sqlite3
- libssl-dev
- python3-dateutil
- python3-docker
- python3-packaging
- python3-watchdog
- python3-lxml
- git
- rsync
- vim
- tar
- unzip
{% if grains.oscodename != 'focal' %}
- python3-rich
{% endif %}
{% if grains.oscodename == 'focal' %}
# since Ubuntu requires and internet connection we can use pip to install modules
python3-pip:
pkg.installed
@@ -34,34 +42,45 @@ python-rich:
- target: /usr/local/lib/python3.8/dist-packages/
- require:
- pkg: python3-pip
{% endif %}
{% endif %}
{% elif GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os_family == 'RedHat' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- wget
- jq
- tcpdump
- httpd-tools
- net-tools
- curl
- sqlite
- mariadb-devel
- python3-dnf-plugin-versionlock
- nmap-ncat
- yum-utils
- device-mapper-persistent-data
- lvm2
- openssl
- fuse
- fuse-libs
- fuse-overlayfs
- fuse-common
- fuse3
- fuse3-libs
- git
- httpd-tools
- jq
- lvm2
{% if GLOBALS.os == 'CentOS Stream' %}
- MariaDB-devel
{% else %}
- mariadb-devel
{% endif %}
- net-tools
- nmap-ncat
- openssl
- python3-dnf-plugin-versionlock
- python3-docker
- python3-m2crypto
- rsync
- python3-rich
- python3-pyyaml
- python3-watchdog
- python3-packaging
- python3-pyyaml
- python3-rich
- python3-watchdog
- rsync
- sqlite
- tcpdump
- unzip
- wget
- yum-utils
{% endif %}

38
salt/common/tools/sbin/so-common
View File

@@ -199,19 +199,20 @@ get_random_value() {
}
gpg_rpm_import() {
if [[ "$OS" == "rocky" ]]; then
if [[ $is_oracle ]]; then
if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
else
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
fi
RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
for RPMKEY in "${RPMKEYS[@]}"; do
RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
for RPMKEY in "${RPMKEYS[@]}"; do
rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY"
done
elif [[ $is_rpm ]]; then
info "Importing the security onion GPG key"
rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
fi
}
@@ -395,19 +396,22 @@ salt_minion_count() {
}
set_cron_service_name() {
if [[ "$OS" == "rocky" ]]; then
cron_service_name="crond"
else
cron_service_name="cron"
fi
}
set_os() {
if [ -f /etc/redhat-release ]; then
OS=rocky
if grep -q "Rocky Linux release 9" /etc/redhat-release; then
OS=rocky
OSVER=9
is_rocky=true
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos
OSVER=9
is_centos=true
fi
cron_service_name="crond"
else
OS=ubuntu
is_ubuntu=true
cron_service_name="cron"
fi
}
@@ -416,7 +420,7 @@ set_minionid() {
}
set_palette() {
if [ "$OS" == ubuntu ]; then
if [[ $is_deb ]]; then
update-alternatives --set newt-palette /etc/newt/palette.original
fi
}

528
salt/desktop/packages.sls
View File

@@ -1,170 +1,280 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
desktop_packages:
pkg.installed:
- pkgs:
- ModemManager
- ModemManager-glib
- NetworkManager
- NetworkManager-adsl
- NetworkManager-bluetooth
- NetworkManager-l2tp-gnome
- NetworkManager-libreswan-gnome
- NetworkManager-openconnect-gnome
- NetworkManager-openvpn-gnome
- NetworkManager-ppp
- NetworkManager-pptp-gnome
- NetworkManager-config-server
- NetworkManager-libnm
- NetworkManager-team
- NetworkManager-tui
- NetworkManager-wifi
- NetworkManager-wwan
- PackageKit
- PackageKit-command-not-found
- PackageKit-glib
- PackageKit-gstreamer-plugin
- aajohan-comfortaa-fonts
- abattis-cantarell-fonts
- acl
- alsa-ucm
- alsa-utils
- anaconda
- anaconda-install-env-deps
- anaconda-live
- at
- attr
- PackageKit-gtk3-module
- audit
- audit-libs
- authselect
- authselect-libs
- avahi
- avahi-glib
- avahi-libs
- baobab
- basesystem
- bash
- bash-completion
- bc
- blktrace
- bcache-tools
- bluez
- bluez-libs
- bluez-obexd
- bolt
- bpftool
- bzip2
- bzip2-libs
- c-ares
- ca-certificates
- cairo
- cairo-gobject
- cairomm
- checkpolicy
- chkconfig
- chrome-gnome-shell
- chromium
- chrony
- cinnamon
- cinnamon-control-center
- cinnamon-screensaver
- cockpit
- coreutils
- cpio
- cronie
- crontabs
- crypto-policies
- crypto-policies-scripts
- cryptsetup
- curl
- cyrus-sasl-plain
- dbus
- clutter
- clutter-gst3
- clutter-gtk
- cogl
- color-filesystem
- colord
- colord-gtk
- colord-libs
- conmon
- cups
- cups-client
- cups-filesystem
- cups-filters
- cups-filters-libs
- cups-ipptool
- cups-libs
- cups-pk-helper
- dconf
- dejavu-sans-fonts
- dejavu-sans-mono-fonts
- dejavu-serif-fonts
- dnf
- dnf-plugins-core
- dos2unix
- dosfstools
- dracut-config-rescue
- dracut-live
- desktop-file-utils
- dsniff
- e2fsprogs
- ed
- efi-filesystem
- efibootmgr
- efivar-libs
- eom
- ethtool
- f36-backgrounds-extras-gnome
- f36-backgrounds-gnome
- f37-backgrounds-extras-gnome
- f37-backgrounds-gnome
- evolution-data-server
- evolution-data-server-langpacks
- file
- filesystem
- firewall-config
- firewalld
- fprintd-pam
- git
- glibc
- glibc-all-langpacks
- flac-libs
- flashrom
- flatpak
- flatpak-libs
- flatpak-selinux
- flatpak-session-helper
- fontconfig
- fonts-filesystem
- foomatic
- foomatic-db
- foomatic-db-filesystem
- foomatic-db-ppds
- freetype
- fuse
- fuse-common
- fuse-libs
- fuse-overlayfs
- fuse3
- fuse3-libs
- fwupd
- fwupd-plugin-flashrom
- gcr
- gcr-base
- gd
- gdbm-libs
- gdisk
- gdk-pixbuf2
- gdk-pixbuf2-modules
- gdm
- gedit
- geoclue2
- geoclue2-libs
- geocode-glib
- gettext
- gettext-libs
- ghostscript
- ghostscript-tools-fonts
- ghostscript-tools-printing
- giflib
- glx-utils
- gmp
- gnome-autoar
- gnome-bluetooth
- gnome-bluetooth-libs
- gnome-calculator
- gnome-characters
- gnome-classic-session
- gnome-color-manager
- gnome-control-center
- gnome-control-center-filesystem
- gnome-desktop3
- gnome-disk-utility
- gnome-font-viewer
- gnome-initial-setup
- gnome-keyring
- gnome-keyring-pam
- gnome-logs
- gnome-menus
- gnome-online-accounts
- gnome-remote-desktop
- gnome-screenshot
- gnome-session
- gnome-session-wayland-session
- gnome-session-xsession
- gnome-settings-daemon
- gnome-shell
- gnome-shell-extension-apps-menu
- gnome-shell-extension-background-logo
- gnome-shell-extension-common
- gnome-shell-extension-desktop-icons
- gnome-shell-extension-launch-new-instance
- gnome-shell-extension-places-menu
- gnome-shell-extension-window-list
- gnome-software
- gnome-system-monitor
- gnome-terminal
- gnupg2
- gnome-terminal-nautilus
- gnome-tour
- gnome-user-docs
- gnome-video-effects
- gobject-introspection
- gom
- google-droid-sans-fonts
- google-noto-cjk-fonts-common
- google-noto-emoji-color-fonts
- google-noto-fonts-common
- google-noto-sans-cjk-ttc-fonts
- google-noto-sans-gurmukhi-fonts
- google-noto-sans-sinhala-vf-fonts
- google-noto-serif-cjk-ttc-fonts
- grub2-common
- grub2-pc-modules
- grub2-tools
- grub2-tools-efi
- grub2-tools-extra
- grub2-tools-minimal
- grubby
- gpgme
- gpm-libs
- graphene
- graphite2
- gsettings-desktop-schemas
- gsm
- gsound
- gspell
- gstreamer1
- gstreamer1-plugins-bad-free
- gstreamer1-plugins-base
- gstreamer1-plugins-good
- gstreamer1-plugins-good-gtk
- gstreamer1-plugins-ugly-free
- gtk-update-icon-cache
- gtk3
- gtk4
- gtkmm30
- gtksourceview4
- gutenprint
- gutenprint-cups
- gutenprint-doc
- gutenprint-libs
- gvfs
- gvfs-client
- gvfs-fuse
- gvfs-goa
- gvfs-gphoto2
- gvfs-mtp
- gvfs-smb
- hostname
- hyperv-daemons
- ibus-anthy
- ibus-hangul
- ibus-libpinyin
- ibus-libzhuyin
- ibus-m17n
- ibus-typing-booster
- imsettings-systemd
- initial-setup-gui
- initscripts
- gzip
- harfbuzz
- harfbuzz-icu
- hdparm
- hicolor-icon-theme
- highcontrast-icon-theme
- hplip-common
- hplip-libs
- hunspell
- hunspell-en
- hunspell-en-GB
- hunspell-en-US
- hunspell-filesystem
- hyphen
- ibus
- ibus-gtk3
- ibus-libs
- ibus-setup
- iio-sensor-proxy
- ima-evm-utils
- inih
- initscripts-rename-device
- iproute
- iproute-tc
- iprutils
- iputils
- irqbalance
- iwl100-firmware
- iwl1000-firmware
- iwl105-firmware
- iwl135-firmware
- iwl2000-firmware
- iwl2030-firmware
- iwl3160-firmware
- iwl5000-firmware
- iwl5150-firmware
- iwl6000g2a-firmware
- iwl6000g2b-firmware
- iwl6050-firmware
- iwl7260-firmware
- initscripts-service
- iso-codes
- jansson
- jbig2dec-libs
- jbigkit-libs
- jomolhari-fonts
- jose
- jq
- json-c
- json-glib
- julietaula-montserrat-fonts
- kbd
- kernel
- kernel-modules
- kernel-modules-extra
- kernel-tools
- kexec-tools
- kbd-misc
- khmer-os-system-fonts
- kmod-kvdo
- kpatch
- kpatch-dnf
- ledmon
- less
- langpacks-core-en
- langpacks-core-font-en
- langpacks-en
- lcms2
- libICE
- libSM
- libX11
- libX11-common
- libX11-xcb
- libXau
- libXcomposite
- libXcursor
- libXdamage
- libXdmcp
- libXext
- libXfixes
- libXfont2
- libXft
- libXi
- libXinerama
- libXmu
- libXpm
- libXrandr
- libXrender
- libXres
- libXt
- libXtst
- libXv
- libXxf86dga
- libXxf86vm
- libappstream-glib
- liberation-fonts-common
- liberation-mono-fonts
- liberation-sans-fonts
- liberation-serif-fonts
- libertas-sd8787-firmware
- libstoragemgmt
- libsysfs
- lightdm
- linux-firmware
- logrotate
- libglvnd-gles
- libglvnd-glx
- libglvnd-opengl
- libgnomekbd
- libgomp
- libgphoto2
- lockdev
- lohit-assamese-fonts
- lohit-bengali-fonts
- lohit-devanagari-fonts
@@ -175,136 +285,158 @@ desktop_packages:
- lohit-telugu-fonts
- lshw
- lsof
- lsscsi
- lvm2
- mailcap
- man-db
- man-pages
- mcelog
- mdadm
- memtest86+
- metacity
- mesa-dri-drivers
- mesa-filesystem
- mesa-libEGL
- mesa-libGL
- mesa-libgbm
- mesa-libglapi
- mesa-libxatracker
- mesa-vulkan-drivers
- microcode_ctl
- mlocate
- mobile-broadband-provider-info
- mpfr
- mpg123-libs
- mtdev
- mtr
- nano
- ncurses
- nemo-fileroller
- nemo-image-converter
- nemo-preview
- nautilus
- nautilus-extensions
- net-tools
- netronome-firmware
- ngrep
- nm-connection-editor
- nmap-ncat
- nvme-cli
- open-vm-tools-desktop
- openssh-clients
- openssh-server
- p11-kit
- paktype-naskh-basic-fonts
- parole
- parted
- passwd
- oracle-backgrounds
- oracle-indexhtml
- oracle-logos
- pcaudiolib
- pciutils
- pinentry
- pinentry-gnome3
- pinfo
- pipewire
- pipewire-alsa
- pipewire-gstreamer
- pipewire-jack-audio-connection-kit
- pipewire-libs
- pipewire-pulseaudio
- pipewire-utils
- pixman
- plymouth
- plymouth-core-libs
- plymouth-graphics-libs
- plymouth-plugin-label
- plymouth-plugin-two-step
- plymouth-scripts
- plymouth-system-theme
- plymouth-theme-spinner
- policycoreutils
- powerline
- ppp
- prefixdevname
- procps-ng
- psacct
- policycoreutils-python-utils
- pt-sans-fonts
- python3-libselinux
- python3-scapy
- qemu-guest-agent
- quota
- realmd
- redshift-gtk
- rocky-backgrounds
- rocky-release
- rootfiles
- rpm
- rpm-plugin-audit
- rsync
- rsyslog
- rsyslog-gnutls
- rsyslog-gssapi
- rsyslog-relp
- salt-minion
- pulseaudio-libs
- pulseaudio-libs-glib2
- pulseaudio-utils
- sane-airscan
- sane-backends
- sane-backends-drivers-cameras
- sane-backends-drivers-scanners
- selinux-policy-targeted
- setroubleshoot
- setup
- sg3_utils
- sg3_utils-libs
- shadow-utils
- sane-backends-libs
- sil-abyssinica-fonts
- sil-nuosu-fonts
- sil-padauk-fonts
- slick-greeter
- slick-greeter-cinnamon
- smartmontools
- smc-meera-fonts
- sos
- snappy
- sound-theme-freedesktop
- soundtouch
- speech-dispatcher
- speech-dispatcher-espeak-ng
- speex
- spice-vdagent
- ssldump
- sssd
- sssd-common
- sssd-kcm
- stix-fonts
- strace
- sudo
- switcheroo-control
- symlinks
- syslinux
- systemd
- systemd-udev
- tar
- system-config-printer-libs
- system-config-printer-udev
- taglib
- tcpdump
- tcpflow
- teamd
- thai-scalable-fonts-common
- thai-scalable-waree-fonts
- time
- tmux
- tmux-powerline
- transmission
- totem
- totem-pl-parser
- totem-video-thumbnailer
- tpm2-tools
- tpm2-tss
- tracer-common
- tracker
- tracker-miners
- tree
- tuned
- twolame-libs
- tzdata
- udisks2
- udisks2-iscsi
- udisks2-lvm2
- unzip
- upower
- urw-base35-bookman-fonts
- urw-base35-c059-fonts
- urw-base35-d050000l-fonts
- urw-base35-fonts
- urw-base35-fonts-common
- urw-base35-gothic-fonts
- urw-base35-nimbus-mono-ps-fonts
- urw-base35-nimbus-roman-fonts
- urw-base35-nimbus-sans-fonts
- urw-base35-p052-fonts
- urw-base35-standard-symbols-ps-fonts
- urw-base35-z003-fonts
- usb_modeswitch
- usb_modeswitch-data
- usbutils
- util-linux
- util-linux-user
- usermode
- userspace-rcu
- vdo
- vim-enhanced
- vim-minimal
- vim-powerline
- virt-what
- wget
- vulkan-loader
- wavpack
- webkit2gtk3
- webkit2gtk3-jsc
- webrtc-audio-processing
- whois
- which
- wireless-regdb
- wireplumber
- wireplumber-libs
- wireshark
- woff2
- words
- wpa_supplicant
- wpebackend-fdo
- xdg-dbus-proxy
- xdg-desktop-portal
- xdg-desktop-portal-gnome
- xdg-desktop-portal-gtk
- xdg-user-dirs
- xdg-user-dirs-gtk
- xed
- xfsdump
- xfsprogs
- xreader
- yum
- xdg-utils
- xkeyboard-config
- xorg-x11-drv-evdev
- xorg-x11-drv-fbdev
- xorg-x11-drv-libinput
- xorg-x11-drv-vmware
- xorg-x11-drv-wacom
- xorg-x11-drv-wacom-serial-support
- xorg-x11-server-Xorg
- xorg-x11-server-Xwayland
- xorg-x11-server-common
- xorg-x11-server-utils
- xorg-x11-utils
- xorg-x11-xauth
- xorg-x11-xinit
- xorg-x11-xinit-session
- zip
{% else %}
desktop_packages_os_fail:
test.fail_without_changes:
- comment: 'SO desktop can only be installed on Rocky'
- comment: 'SO desktop can only be installed on Oracle Linux'
{% endif %}

4
salt/desktop/remove_gui.sls
View File

@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
remove_graphical_target:
file.symlink:
@@ -12,6 +12,6 @@ remove_graphical_target:
{% else %}
desktop_trusted-ca_os_fail:
test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky'
- comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %}

2
salt/desktop/trusted-ca.sls
View File

@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
{% set global_ca_text = [] %}
{% set global_ca_server = [] %}

4
salt/desktop/xwindows.sls
View File

@@ -1,7 +1,7 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{# we only want this state to run it is CentOS #}
{% if GLOBALS.os == 'Rocky' %}
{% if GLOBALS.os == 'OEL' %}
include:
- desktop.packages
@@ -18,6 +18,6 @@ graphical_target:
desktop_xwindows_os_fail:
test.fail_without_changes:
- comment: 'SO Desktop can only be installed on Rocky'
- comment: 'SO Desktop can only be installed on Oracle Linux'
{% endif %}

8
salt/docker/defaults.yaml
View File

@@ -1,8 +1,6 @@
docker:
bip: '172.17.0.1'
range: '172.17.0.0/24'
sorange: '172.17.1.0/24'
sobip: '172.17.1.1'
range: '172.17.1.0/24'
gateway: '172.17.1.1'
containers:
'so-dockerregistry':
final_octet: 20
@@ -202,4 +200,4 @@ docker:
final_octet: 99
custom_bind_mounts: []
extra_hosts: []
extra_env: []
extra_env: []

2
salt/docker/docker.map.jinja
View File

@@ -1,6 +1,6 @@
{% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
{% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
{% set RANGESPLIT = DOCKER.sorange.split('.') %}
{% set RANGESPLIT = DOCKER.range.split('.') %}
{% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
{% for container, vals in DOCKER.containers.items() %}

34
salt/docker/init.sls
View File

@@ -12,7 +12,28 @@ dockergroup:
- name: docker
- gid: 920
{% if GLOBALS.os == 'Ubuntu' %}
{% if GLOBALS.os_family == 'Debian' %}
{% if grains.oscodename == 'bookworm' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.6.21-1
- docker-ce: 5:24.0.3-1~debian.12~bookworm
- docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
- hold: True
- update_holds: True
{% elif grains.oscodename == 'jammy' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.6.21-1
- docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
- hold: True
- update_holds: True
{% else %}
dockerheldpackages:
pkg.installed:
- pkgs:
@@ -22,14 +43,15 @@ dockerheldpackages:
- docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
- hold: True
- update_holds: True
{% endif %}
{% else %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.6.21-3.1.el9
- docker-ce: 24.0.2-1.el9
- docker-ce-cli: 24.0.2-1.el9
- docker-ce-rootless-extras: 24.0.2-1.el9
- docker-ce: 24.0.4-1.el9
- docker-ce-cli: 24.0.4-1.el9
- docker-ce-rootless-extras: 24.0.4-1.el9
- hold: True
- update_holds: True
{% endif %}
@@ -80,8 +102,8 @@ dockerreserveports:
sos_docker_net:
docker_network.present:
- name: sobridge
- subnet: {{ DOCKER.sorange }}
- gateway: {{ DOCKER.sobip }}
- subnet: {{ DOCKER.range }}
- gateway: {{ DOCKER.gateway }}
- options:
com.docker.network.bridge.name: 'sobridge'
com.docker.network.driver.mtu: '1500'

14
salt/docker/soc_docker.yaml
View File

@@ -1,20 +1,12 @@
docker:
bip:
description: Bind IP for the default docker interface.
gateway:
description: Gateway for the default docker interface.
helpLink: docker.html
advanced: True
range:
description: Default docker IP range for containers.
helpLink: docker.html
advanced: True
sobip:
description: Bind IP for the SO docker interface.
helpLink: docker.html
advanced: True
sorange:
description: IP range for the SO docker containers.
helpLink: docker.html
advanced: True
containers:
so-curator: &dockerOptions
final_octet:
@@ -68,4 +60,4 @@ docker:
so-strelka-filestream: *dockerOptions
so-strelka-frontend: *dockerOptions
so-strelka-gatekeeper: *dockerOptions
so-strelka-manager: *dockerOptions
so-strelka-manager: *dockerOptions

10
salt/elasticagent/config.sls
View File

@@ -28,6 +28,15 @@ elasticagentconfdir:
- group: 939
- makedirs: True
elasticagent_sbin_jinja:
file.recurse:
- name: /usr/sbin
- source: salt://elasticagent/tools/sbin_jinja
- user: 949
- group: 939
- file_mode: 755
- template: jinja
# Create config
create-elastic-agent-config:
file.managed:
@@ -37,7 +46,6 @@ create-elastic-agent-config:
- group: 939
- template: jinja
{% else %}
{{sls}}_state_not_allowed:

7
salt/elasticagent/enabled.sls
View File

@@ -33,19 +33,22 @@ so-elastic-agent:
{% endif %}
- binds:
- /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
- /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
- /nsm:/nsm:ro
{% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
- {{ BIND }}
{% endfor %}
{% endif %}
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
- environment:
- FLEET_CA=/etc/pki/tls/certs/intca.crt
{% if DOCKER.containers['so-elastic-agent'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
- {{ XTRAENV }}
{% endfor %}
{% endif %}
- watch:
- file: create-elastic-agent-config
delete_so-elastic-agent_so-status.disabled:
file.uncomment:

2
salt/elasticagent/files/elastic-agent.yml.jinja
View File

@@ -11,7 +11,7 @@ outputs:
- 'https://{{ GLOBALS.hostname }}:9200'
username: '{{ ES_USER }}'
password: '{{ ES_PASS }}'
ssl.verification_mode: none
ssl.verification_mode: full
output_permissions: {}
agent:
download:

16
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
{% else %}
/bin/elastic-agent inspect
{% endif %}

9
salt/elasticagent/tools/sbin/so-elastic-agent-restart → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart
View File

@@ -5,6 +5,13 @@
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
/usr/sbin/so-restart elastic-agent $1
{% if grains.role == 'so-heavynode' %}
/usr/sbin/so-stop elastic-agent $1
/usr/sbin/so-start elasticagent $1
{% else %}
service elastic-agent restart
{% endif %}

7
salt/elasticagent/tools/sbin/so-elastic-agent-start → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start
View File

@@ -9,4 +9,9 @@
. /usr/sbin/so-common
/usr/sbin/so-start elastic-agent $1
{% if grains.role == 'so-heavynode' %}
/usr/sbin/so-start elasticagent $1
{% else %}
service elastic-agent start
{% endif %}

17
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
{% else %}
/bin/elastic-agent status
{% endif %}

5
salt/elasticagent/tools/sbin/so-elastic-agent-stop → salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop
View File

@@ -9,4 +9,9 @@
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
/usr/sbin/so-stop elastic-agent $1
{% else %}
service elastic-agent stop
{% endif %}

17
salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
{% else %}
/bin/elastic-agent version
{% endif %}

7
salt/elasticfleet/config.sls
View File

@@ -45,6 +45,13 @@ eaconfdir:
- group: 939
- makedirs: True
ealogdir:
file.directory:
- name: /opt/so/log/elasticfleet
- user: 947
- group: 939
- makedirs: True
eastatedir:
file.directory:
- name: /opt/so/conf/elastic-fleet/state

1
salt/elasticfleet/defaults.yaml
View File

@@ -28,6 +28,7 @@ elasticfleet:
- aws
- azure
- cloudflare
- endpoint
- fim
- github
- google_workspace

33
salt/elasticfleet/enabled.sls
View File

@@ -16,14 +16,25 @@ include:
- elasticfleet.config
- elasticfleet.sostatus
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %}
# If enabled, automatically update Fleet Logstash Outputs
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
so-elastic-fleet-auto-configure-logstash-outputs:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-outputs-update
{% endif %}
#so-elastic-fleet-auto-configure-server-urls:
# cmd.run:
# - name: /usr/sbin/so-elastic-fleet-urls-update
# If enabled, automatically update Fleet Server URLs & ES Connection
{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
so-elastic-fleet-auto-configure-server-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-urls-update
{% endif %}
# Automatically update Fleet Server Elasticsearch URLs
{% if grains.role not in ['so-fleet'] %}
so-elastic-fleet-auto-configure-elasticsearch-urls:
cmd.run:
- name: /usr/sbin/so-elastic-fleet-es-url-update
{% endif %}
{% if SERVICETOKEN != '' %}
@@ -51,7 +62,11 @@ so-elastic-fleet:
{% endfor %}
- binds:
- /etc/pki:/etc/pki:ro
{% if GLOBALS.os_family == 'Debian' %}
- /etc/ssl:/etc/ssl:ro
{% endif %}
#- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
- /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs
{% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
{% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
- {{ BIND }}
@@ -59,14 +74,20 @@ so-elastic-fleet:
{% endif %}
- environment:
- FLEET_SERVER_ENABLE=true
- FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
- FLEET_URL=https://{{ GLOBALS.hostname }}:8220
- FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
- FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
- FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
- FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
{% if GLOBALS.os_family == 'Debian' %}
- FLEET_CA=/etc/ssl/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
{% else %}
- FLEET_CA=/etc/pki/tls/certs/intca.crt
- FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
{% endif %}
- LOGS_PATH=logs
{% if DOCKER.containers['so-elastic-fleet'].extra_env %}
{% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
- {{ XTRAENV }}

38
salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json
View File

@@ -13,9 +13,14 @@
"system.auth": {
"enabled": true,
"vars": {
"ignore_older": "72h",
"paths": [
"/var/log/auth.log*",
"/var/log/secure*"
],
"preserve_original_event": false,
"tags": [
"system-auth"
]
}
},
@@ -24,34 +29,49 @@
"vars": {
"paths": [
"/var/log/messages*",
"/var/log/syslog*"
]
"/var/log/syslog*",
"/var/log/system*"
],
"tags": [],
"ignore_older": "72h"
}
}
}
},
"system-winlog": {
"enabled": true,
"vars": {
"preserve_original_event": false
},
"streams": {
"system.application": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
},
"system.security": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
},
"system.system": {
"enabled": true,
"vars": {
"preserve_original_event": false,
"ignore_older": "72h",
"language": 0,
"tags": []
}
}
}
},
"system-system/metrics": {
"enabled": false
}
},
"system-system/metrics": {
"enabled": false
}
}
}

2
salt/elasticfleet/install_agent_grid.sls
View File

@@ -14,12 +14,14 @@ run_installer:
- name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
- cwd: /opt/so
- args: -token={{ GRIDNODETOKENGENERAL }}
- retry: True
{% else %}
run_installer:
cmd.script:
- name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
- cwd: /opt/so
- args: -token={{ GRIDNODETOKENHEAVY }}
- retry: True
{% endif %}
{% endif %}

4
salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load
View File

@@ -35,9 +35,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
else
printf "\n\nIntegration does not exist - Creating integration\n"
if [ "$NAME" != "elasticsearch-logs" ]; then
elastic_fleet_integration_create "@$INTEGRATION"
fi
elastic_fleet_integration_create "@$INTEGRATION"
fi
done
if [[ "$RETURN_CODE" != "1" ]]; then

16
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
{% else %}
/bin/elastic-agent inspect
{% endif %}

16
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart Executable file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent restart
{% else %}
service elastic-agent restart
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent start
{% else %}
service elastic-agent start
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
{% else %}
/bin/elastic-agent status
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent service elastic-agent stop
{% else %}
service elastic-agent stop
{% endif %}

17
salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version Executable file
View File

@@ -0,0 +1,17 @@
#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
. /usr/sbin/so-elastic-fleet-common
{% if grains.role == 'so-heavynode' %}
docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
{% else %}
/bin/elastic-agent version
{% endif %}

53
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update Normal file
View File

@@ -0,0 +1,53 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_es_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
# Update Fleet Elasticsearch URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
# Get current list of Fleet Elasticsearch URLs
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
if [ "$CHECKSUM" != "so-manager_elasticsearch" ]; then
printf "Failed to query for current Fleet Server Elasticsearch URLs..."
exit 1
fi
# Get the current list of Fleet Server Elasticsearch & hash them
CURRENT_LIST=$(jq -c -r '.item.hosts' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements
NEW_LIST=("https://{{ GLOBALS.hostname }}:9200")
# Sort & hash the new list of Fleet Elasticsearch URLs
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
exit 0
else
printf "\nHashes don't match - update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_es_urls
fi

12
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update
View File

@@ -4,6 +4,14 @@
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_logstash_outputs() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-logstash","type":"logstash","hosts": $UPDATEDLIST,"is_default":true,"is_default_monitoring":true,"config_yaml":""}')
@@ -27,10 +35,10 @@ CURRENT_LIST=$(jq -c -r '.item.hosts' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements
if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
NEW_LIST=("{{ GLOBALS.url_base }}:5055")
else
NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.manager_ip }}:5055")
NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
fi
{% if CUSTOMFQDN != "" %}

20
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup
View File

@@ -6,6 +6,12 @@
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% if GLOBALS.os_family == 'Debian' %}
INTCA=/etc/ssl/certs/intca.crt
{% else %}
INTCA=/etc/pki/tls/certs/intca.crt
{% endif %}
. /usr/sbin/so-elastic-fleet-common
printf "\n### Create ES Token ###\n"
@@ -13,7 +19,7 @@ ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5
### Create Outputs & Fleet URLs ###
printf "\nAdd Manager Elasticsearch Output...\n"
ESCACRT=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
ESCACRT=$(openssl x509 -in $INTCA)
JSON_STRING=$( jq -n \
--arg ESCACRT "$ESCACRT" \
'{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
@@ -22,9 +28,9 @@ printf "\n\n"
printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
{% if grains.role not in ['so-import', 'so-eval'] %}
LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-agent.crt)
LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-agent.key)
LOGSTASHCA=$(openssl x509 -in /etc/pki/tls/certs/intca.crt)
LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
LOGSTASHKEY=$(openssl rsa -in /etc/pki/elasticfleet-logstash.key)
LOGSTASHCA=$(openssl x509 -in $INTCA)
JSON_STRING=$( jq -n \
--arg LOGSTASHCRT "$LOGSTASHCRT" \
--arg LOGSTASHKEY "$LOGSTASHKEY" \
@@ -35,12 +41,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
printf "\n\n"
{%- endif %}
# Add Manager IP & URL Base to Fleet Host URLs
# Add Manager Hostname & URL Base to Fleet Host URLs
printf "\nAdd SO-Manager Fleet URL\n"
if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
else
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.hostname }}:8220"]}')
fi
## This array replaces whatever URLs are currently configured

74
salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update Normal file
View File

@@ -0,0 +1,74 @@
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
# this file except in compliance with the Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
. /usr/sbin/so-common
# Only run on Managers
if ! is_manager_node; then
printf "Not a Manager Node... Exiting"
exit 0
fi
function update_fleet_urls() {
# Generate updated JSON payload
JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-default","is_default":true,"host_urls": $UPDATEDLIST}')
# Update Fleet Server URLs
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/grid-default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
}
# Get current list of Fleet Server URLs
RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
# Check to make sure that the server responded with good data - else, bail from script
CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
if [ "$CHECKSUM" != "grid-default" ]; then
printf "Failed to query for current Fleet Server URLs..."
exit 1
fi
# Get the current list of Fleet Server URLs & hash them
CURRENT_LIST=$(jq -c -r '.item.host_urls' <<< "$RAW_JSON")
CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
# Create array & add initial elements
if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
NEW_LIST=("https://{{ GLOBALS.url_base }}:8220")
else
NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
fi
{% if CUSTOMFQDN != "" %}
# Add Custom Hostname to list
NEW_LIST+=("https://{{ CUSTOMFQDN }}:8220")
{% endif %}
# Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local')
# Query for Fleet Nodes & add them to the list (Hostname)
if grep -q "fleet" <<< $LOGSTASHNODES; then
readarray -t FLEETNODES < <(jq -r ' .fleet | keys_unsorted[]' <<< $LOGSTASHNODES)
for NODE in "${FLEETNODES[@]}"
do
NEW_LIST+=("https://$NODE:8220")
done
fi
# Sort & hash the new list of Fleet Server URLs
NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
# Compare the current & new list of URLs - if different, update the Fleet Server URLs
if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
printf "\nHashes match - no update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
exit 0
else
printf "\nHashes don't match - update needed.\n"
printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
update_fleet_urls
fi

394
salt/elasticsearch/defaults.yaml
View File

@@ -81,6 +81,8 @@ elasticsearch:
managed: true
composed_of:
- "so-data-streams-mappings"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
- "so-logs-mappings"
- "so-logs-settings"
priority: 225
@@ -1312,6 +1314,398 @@ elasticsearch:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.alerts:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.alerts-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.alerts@custom"
- "logs-endpoint.alerts@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.api:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.api-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.api@custom"
- "logs-endpoint.events.api@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.file:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.file-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.file@custom"
- "logs-endpoint.events.file@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.library:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.library-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.library@custom"
- "logs-endpoint.events.library@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.network:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.network-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.network@custom"
- "logs-endpoint.events.network@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.process:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.process-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.process@custom"
- "logs-endpoint.events.process@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.registry:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.registry-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.registry@custom"
- "logs-endpoint.events.registry@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-endpoint.events.security:
index_sorting: False
index_template:
index_patterns:
- "logs-endpoint.events.security-*"
template:
settings:
index:
number_of_replicas: 0
mapping:
total_fields:
limit: 5000
sort:
field: "@timestamp"
order: desc
composed_of:
- "event-mappings"
- "logs-endpoint.events.security@custom"
- "logs-endpoint.events.security@package"
- "so-fleet_globals-1"
- "so-fleet_agent_id_verification-1"
priority: 501
data_stream:
hidden: false
allow_custom_routing: false
policy:
phases:
hot:
min_age: 0ms
actions:
set_priority:
priority: 100
rollover:
max_age: 30d
max_primary_shard_size: 50gb
cold:
min_age: 30d
actions:
set_priority:
priority: 0
delete:
min_age: 365d
actions:
delete: {}
_meta:
package:
name: elastic_agent
managed_by: security_onion
managed: true
so-logs-elastic_agent.filebeat:
index_sorting: False
index_template:

8
salt/elasticsearch/files/ingest/.fleet_final_pipeline-1
View File

@@ -72,8 +72,12 @@
{ "set": { "ignore_failure": true, "field": "event.module", "value": "elastic_agent" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp" } },
{ "set": { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
{ "split": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}" } },
{ "gsub": { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
{ "append": { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}" } },
{ "set": { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
{ "set": { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
{ "set": { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
{ "remove": { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } }
],
"on_failure": [

3
salt/elasticsearch/files/ingest/strelka.file
View File

@@ -63,7 +63,8 @@
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69", "field": "event.severity", "value": 2, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89", "field": "event.severity", "value": 3, "override": true } },
{ "set": { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90", "field": "event.severity", "value": 4, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": 0.0, "override": true } },
{ "set": { "if": "ctx.scan?.entropy?.entropy == 0", "field": "scan.entropy.entropy", "value": "0.0", "override": true } },
{ "set": { "if": "ctx.scan?.pe?.image_version == 0", "field": "scan.pe.image_version", "value": "0.0", "override": true } },
{ "set": { "field": "observer.name", "value": "{{agent.name}}" }},
{ "convert" : { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
{ "remove": { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"], "ignore_missing": true } },

90
salt/elasticsearch/templates/component/ecs/agent.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"agent": {
@@ -52,69 +12,33 @@
"properties": {
"original": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

738
salt/elasticsearch/templates/component/ecs/aws.json
View File

File diff suppressed because it is too large Load Diff

954
salt/elasticsearch/templates/component/ecs/azure.json
View File

File diff suppressed because it is too large Load Diff

50
salt/elasticsearch/templates/component/ecs/base.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"@timestamp": {
@@ -57,15 +17,9 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}

1226
salt/elasticsearch/templates/component/ecs/cef.json
View File

File diff suppressed because it is too large Load Diff

2706
salt/elasticsearch/templates/component/ecs/checkpoint.json
View File

File diff suppressed because it is too large Load Diff

850
salt/elasticsearch/templates/component/ecs/cisco.json
View File

File diff suppressed because it is too large Load Diff

252
salt/elasticsearch/templates/component/ecs/client.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"client": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"as": {
"properties": {
@@ -66,12 +20,6 @@
"organization": {
"properties": {
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -84,118 +32,52 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -204,13 +86,7 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat": {
"properties": {
@@ -230,63 +106,27 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -294,75 +134,33 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -371,4 +169,4 @@
}
}
}
}
}

130
salt/elasticsearch/templates/component/ecs/cloud.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"cloud": {
@@ -52,57 +12,27 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"availability_zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"instance": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -110,13 +40,7 @@
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -124,57 +48,27 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"service": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -183,4 +77,4 @@
}
}
}
}
}

82
salt/elasticsearch/templates/component/ecs/container.json
View File

@@ -4,81 +4,23 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"container": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -87,27 +29,15 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"runtime": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

546
salt/elasticsearch/templates/component/ecs/cyberark.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"cyberarkpas": {
@@ -52,565 +12,241 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ca_properties": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cpm_disabled": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cpm_error_details": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cpm_status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"creation_method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"customer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"database": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"device_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dual_account_status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"group_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"in_process": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"last_fail_date": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"last_success_change": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"last_success_reconciliation": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"last_success_verification": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"last_task": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"logon_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"other": {
"type": "flattened"
},
"policy_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"port": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"privcloud": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reset_immediately": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"retries_count": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sequence_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user_dn": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"virtual_username": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"desc": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"extra_details": {
"properties": {
"ad_process_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ad_process_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"command": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"connection_component_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dst_host": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"logon_account": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"managed_account": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"other": {
"type": "flattened"
},
"process_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"process_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"psmid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_duration": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"src_host": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"file": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"gateway_station": {
"type": "ip"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"iso_timestamp": {
"type": "date"
},
"issuer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"message_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"pvwa_details": {
"type": "flattened"
@@ -619,99 +255,45 @@
"doc_values": false,
"ignore_above": 4096,
"index": false,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reason": {
"norms": false,
"type": "text",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "text"
},
"rfc5424": {
"type": "boolean"
},
"safe": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_user": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"station": {
"type": "ip"
},
"target_user": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timestamp": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -720,4 +302,4 @@
}
}
}
}
}

42
salt/elasticsearch/templates/component/ecs/data_stream.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"data_stream": {
@@ -62,4 +22,4 @@
}
}
}
}
}

252
salt/elasticsearch/templates/component/ecs/destination.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"destination": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"as": {
"properties": {
@@ -66,12 +20,6 @@
"organization": {
"properties": {
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -84,118 +32,52 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -204,13 +86,7 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat": {
"properties": {
@@ -230,63 +106,27 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -294,75 +134,33 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -371,4 +169,4 @@
}
}
}
}
}

194
salt/elasticsearch/templates/component/ecs/dll.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"dll": {
@@ -52,56 +12,26 @@
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timestamp": {
"type": "date"
@@ -118,147 +48,63 @@
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"pe": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -267,4 +113,4 @@
}
}
}
}
}

162
salt/elasticsearch/templates/component/ecs/dns.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"dns": {
@@ -52,141 +12,63 @@
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ttl": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
},
"type": "object"
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"op_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"question": {
"properties": {
"class": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -195,27 +77,15 @@
},
"response_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

50
salt/elasticsearch/templates/component/ecs/ecs.json
View File

@@ -4,63 +4,17 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

50
salt/elasticsearch/templates/component/ecs/elasticsearch.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"@timestamp": {
@@ -57,15 +17,9 @@
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}

70
salt/elasticsearch/templates/component/ecs/error.json
View File

@@ -4,79 +4,23 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"error": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"message": {
"type": "match_only_text"
},
"stack_trace": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": {
"type": "match_only_text"
}
@@ -85,17 +29,11 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

178
salt/elasticsearch/templates/component/ecs/event.json
View File

@@ -4,102 +4,32 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"event": {
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"created": {
"type": "date"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"duration": {
"type": "long"
@@ -109,97 +39,43 @@
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ingested": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"provider": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"risk_score": {
"type": "float"
@@ -218,37 +94,19 @@
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

614
salt/elasticsearch/templates/component/ecs/file.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"file": {
@@ -53,68 +13,32 @@
},
"attributes": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"code_signature": {
"properties": {
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timestamp": {
"type": "date"
@@ -135,65 +59,29 @@
},
"device": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"elf": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"creation_date": {
"type": "date"
@@ -205,76 +93,34 @@
"properties": {
"abi_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"object_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -291,46 +137,22 @@
},
"flags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"virtual_address": {
"type": "long"
@@ -345,203 +167,89 @@
"properties": {
"sections": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
},
"type": "nested"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"extension": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"group": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"inode": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mtime": {
"type": "date"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"path": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -549,73 +257,31 @@
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"file_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -623,118 +289,52 @@
"type": "long"
},
"target_path": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -746,23 +346,11 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
@@ -774,107 +362,47 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -883,4 +411,4 @@
}
}
}
}
}

2466
salt/elasticsearch/templates/component/ecs/fortinet.json
View File

File diff suppressed because it is too large Load Diff

370
salt/elasticsearch/templates/component/ecs/gcp.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"gcp": {
@@ -54,35 +14,17 @@
"properties": {
"authority_selector": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"principal_email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"method_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"num_response_items": {
"type": "long"
@@ -91,43 +33,19 @@
"properties": {
"filter": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -138,13 +56,7 @@
},
"caller_supplied_user_agent": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -152,25 +64,13 @@
"properties": {
"current_locations": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"resource_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"response": {
"properties": {
@@ -178,77 +78,35 @@
"properties": {
"group": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"kind": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"proto_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"service_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"properties": {
@@ -257,25 +115,13 @@
},
"message": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -285,33 +131,15 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -319,33 +147,15 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -357,96 +167,42 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"destination_range": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"priority": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_range": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_service_account": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"target_service_account": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"target_tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -458,33 +214,15 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -492,33 +230,15 @@
"properties": {
"project_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subnetwork_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"vpc_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -528,13 +248,7 @@
"properties": {
"reporter": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rtt": {
"properties": {
@@ -550,4 +264,4 @@
}
}
}
}
}

1002
salt/elasticsearch/templates/component/ecs/google_workspace.json
View File

File diff suppressed because it is too large Load Diff

66
salt/elasticsearch/templates/component/ecs/group.json
View File

@@ -4,83 +4,25 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

306
salt/elasticsearch/templates/component/ecs/host.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"host": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cpu": {
"properties": {
@@ -86,163 +40,73 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"network": {
"properties": {
@@ -272,85 +136,37 @@
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"uptime": {
"type": "long"
@@ -359,31 +175,13 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -391,75 +189,33 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -468,4 +224,4 @@
}
}
}
}
}

98
salt/elasticsearch/templates/component/ecs/http.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"http": {
@@ -57,10 +17,6 @@
},
"content": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": {
"type": "match_only_text"
}
@@ -74,43 +30,19 @@
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"referrer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -123,10 +55,6 @@
},
"content": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": {
"type": "match_only_text"
}
@@ -140,13 +68,7 @@
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status_code": {
"type": "long"
@@ -155,17 +77,11 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

602
salt/elasticsearch/templates/component/ecs/juniper.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"juniper": {
@@ -52,113 +12,47 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"action_detail": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"alert": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"apbr_rule_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_characteristics": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_sub_category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"attack_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"client_ip": {
"type": "ip"
@@ -168,181 +62,85 @@
},
"connection_tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"context_hit_rate": {
"type": "long"
},
"context_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"context_value": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"context_value_hit_rate": {
"type": "long"
},
"ddos_application_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dscp_value": {
"type": "long"
},
"dst_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dst_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dst_vrf_grp": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"elapsed_time": {
"type": "date"
},
"encrypted": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"epoch_time": {
"type": "date"
},
"error_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"error_message": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"export_id": {
"type": "long"
},
"feed_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"file_category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"file_hash_lookup": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"file_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"filename": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"hostname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"icmp_type": {
"type": "long"
@@ -355,93 +153,39 @@
},
"index": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"logical_system_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"malware_info": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"message": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"message_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat_connection_tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nested_application": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"obj": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"occur_count": {
"type": "long"
@@ -463,13 +207,7 @@
},
"peer_session_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"peer_source_address": {
"type": "ip"
@@ -479,286 +217,118 @@
},
"policy_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"process": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"profile": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"profile_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocol_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocol_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reason": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"repeat_count": {
"type": "long"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"routing_instance": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rule_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ruleebase_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sample_sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"secure_web_proxy_session_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"service_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_id_32": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"src_nat_rule_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"src_nat_rule_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"src_vrf_grp": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sub_category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"temporary_filename": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tenant_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"th": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"threat_severity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"time_count": {
"type": "long"
@@ -768,26 +338,14 @@
},
"time_scope": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"uplink_rx_bytes": {
"type": "long"
@@ -797,36 +355,18 @@
},
"url": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"verdict_number": {
"type": "long"
},
"verdict_source": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -835,4 +375,4 @@
}
}
}
}
}

138
salt/elasticsearch/templates/component/ecs/kibana.json
View File

@@ -4,99 +4,29 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"kibana": {
"properties": {
"add_to_spaces": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"authentication_realm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"authentication_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"delete_from_spaces": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"log": {
"properties": {
@@ -105,83 +35,41 @@
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"lookup_realm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"saved_object": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"session_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"space_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

106
salt/elasticsearch/templates/component/ecs/log.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"log": {
@@ -52,35 +12,17 @@
"properties": {
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"level": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"origin": {
"properties": {
@@ -91,38 +33,20 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"index": false,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"syslog": {
"properties": {
@@ -133,13 +57,7 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -153,13 +71,7 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -171,4 +83,4 @@
}
}
}
}
}

114
salt/elasticsearch/templates/component/ecs/logstash.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"logstash": {
@@ -54,44 +14,20 @@
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
},
"type": "object"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"thread": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -100,42 +36,18 @@
"slowlog": {
"properties": {
"event": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"plugin_params": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -144,21 +56,9 @@
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"thread": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -172,4 +72,4 @@
}
}
}
}
}

458
salt/elasticsearch/templates/component/ecs/microsoft.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"microsoft": {
@@ -52,156 +12,72 @@
"properties": {
"assignedTo": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"evidence": {
"properties": {
"aadUserId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"accountName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"domainName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ipAddress": {
"type": "ip"
},
"userPrincipalName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"lastUpdateTime": {
"type": "date"
},
"rbacGroupName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -211,56 +87,26 @@
"properties": {
"actorName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"creationTime": {
"type": "date"
},
"detectionSource": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"devices": {
"type": "flattened"
@@ -269,343 +115,145 @@
"properties": {
"accountName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"clusterBy": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"deliveryAction": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"deviceId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"entityType": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ipAddress": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mailboxAddress": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mailboxDisplayName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"recipient": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"registryHive": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"registryKey": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"registryValueType": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"securityGroupId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"securityGroupName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sender": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"investigationId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"lastUpdatedTime": {
"type": "date"
},
"mitreTechniques": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"resolvedTime": {
"type": "date"
},
"severity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"threatFamilyName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"userSid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"assignedTo": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"determination": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"incidentId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"incidentName": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"investigationState": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"redirectIncidentId": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -614,4 +262,4 @@
}
}
}
}
}

690
salt/elasticsearch/templates/component/ecs/misp.json
View File

File diff suppressed because it is too large Load Diff

418
salt/elasticsearch/templates/component/ecs/netflow.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"netflow": {
@@ -74,56 +34,26 @@
},
"application_category_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_group_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_id": {
"type": "short"
},
"application_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"application_sub_category_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"bgp_destination_as_number": {
"type": "long"
@@ -154,13 +84,7 @@
},
"class_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"classification_engine_id": {
"type": "short"
@@ -227,13 +151,7 @@
},
"destination_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"destination_transport_port": {
"type": "long"
@@ -264,26 +182,14 @@
},
"dot1q_customer_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dot1q_customer_priority": {
"type": "short"
},
"dot1q_customer_source_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dot1q_customer_vlan_id": {
"type": "long"
@@ -347,13 +253,7 @@
},
"encrypted_technology": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"engine_id": {
"type": "short"
@@ -398,13 +298,7 @@
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_id": {
"type": "long"
@@ -572,76 +466,34 @@
},
"http_content_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_message_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_reason_phrase": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_request_host": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_request_method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_request_target": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http_status_code": {
"type": "long"
},
"http_user_agent": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"icmp_code_ipv4": {
"type": "short"
@@ -684,13 +536,7 @@
},
"information_element_description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"information_element_id": {
"type": "long"
@@ -700,13 +546,7 @@
},
"information_element_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"information_element_range_begin": {
"type": "long"
@@ -749,23 +589,11 @@
},
"interface_description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"interface_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"intermediate_process_id": {
"type": "long"
@@ -913,13 +741,7 @@
},
"metro_evc_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"metro_evc_type": {
"type": "short"
@@ -932,59 +754,29 @@
},
"mib_context_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mib_index_indicator": {
"type": "long"
},
"mib_module_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mib_object_description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mib_object_identifier": {
"type": "short"
},
"mib_object_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mib_object_syntax": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mib_object_value_bits": {
"type": "short"
@@ -1042,23 +834,11 @@
},
"mobile_imsi": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mobile_msisdn": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"monitoring_interval_end_milli_seconds": {
"type": "date"
@@ -1149,13 +929,7 @@
},
"nat_pool_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat_quota_exceeded_event": {
"type": "long"
@@ -1189,13 +963,7 @@
},
"observation_domain_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"observation_point_id": {
"type": "long"
@@ -1253,13 +1021,7 @@
},
"p2p_technology": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"packet_delta_count": {
"type": "long"
@@ -1290,13 +1052,7 @@
},
"post_destination_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"post_dot1q_customer_vlan_id": {
"type": "long"
@@ -1372,13 +1128,7 @@
},
"post_source_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"post_vlan_id": {
"type": "long"
@@ -1430,13 +1180,7 @@
},
"sampler_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sampler_random_interval": {
"type": "long"
@@ -1503,13 +1247,7 @@
},
"selector_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_scope": {
"type": "short"
@@ -1534,13 +1272,7 @@
},
"source_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"source_transport_port": {
"type": "long"
@@ -1556,13 +1288,7 @@
},
"sta_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"system_init_time_milliseconds": {
"type": "date"
@@ -1629,23 +1355,11 @@
},
"tunnel_technology": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"udp_destination_port": {
"type": "long"
@@ -1661,13 +1375,7 @@
},
"user_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"value_distribution_method": {
"type": "short"
@@ -1677,23 +1385,11 @@
},
"virtual_station_interface_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"virtual_station_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"virtual_station_uuid": {
"type": "short"
@@ -1706,40 +1402,22 @@
},
"vr_fname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"wlan_channel_id": {
"type": "short"
},
"wlan_ssid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"wtp_mac_address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

138
salt/elasticsearch/templates/component/ecs/network.json
View File

@@ -4,95 +4,31 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"network": {
"properties": {
"application": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"bytes": {
"type": "long"
},
"community_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"direction": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"inner": {
"properties": {
@@ -100,23 +36,11 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -125,68 +49,32 @@
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"packets": {
"type": "long"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"vlan": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -195,4 +83,4 @@
}
}
}
}
}

738
salt/elasticsearch/templates/component/ecs/o365.json
View File

File diff suppressed because it is too large Load Diff

334
salt/elasticsearch/templates/component/ecs/observer.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"observer": {
@@ -54,33 +14,15 @@
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -88,35 +30,17 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
},
"type": "object"
@@ -125,118 +49,52 @@
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ingress": {
"properties": {
@@ -244,33 +102,15 @@
"properties": {
"alias": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -278,35 +118,17 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
},
"type": "object"
@@ -316,151 +138,67 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"os": {
"properties": {
"family": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"kernel": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"product": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"vendor": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

410
salt/elasticsearch/templates/component/ecs/okta.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"okta": {
@@ -52,43 +12,19 @@
"properties": {
"alternate_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"display_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -96,56 +32,26 @@
"properties": {
"authentication_provider": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"authentication_step": {
"type": "long"
},
"credential_provider": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"credential_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"external_session_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"interface": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -153,23 +59,11 @@
"properties": {
"device": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ip": {
"type": "ip"
@@ -178,45 +72,21 @@
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"raw_user_agent": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"zone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -226,75 +96,33 @@
"properties": {
"device_fingerprint": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"request_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"request_uri": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"suspicious_activity": {
"properties": {
"browser": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_city": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_ip": {
"type": "ip"
@@ -307,43 +135,19 @@
},
"event_state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_transaction_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"os": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timestamp": {
"type": "date"
@@ -352,23 +156,11 @@
},
"threat_suspected": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -376,45 +168,21 @@
},
"display_message": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"event_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"outcome": {
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"result": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -426,46 +194,22 @@
"properties": {
"city": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geolocation": {
"type": "geo_point"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -474,23 +218,11 @@
},
"source": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -507,13 +239,7 @@
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -521,38 +247,20 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"is_proxy": {
"type": "boolean"
},
"isp": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"severity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"target": {
"type": "flattened"
@@ -561,49 +269,25 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"uuid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

114
salt/elasticsearch/templates/component/ecs/orchestrator.json
View File

@@ -4,151 +4,57 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"orchestrator": {
"properties": {
"api_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cluster": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"url": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"namespace": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"resource": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

56
salt/elasticsearch/templates/component/ecs/organization.json
View File

@@ -4,67 +4,15 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"organization": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -73,4 +21,4 @@
}
}
}
}
}

130
salt/elasticsearch/templates/component/ecs/package.json
View File

@@ -4,169 +4,63 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"package": {
"properties": {
"architecture": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"installed": {
"type": "date"
},
"license": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

706
salt/elasticsearch/templates/component/ecs/process.json
View File

File diff suppressed because it is too large Load Diff

74
salt/elasticsearch/templates/component/ecs/redis.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"redis": {
@@ -52,13 +12,7 @@
"properties": {
"role": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -66,23 +20,11 @@
"properties": {
"args": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cmd": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"duration": {
"properties": {
@@ -96,13 +38,7 @@
},
"key": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -111,4 +47,4 @@
}
}
}
}
}

90
salt/elasticsearch/templates/component/ecs/registry.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"registry": {
@@ -52,72 +12,36 @@
"properties": {
"bytes": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"strings": {
"type": "wildcard"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hive": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"value": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

66
salt/elasticsearch/templates/component/ecs/related.json
View File

@@ -4,86 +4,28 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"related": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"hosts": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

122
salt/elasticsearch/templates/component/ecs/rule.json
View File

@@ -4,153 +4,53 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"rule": {
"properties": {
"author": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

252
salt/elasticsearch/templates/component/ecs/server.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"server": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"as": {
"properties": {
@@ -66,12 +20,6 @@
"organization": {
"properties": {
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -84,118 +32,52 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -204,13 +86,7 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat": {
"properties": {
@@ -230,63 +106,27 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -294,75 +134,33 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -371,4 +169,4 @@
}
}
}
}
}

114
salt/elasticsearch/templates/component/ecs/service.json
View File

@@ -4,147 +4,53 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"service": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"environment": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

186
salt/elasticsearch/templates/component/ecs/snyk.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"snyk": {
@@ -55,23 +15,11 @@
},
"org_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"project_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -82,13 +30,7 @@
"properties": {
"projects": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -96,68 +38,32 @@
"properties": {
"credit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cvss3": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"disclosure_time": {
"type": "date"
},
"exploit_maturity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"identifiers": {
"properties": {
"alternative": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cwe": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -184,46 +90,22 @@
},
"jira_issue_url": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"language": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"original_severity": {
"type": "long"
},
"package": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"package_manager": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"patches": {
"type": "flattened"
@@ -236,56 +118,26 @@
},
"reachability": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"semver": {
"type": "flattened"
},
"title": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"unique_severities_list": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -294,4 +146,4 @@
}
}
}
}
}

1146
salt/elasticsearch/templates/component/ecs/sophos.json
View File

File diff suppressed because it is too large Load Diff

252
salt/elasticsearch/templates/component/ecs/source.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"source": {
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"as": {
"properties": {
@@ -66,12 +20,6 @@
"organization": {
"properties": {
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
}
@@ -84,118 +32,52 @@
},
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"geo": {
"properties": {
"city_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"continent_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -204,13 +86,7 @@
},
"mac": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"nat": {
"properties": {
@@ -230,63 +106,27 @@
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"user": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full_name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
@@ -294,75 +134,33 @@
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"name": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
},
"ignore_above": 1024,
"type": "keyword"
},
"roles": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -371,4 +169,4 @@
}
}
}
}
}

586
salt/elasticsearch/templates/component/ecs/suricata.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"suricata": {
@@ -54,268 +14,118 @@
"properties": {
"affected_product": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"attack_target": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"capec_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"classtype": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"created_at": {
"type": "date"
},
"cve": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cvss_v2_base": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cvss_v2_temporal": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cvss_v3_base": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cvss_v3_temporal": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"cwe_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"deployment": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"former_category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"gid": {
"type": "long"
},
"hostile": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"infected": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"malware": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"metadata": {
"type": "flattened"
},
"mitre_tool_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"performance_impact": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"priority": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocols": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rev": {
"type": "long"
},
"rule_source": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sid": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"signature": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"signature_id": {
"type": "long"
},
"signature_severity": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"updated_at": {
"type": "date"
@@ -324,43 +134,19 @@
},
"app_proto_expected": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"app_proto_orig": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"app_proto_tc": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"app_proto_ts": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"dns": {
"properties": {
@@ -369,43 +155,19 @@
},
"rcode": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rdata": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rrname": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rrtype": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ttl": {
"type": "long"
@@ -415,13 +177,7 @@
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -429,25 +185,13 @@
"properties": {
"status": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"event_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"fileinfo": {
"properties": {
@@ -456,43 +200,19 @@
},
"md5": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"stored": {
"type": "boolean"
@@ -512,67 +232,31 @@
},
"reason": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"flow_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"http": {
"properties": {
"http_content_type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"redirect": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -584,13 +268,7 @@
},
"in_iface": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"pcap_cnt": {
"type": "long"
@@ -599,33 +277,15 @@
"properties": {
"helo": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"mail_from": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"rcpt_to": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -635,23 +295,11 @@
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -659,23 +307,11 @@
"properties": {
"proto_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"software_version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -1121,46 +757,22 @@
},
"state": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"syn": {
"type": "boolean"
},
"tcp_flags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tcp_flags_tc": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"tcp_flags_ts": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -1168,45 +780,21 @@
"properties": {
"fingerprint": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"issuerdn": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ja3": {
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -1214,23 +802,11 @@
"properties": {
"hash": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"string": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -1242,46 +818,22 @@
},
"serial": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"session_resumed": {
"type": "boolean"
},
"sni": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -1295,4 +847,4 @@
}
}
}
}
}

58
salt/elasticsearch/templates/component/ecs/syslog.json
View File

@@ -4,46 +4,6 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"syslog": {
@@ -53,30 +13,18 @@
},
"facility_label": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"priority": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

2258
salt/elasticsearch/templates/component/ecs/threat.json
View File

File diff suppressed because it is too large Load Diff

546
salt/elasticsearch/templates/component/ecs/tls.json
View File

@@ -4,135 +4,47 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"tls": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"client": {
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"not_after": {
"type": "date"
@@ -142,117 +54,51 @@
},
"server_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -264,23 +110,11 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
@@ -292,107 +126,47 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -400,26 +174,14 @@
},
"curve": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"established": {
"type": "boolean"
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"resumed": {
"type": "boolean"
@@ -428,77 +190,35 @@
"properties": {
"certificate": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"hash": {
"properties": {
"md5": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha1": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"not_after": {
"type": "date"
@@ -508,97 +228,43 @@
},
"subject": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"x509": {
"properties": {
"alternative_names": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"issuer": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -610,23 +276,11 @@
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"public_key_exponent": {
"doc_values": false,
@@ -638,107 +292,47 @@
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subject": {
"properties": {
"common_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"country": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
"version_number": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
@@ -746,27 +340,15 @@
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

66
salt/elasticsearch/templates/component/ecs/tracing.json
View File

@@ -4,59 +4,13 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"span": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -64,13 +18,7 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
},
@@ -78,17 +26,11 @@
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

130
salt/elasticsearch/templates/component/ecs/url.json
View File

@@ -4,86 +4,24 @@
"ecs_version": "1.12.2"
},
"template": {
"settings": {
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [
"whitespace_no_way"
],
"filter": [
"lowercase",
"trim"
],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter": {
"path_hierarchy_pattern_filter": {
"type": "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings": {
"properties": {
"url": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"full": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": {
"type": "match_only_text"
}
@@ -92,10 +30,6 @@
},
"original": {
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
},
"text": {
"type": "match_only_text"
}
@@ -104,13 +38,7 @@
},
"password": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"path": {
"type": "wildcard"
@@ -120,67 +48,31 @@
},
"query": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
"type": "keyword"
}
}
}
}
}
}
}
}

Some files were not shown because too many files have changed in this diff Show More