Merge pull request #10970 from Security-Onion-Solutions/2.4/dev

2.4.5 RC2

DOWNLOAD_AND_VERIFY_ISO.md

@@ -1,18 +1,18 @@
-### 2.4.3-20230711 ISO image built on 2023/07/11
+### 2.4.5-20230807 ISO image released on 2023/08/07
 
 
 
 ### Download and Verify
 
-2.4.3-20230711 ISO image:  
-https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+2.4.5-20230807 ISO image:  
+https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
  
-MD5: F481ED39E02A5AF05EB50D319D97A6C7  
-SHA1: 20F9BAA8F73A44C21A8DFE81F36247BCF33CEDA6  
-SHA256: D805522E02CD4941641385F6FF86FAAC240DA6C5FD98F78460348632C7C631B0 
+MD5: F83FD635025A3A65B380EAFCEB61A92E  
+SHA1: 5864D4CD520617E3328A3D956CAFCC378A8D2D08  
+SHA256: D333BAE0DD198DFD80DF59375456D228A4E18A24EDCDB15852CD4CA3F92B69A7  
 
 Signature for ISO image:  
-https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
 
 Signing key:  
 https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.4/main/KEYS  
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/2.
 
 Download the signature file for the ISO:  
 ```
-wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.3-20230711.iso.sig
+wget https://github.com/Security-Onion-Solutions/securityonion/raw/2.4/main/sigs/securityonion-2.4.5-20230807.iso.sig
 ```
 
 Download the ISO image:  
 ```
-wget https://download.securityonion.net/file/securityonion/securityonion-2.4.3-20230711.iso
+wget https://download.securityonion.net/file/securityonion/securityonion-2.4.5-20230807.iso
 ```
 
 Verify the downloaded ISO image using the signature file:  
 ```
-gpg --verify securityonion-2.4.3-20230711.iso.sig securityonion-2.4.3-20230711.iso
+gpg --verify securityonion-2.4.5-20230807.iso.sig securityonion-2.4.5-20230807.iso
 ```
 
 The output should show "Good signature" and the Primary key fingerprint should match what's shown below:
 ```
-gpg: Signature made Tue 11 Jul 2023 06:23:37 PM EDT using RSA key ID FE507013
+gpg: Signature made Sat 05 Aug 2023 10:12:46 AM EDT using RSA key ID FE507013
 gpg: Good signature from "Security Onion Solutions, LLC <info@securityonionsolutions.com>"
 gpg: WARNING: This key is not certified with a trusted signature!
 gpg:          There is no indication that the signature belongs to the owner.

README.md

@@ -1,6 +1,6 @@
-## Security Onion 2.4 Beta 4
+## Security Onion 2.4 Release Candidate 2 (RC2)
 
-Security Onion 2.4 Beta 4 is here!
+Security Onion 2.4 Release Candidate 2 (RC2) is here!
 
 ## Screenshots
 

VERSION

@@ -1 +1 @@
-2.4.3
+2.4.5

salt/_modules/needs_restarting.py

@@ -3,14 +3,14 @@ import subprocess
 
 def check():
 
-  os = __grains__['os']
+  osfam = __grains__['os_family']
   retval = 'False'
 
-  if os == 'Ubuntu':
+  if osfam == 'Debian':
     if path.exists('/var/run/reboot-required'):
       retval = 'True'
 
-  elif os == 'Rocky':
+  elif osfam == 'RedHat':
     cmd = 'needs-restarting -r > /dev/null 2>&1'
     
     try:

salt/common/files/daemon.json

@@ -1,13 +1,11 @@
-{%- set DOCKERRANGE = salt['pillar.get']('docker:range', '172.17.0.0/24') %}
-{%- set DOCKERBIND = salt['pillar.get']('docker:bip', '172.17.0.1/24') %}
 {
   "registry-mirrors": [
     "https://:5000"
   ],
-  "bip": "{{ DOCKERBIND }}",
+  "bip": "172.17.0.1/24",
   "default-address-pools": [
     {
-      "base": "{{ DOCKERRANGE }}",
+      "base": "172.17.0.0/24",
       "size": 24
     }
   ]

salt/common/init.sls

@@ -195,7 +195,7 @@ soversionfile:
 {% endif %}
 
 {% if GLOBALS.so_model and GLOBALS.so_model not in ['SO2AMI01', 'SO2AZI01', 'SO2GCI01'] %}
-  {% if GLOBALS.os == 'Rocky' %}     
+  {% if GLOBALS.os == 'OEL' %}     
 # Install Raid tools
 raidpkgs:
   pkg.installed:
@@ -217,8 +217,7 @@ so-raid-status:
     - month: '*'
     - dayweek: '*'
 
-{% endif %}
-
+  {% endif %}
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/common/packages.sls

@@ -1,6 +1,6 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
@@ -14,16 +14,25 @@ commonpkgs:
       - software-properties-common
       - apt-transport-https
       - openssl
-      - netcat
+      - netcat-openbsd
       - sqlite3
       - libssl-dev
+      - procps
       - python3-dateutil
+      - python3-docker
       - python3-packaging
       - python3-watchdog
       - python3-lxml
       - git
+      - rsync
       - vim
+      - tar
+      - unzip
+      {% if grains.oscodename != 'focal' %}
+      - python3-rich
+      {% endif %}
 
+{%     if grains.oscodename == 'focal' %}
 # since Ubuntu requires and internet connection we can use pip to install modules
 python3-pip:
   pkg.installed
@@ -34,34 +43,46 @@ python-rich:
     - target: /usr/local/lib/python3.8/dist-packages/
     - require:
       - pkg: python3-pip
+{%     endif %}
+{% endif %}
 
-
-{% elif GLOBALS.os == 'Rocky' %}     
+{% if GLOBALS.os_family == 'RedHat' %}
 commonpkgs:
   pkg.installed:
     - skip_suggestions: True
     - pkgs:
-      - wget
-      - jq
-      - tcpdump
-      - httpd-tools
-      - net-tools
       - curl
-      - sqlite
-      - mariadb-devel
-      - python3-dnf-plugin-versionlock
-      - nmap-ncat
-      - yum-utils
       - device-mapper-persistent-data
-      - lvm2
-      - openssl
+      - fuse
+      - fuse-libs
+      - fuse-overlayfs
+      - fuse-common
+      - fuse3
+      - fuse3-libs
       - git
+      - httpd-tools
+      - jq
+      - lvm2
+      {% if GLOBALS.os == 'CentOS Stream' %}
+      - MariaDB-devel
+      {% else %}
+      - mariadb-devel
+      {% endif %}
+      - net-tools
+      - nmap-ncat
+      - openssl
+      - procps-ng
+      - python3-dnf-plugin-versionlock
       - python3-docker
       - python3-m2crypto
-      - rsync
-      - python3-rich
-      - python3-pyyaml
-      - python3-watchdog
       - python3-packaging
+      - python3-pyyaml
+      - python3-rich
+      - python3-watchdog
+      - rsync
+      - sqlite
+      - tcpdump
       - unzip
+      - wget
+      - yum-utils
 {% endif %}

salt/common/tools/sbin/so-common

@@ -5,7 +5,16 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
-ELASTIC_AGENT_TARBALL_VERSION="8.7.1"
+# Elastic agent is not managed by salt. Because of this we must store this base information in a 
+# script that accompanies the soup system. Since so-common is one of those special soup files, 
+# and since this same logic is required during installation, it's included in this file.
+ELASTIC_AGENT_TARBALL_VERSION="8.8.2"
+ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz"
+ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5"
+ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent
+
 DEFAULT_SALT_DIR=/opt/so/saltstack/default
 DOC_BASE_URL="https://docs.securityonion.net/en/2.4"
 
@@ -161,6 +170,34 @@ disable_fastestmirror() {
 	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
 }
 
+download_and_verify() {
+	source_url=$1
+	source_md5_url=$2
+	dest_file=$3
+	md5_file=$4
+	expand_dir=$5
+
+	if [[ -n "$expand_dir" ]]; then
+		mkdir -p "$expand_dir"
+	fi
+
+	if ! verify_md5_checksum "$dest_file" "$md5_file"; then
+		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" ""
+		retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'"  "" ""
+
+		if verify_md5_checksum "$dest_file" "$md5_file"; then
+		  echo "Source file and checksum are good."
+		else
+		  echo "Unable to download and verify the source file and checksum."
+		  return 1
+		fi
+	fi
+
+	if [[ -n "$expand_dir" ]]; then
+		tar -xf "$dest_file" -C "$expand_dir"
+	fi
+}
+
 elastic_license() {
 
 read -r -d '' message <<- EOM
@@ -199,19 +236,20 @@ get_random_value() {
 }
 
 gpg_rpm_import() {
-	if [[ "$OS" == "rocky" ]]; then
+	if [[ $is_oracle ]]; then
 	    if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
-	        local RPMKEYSLOC="../salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
 	    else
-	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
+	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys"
 	    fi
-	
-	    RPMKEYS=('RPM-GPG-KEY-rockyofficial' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
-
-	    for RPMKEY in "${RPMKEYS[@]}"; do
+		RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY')
+		for RPMKEY in "${RPMKEYS[@]}"; do
     	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
+	elif [[ $is_rpm ]]; then
+		echo "Importing the security onion GPG key"
+		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
 }
 
@@ -224,12 +262,15 @@ init_monitor() {
 	
 	if [[ $MONITORNIC == "bond0" ]]; then 
 	  BIFACES=$(lookup_bond_interfaces)
+	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
+	    ethtool -K "$MONITORNIC" "$i" off;
+  	  done
 	else
 	  BIFACES=$MONITORNIC
 	fi
 
 	for DEVICE_IFACE in $BIFACES; do
-	  for i in rx tx sg tso ufo gso gro lro; do
+	  for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do
 	    ethtool -K "$DEVICE_IFACE" "$i" off;
   	  done
 	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
@@ -395,19 +436,22 @@ salt_minion_count() {
 
 }
 
-set_cron_service_name() {
-	if [[ "$OS" == "rocky" ]]; then
-		cron_service_name="crond"
-	else
-		cron_service_name="cron"
-	fi
-}
-
 set_os() {
 	if [ -f /etc/redhat-release ]; then
-		OS=rocky
+		if grep -q "Rocky Linux release 9" /etc/redhat-release; then
+			OS=rocky
+			OSVER=9
+			is_rocky=true
+		elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
+			OS=centos
+			OSVER=9
+			is_centos=true
+		fi
+		cron_service_name="crond"
 	else
 		OS=ubuntu
+		is_ubuntu=true
+		cron_service_name="cron"
 	fi
 }
 
@@ -416,7 +460,7 @@ set_minionid() {
 }
 
 set_palette() {
-	if [ "$OS" == ubuntu ]; then
+	if [[ $is_deb ]]; then
 	    update-alternatives --set newt-palette /etc/newt/palette.original
     fi
 }
@@ -463,6 +507,11 @@ has_uppercase() {
 		|| return 1
 }
 
+update_elastic_agent() {
+	echo "Checking if Elastic Agent update is necessary..."
+	download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR"
+}
+
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
@@ -616,6 +665,23 @@ valid_username() {
 	echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1
 }
 
+verify_md5_checksum() {
+	data_file=$1
+	md5_file=${2:-${data_file}.md5}
+
+	if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then
+		return 2
+	fi
+
+	SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }')
+	HASH=$(cat "$md5_file")
+
+	if [[ "$HASH" == "$SOURCEHASH" ]]; then
+		return 0
+	fi
+	return 1
+}
+
 wait_for_web_response() {
 	url=$1
 	expected=$2

salt/common/tools/sbin/so-status

@@ -103,7 +103,7 @@ def output(options, console, code, data):
 def check_container_status(options, console):
   code = 0
   cli = "docker"
-  proc = subprocess.run([cli, 'ps', '--format', '{{json .}}'], stdout=subprocess.PIPE, encoding="utf-8")
+  proc = subprocess.run([cli, 'ps', '--format', 'json'], stdout=subprocess.PIPE, encoding="utf-8")
   if proc.returncode != 0:
     fail("Container system error; unable to obtain container process statuses")
 

salt/common/tools/sbin_jinja/so-import-evtx

@@ -27,6 +27,8 @@ Imports one or more evtx files into Security Onion. The evtx files will be analy
 Options:
   --json      Outputs summary in JSON format. Implies --quiet.
   --quiet     Silences progress information to stdout.
+  --shift     Adds a time shift. Accepts a single argument that is intended to be the date of the last record, and shifts the dates of the previous records accordingly.
+              Ex. sudo so-import-evtx --shift "2023-08-01 01:01:01" example.evtx 
 EOF
 }
 
@@ -44,6 +46,10 @@ while [[ $# -gt 0 ]]; do
     --quiet)
       quiet=1
       ;;
+    --shift)
+      SHIFTDATE=$1
+      shift
+      ;;
     -*) 
       echo "Encountered unexpected parameter: $param"
       usage
@@ -68,8 +74,10 @@ function status {
 function evtx2es() {
   EVTX=$1
   HASH=$2
+  SHIFTDATE=$3
   
   docker run --rm \
+    -e "SHIFTTS=$SHIFTDATE" \
     -v "$EVTX:/tmp/data.evtx" \
     -v "/nsm/import/$HASH/evtx/:/tmp/evtx/" \
     -v "/nsm/import/evtx-end_newest:/tmp/newest" \
@@ -113,7 +121,9 @@ echo $END_NEWEST > /nsm/import/evtx-end_newest
 for EVTX in $INPUT_FILES; do
   EVTX=$(/usr/bin/realpath "$EVTX")
   status "Processing Import: ${EVTX}"
-
+  if ! [ -z "$SHIFTDATE" ]; then
+    status "- timeshifting logs to end date of $SHIFTDATE"
+  fi
   # generate a unique hash to assist with dedupe checks
   HASH=$(md5sum "${EVTX}" | awk '{ print $1 }')
   HASH_DIR=/nsm/import/${HASH}
@@ -136,7 +146,7 @@ for EVTX in $INPUT_FILES; do
 
     # import evtx and write them to import ingest pipeline
     status "- importing logs to Elasticsearch..."
-    evtx2es "${EVTX}" $HASH
+    evtx2es "${EVTX}" $HASH "$SHIFTDATE"
     if [[ $? -ne 0 ]]; then
       INVALID_EVTXS_COUNT=$((INVALID_EVTXS_COUNT + 1))
       status "- WARNING: This evtx file may not have fully imported successfully"

salt/common/tools/sbin_jinja/so-raid-status

@@ -9,25 +9,26 @@
 
 . /usr/sbin/so-common
 
-appliance_check() {
-  {%- if salt['grains.get']('sosmodel', '') %}
-  APPLIANCE=1
-  {%- if grains['sosmodel'] in ['SO2AMI01', 'SO2GCI01', 'SO2AZI01'] %}
-  exit 0
-  {%- endif %}
-  DUDEYOUGOTADELL=$(dmidecode |grep Dell)
-  if [[ -n $DUDEYOUGOTADELL ]]; then
-  APPTYPE=dell
-  else
-  APPTYPE=sm
-  fi
-  mkdir -p /opt/so/log/raid
-
-  {%- else %}
-  echo "This is not an appliance"
-  exit 0
-  {%- endif %}
-}
+{%- if salt['grains.get']('sosmodel', '') %}
+{%- set model = salt['grains.get']('sosmodel') %}
+model={{ model }}
+# Don't need cloud images to use this
+if [[ $model =~ ^(SO2AMI01|SO2AZI01|SO2GCI01)$ ]]; then
+    exit 0
+fi
+{%- else %}
+echo "This is not an appliance"
+exit 0
+{%- endif %}
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200|SOSSNNV|SOSMN)$ ]]; then
+	is_bossraid=true
+fi
+if [[ $model =~ ^(SOSSNNV|SOSMN)$ ]]; then
+	is_swraid=true
+fi
+if [[ $model =~ ^(SOS10K|SOS500|SOS1000|SOS1000F|SOS4000|SOSSN7200)$ ]]; then
+	is_hwraid=true
+fi
 
 check_nsm_raid() {
   PERCCLI=$(/opt/raidtools/perccli/perccli64 /c0/v0 show|grep RAID|grep Optl)
@@ -49,61 +50,44 @@ check_nsm_raid() {
 check_boss_raid() {
   MVCLI=$(/usr/local/bin/mvcli info -o vd |grep status |grep functional)
 
-  if [[ -n $DUDEYOUGOTADELL ]]; then
-    if [[ -n $MVCLI ]]; then
-      BOSSRAID=0
-    else
-      BOSSRAID=1
-    fi
+  if [[ -n $MVCLI ]]; then
+    BOSSRAID=0
+  else
+    BOSSRAID=1
   fi
 }
 
 check_software_raid() {
-  if [[ -n $DUDEYOUGOTADELL ]]; then
-    SWRC=$(grep "_" /proc/mdstat)
-
-    if [[ -n $SWRC ]]; then
-        # RAID is failed in some way
-        SWRAID=1
-    else
-        SWRAID=0
-    fi
+  SWRC=$(grep "_" /proc/mdstat)
+  if [[ -n $SWRC ]]; then
+      # RAID is failed in some way
+      SWRAID=1
+  else
+      SWRAID=0
   fi
 }
 
-# This script checks raid status if you use SO appliances
+# Set everything to 0
+SWRAID=0
+BOSSRAID=0
+HWRAID=0
 
-# See if this is an appliance
+if [[ $is_hwraid ]]; then
+	check_nsm_raid
+fi
+if [[ $is_bossraid ]]; then
+	check_boss_raid
+fi
+if [[ $is_swraid ]]; then
+	check_software_raid
+fi
 
-appliance_check
-check_nsm_raid
-check_boss_raid
-{%- if salt['grains.get']('sosmodel', '') %}
-{%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
-check_software_raid
-{%- endif %}
-{%- endif %}
+sum=$(($SWRAID + $BOSSRAID + $HWRAID))
 
-if [[ -n $SWRAID ]]; then
-  if [[ $SWRAID == '0' && $BOSSRAID == '0' ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
-elif [[ -n $DUDEYOUGOTADELL ]]; then
-  if [[ $BOSSRAID == '0' && $HWRAID == '0' ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
-elif [[ "$APPTYPE" == 'sm' ]]; then
-  if [[ -n "$HWRAID" ]]; then
-    RAIDSTATUS=0
-  else
-    RAIDSTATUS=1
-  fi
+if [[ $sum == "0" ]]; then
+  RAIDSTATUS=0
+else
+  RAIDSTATUS=1
 fi
 
 echo "nsmraid=$RAIDSTATUS" > /opt/so/log/raid/status.log
-
-

salt/desktop/files/session.jinja

@@ -0,0 +1,7 @@
+# This file is managed by Salt in the desktop.xwindows state
+# It will not be overwritten if it already exists
+
+[User]
+Session=gnome-classic
+Icon=/home/{{USERNAME}}/.face
+SystemAccount=false

salt/desktop/packages.sls

@@ -1,170 +1,281 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 
 
 desktop_packages:
   pkg.installed:
     - pkgs:
+      - ModemManager
+      - ModemManager-glib
       - NetworkManager
       - NetworkManager-adsl
       - NetworkManager-bluetooth
-      - NetworkManager-l2tp-gnome
-      - NetworkManager-libreswan-gnome
-      - NetworkManager-openconnect-gnome
-      - NetworkManager-openvpn-gnome
-      - NetworkManager-ppp
-      - NetworkManager-pptp-gnome
+      - NetworkManager-config-server
+      - NetworkManager-libnm
       - NetworkManager-team
       - NetworkManager-tui
       - NetworkManager-wifi
       - NetworkManager-wwan
+      - PackageKit
+      - PackageKit-command-not-found
+      - PackageKit-glib
       - PackageKit-gstreamer-plugin
-      - aajohan-comfortaa-fonts
-      - abattis-cantarell-fonts
-      - acl
-      - alsa-ucm
-      - alsa-utils
-      - anaconda
-      - anaconda-install-env-deps
-      - anaconda-live
-      - at
-      - attr
+      - PackageKit-gtk3-module
       - audit
+      - audit-libs
       - authselect
+      - authselect-libs
+      - avahi
+      - avahi-glib
+      - avahi-libs
+      - baobab
       - basesystem
-      - bash
-      - bash-completion
       - bc
-      - blktrace
+      - bcache-tools
       - bluez
+      - bluez-libs
+      - bluez-obexd
       - bolt
-      - bpftool
       - bzip2
+      - bzip2-libs
+      - c-ares
+      - ca-certificates
+      - cairo
+      - cairo-gobject
+      - cairomm
+      - checkpolicy
       - chkconfig
+      - chrome-gnome-shell
       - chromium
-      - chrony
-      - cinnamon
-      - cinnamon-control-center
-      - cinnamon-screensaver
-      - cockpit
-      - coreutils
-      - cpio
-      - cronie
-      - crontabs
-      - crypto-policies
-      - crypto-policies-scripts
-      - cryptsetup
-      - curl
-      - cyrus-sasl-plain
-      - dbus
+      - clutter
+      - clutter-gst3
+      - clutter-gtk
+      - cogl
+      - color-filesystem
+      - colord
+      - colord-gtk
+      - colord-libs
+      - conmon
+      - cups
+      - cups-client
+      - cups-filesystem
+      - cups-filters
+      - cups-filters-libs
+      - cups-ipptool
+      - cups-libs
+      - cups-pk-helper
+      - dconf
       - dejavu-sans-fonts
       - dejavu-sans-mono-fonts
       - dejavu-serif-fonts
-      - dnf
-      - dnf-plugins-core
-      - dos2unix
-      - dosfstools
-      - dracut-config-rescue
-      - dracut-live
+      - desktop-file-utils
       - dsniff
-      - e2fsprogs
-      - ed
-      - efi-filesystem
-      - efibootmgr
-      - efivar-libs
-      - eom
       - ethtool
-      - f36-backgrounds-extras-gnome
-      - f36-backgrounds-gnome
-      - f37-backgrounds-extras-gnome
-      - f37-backgrounds-gnome
+      - evolution-data-server
+      - evolution-data-server-langpacks
       - file
-      - filesystem
-      - firewall-config
-      - firewalld
-      - fprintd-pam
-      - git
-      - glibc
-      - glibc-all-langpacks
+      - flac-libs
+      - flashrom
+      - flatpak
+      - flatpak-libs
+      - flatpak-selinux
+      - flatpak-session-helper
+      - fontconfig
+      - fonts-filesystem
+      - foomatic
+      - foomatic-db
+      - foomatic-db-filesystem
+      - foomatic-db-ppds
+      - freetype
+      - fuse
+      - fuse-common
+      - fuse-libs
+      - fuse-overlayfs
+      - fuse3
+      - fuse3-libs
+      - fwupd
+      - fwupd-plugin-flashrom
+      - gcr
+      - gcr-base
+      - gd
+      - gdbm-libs
+      - gdisk
+      - gdk-pixbuf2
+      - gdk-pixbuf2-modules
+      - gdm
+      - gedit
+      - geoclue2
+      - geoclue2-libs
+      - geocode-glib
+      - gettext
+      - gettext-libs
+      - ghostscript
+      - ghostscript-tools-fonts
+      - ghostscript-tools-printing
+      - giflib
+      - glx-utils
+      - gmp
+      - gnome-autoar
+      - gnome-bluetooth
+      - gnome-bluetooth-libs
       - gnome-calculator
+      - gnome-characters
+      - gnome-classic-session
+      - gnome-color-manager
+      - gnome-control-center
+      - gnome-control-center-filesystem
+      - gnome-desktop3
       - gnome-disk-utility
+      - gnome-font-viewer
+      - gnome-initial-setup
+      - gnome-keyring
+      - gnome-keyring-pam
+      - gnome-logs
+      - gnome-menus
+      - gnome-online-accounts
+      - gnome-remote-desktop
       - gnome-screenshot
+      - gnome-session
+      - gnome-session-wayland-session
+      - gnome-session-xsession
+      - gnome-settings-daemon
+      - gnome-shell
+      - gnome-shell-extension-apps-menu
+      - gnome-shell-extension-background-logo
+      - gnome-shell-extension-common
+      - gnome-shell-extension-desktop-icons
+      - gnome-shell-extension-launch-new-instance
+      - gnome-shell-extension-places-menu
+      - gnome-shell-extension-window-list
+      - gnome-software
       - gnome-system-monitor
       - gnome-terminal
-      - gnupg2
+      - gnome-terminal-nautilus
+      - gnome-tour
+      - gnome-user-docs
+      - gnome-video-effects
+      - gobject-introspection
+      - gom
+      - google-droid-sans-fonts
+      - google-noto-cjk-fonts-common
       - google-noto-emoji-color-fonts
+      - google-noto-fonts-common
       - google-noto-sans-cjk-ttc-fonts
       - google-noto-sans-gurmukhi-fonts
       - google-noto-sans-sinhala-vf-fonts
       - google-noto-serif-cjk-ttc-fonts
-      - grub2-common
-      - grub2-pc-modules
-      - grub2-tools
-      - grub2-tools-efi
-      - grub2-tools-extra
-      - grub2-tools-minimal
-      - grubby
+      - gpgme
+      - gpm-libs
+      - graphene
+      - graphite2
+      - gsettings-desktop-schemas
+      - gsm
+      - gsound
+      - gspell
+      - gstreamer1
       - gstreamer1-plugins-bad-free
+      - gstreamer1-plugins-base
       - gstreamer1-plugins-good
+      - gstreamer1-plugins-good-gtk
       - gstreamer1-plugins-ugly-free
+      - gtk-update-icon-cache
+      - gtk2
+      - gtk3
+      - gtk4
+      - gtkmm30
+      - gtksourceview4
+      - gutenprint
+      - gutenprint-cups
+      - gutenprint-doc
+      - gutenprint-libs
+      - gvfs
+      - gvfs-client
+      - gvfs-fuse
+      - gvfs-goa
       - gvfs-gphoto2
       - gvfs-mtp
       - gvfs-smb
-      - hostname
-      - hyperv-daemons
-      - ibus-anthy
-      - ibus-hangul
-      - ibus-libpinyin
-      - ibus-libzhuyin
-      - ibus-m17n
-      - ibus-typing-booster
-      - imsettings-systemd
-      - initial-setup-gui
-      - initscripts
+      - gzip
+      - harfbuzz
+      - harfbuzz-icu
+      - hdparm
+      - hicolor-icon-theme
+      - highcontrast-icon-theme
+      - hplip-common
+      - hplip-libs
+      - hunspell
+      - hunspell-en
+      - hunspell-en-GB
+      - hunspell-en-US
+      - hunspell-filesystem
+      - hyphen
+      - ibus
+      - ibus-gtk3
+      - ibus-libs
+      - ibus-setup
+      - iio-sensor-proxy
+      - ima-evm-utils
+      - inih
       - initscripts-rename-device
-      - iproute
-      - iproute-tc
-      - iprutils
-      - iputils
-      - irqbalance
-      - iwl100-firmware
-      - iwl1000-firmware
-      - iwl105-firmware
-      - iwl135-firmware
-      - iwl2000-firmware
-      - iwl2030-firmware
-      - iwl3160-firmware
-      - iwl5000-firmware
-      - iwl5150-firmware
-      - iwl6000g2a-firmware
-      - iwl6000g2b-firmware
-      - iwl6050-firmware
-      - iwl7260-firmware
+      - initscripts-service
+      - iso-codes
+      - jansson
+      - jbig2dec-libs
+      - jbigkit-libs
       - jomolhari-fonts
+      - jose
+      - jq
+      - json-c
+      - json-glib
       - julietaula-montserrat-fonts
       - kbd
-      - kernel
-      - kernel-modules
-      - kernel-modules-extra
-      - kernel-tools
-      - kexec-tools
+      - kbd-misc
       - khmer-os-system-fonts
-      - kmod-kvdo
-      - kpatch
-      - kpatch-dnf
-      - ledmon
-      - less
+      - langpacks-core-en
+      - langpacks-core-font-en
+      - langpacks-en
+      - lcms2
+      - libICE
+      - libSM
+      - libX11
+      - libX11-common
+      - libX11-xcb
+      - libXau
+      - libXcomposite
+      - libXcursor
+      - libXdamage
+      - libXdmcp
+      - libXext
+      - libXfixes
+      - libXfont2
+      - libXft
+      - libXi
+      - libXinerama
+      - libXmu
+      - libXpm
+      - libXrandr
+      - libXrender
+      - libXres
+      - libXt
+      - libXtst
+      - libXv
+      - libXxf86dga
+      - libXxf86vm
+      - libappstream-glib
+      - liberation-fonts-common
       - liberation-mono-fonts
       - liberation-sans-fonts
       - liberation-serif-fonts
       - libertas-sd8787-firmware
-      - libstoragemgmt
-      - libsysfs
-      - lightdm
-      - linux-firmware
-      - logrotate
+      - libglvnd-gles
+      - libglvnd-glx
+      - libglvnd-opengl
+      - libgnomekbd
+      - libgomp
+      - libgphoto2
+      - lockdev
       - lohit-assamese-fonts
       - lohit-bengali-fonts
       - lohit-devanagari-fonts
@@ -175,136 +286,160 @@ desktop_packages:
       - lohit-telugu-fonts
       - lshw
       - lsof
-      - lsscsi
-      - lvm2
-      - mailcap
-      - man-db
-      - man-pages
-      - mcelog
-      - mdadm
-      - memtest86+
-      - metacity
+      - mesa-dri-drivers
+      - mesa-filesystem
+      - mesa-libEGL
+      - mesa-libGL
+      - mesa-libgbm
+      - mesa-libglapi
+      - mesa-libxatracker
+      - mesa-vulkan-drivers
       - microcode_ctl
-      - mlocate
+      - mobile-broadband-provider-info
+      - mono-devel
+      - mpfr
+      - mpg123-libs
+      - mtdev
       - mtr
-      - nano
-      - ncurses
-      - nemo-fileroller
-      - nemo-image-converter
-      - nemo-preview
+      - nautilus
+      - nautilus-extensions
       - net-tools
-      - netronome-firmware
-      - ngrep
-      - nm-connection-editor
-      - nmap-ncat
       - nvme-cli
       - open-vm-tools-desktop
-      - openssh-clients
-      - openssh-server
-      - p11-kit
-      - paktype-naskh-basic-fonts
-      - parole
-      - parted
-      - passwd
+      - oracle-backgrounds
+      - oracle-indexhtml
+      - oracle-logos
+      - pcaudiolib
       - pciutils
+      - pinentry
+      - pinentry-gnome3
       - pinfo
       - pipewire
       - pipewire-alsa
       - pipewire-gstreamer
       - pipewire-jack-audio-connection-kit
+      - pipewire-libs
       - pipewire-pulseaudio
       - pipewire-utils
+      - pixman
       - plymouth
+      - plymouth-core-libs
+      - plymouth-graphics-libs
+      - plymouth-plugin-label
+      - plymouth-plugin-two-step
+      - plymouth-scripts
+      - plymouth-system-theme
+      - plymouth-theme-spinner
       - policycoreutils
-      - powerline
-      - ppp
-      - prefixdevname
-      - procps-ng
-      - psacct
+      - policycoreutils-python-utils
       - pt-sans-fonts
-      - python3-libselinux
-      - python3-scapy
-      - qemu-guest-agent
-      - quota
-      - realmd
-      - redshift-gtk
-      - rocky-backgrounds
-      - rocky-release
-      - rootfiles
-      - rpm
-      - rpm-plugin-audit
-      - rsync
-      - rsyslog
-      - rsyslog-gnutls
-      - rsyslog-gssapi
-      - rsyslog-relp
-      - salt-minion
+      - pulseaudio-libs
+      - pulseaudio-libs-glib2
+      - pulseaudio-utils
+      - sane-airscan
+      - sane-backends
+      - sane-backends-drivers-cameras
       - sane-backends-drivers-scanners
-      - selinux-policy-targeted
-      - setroubleshoot
-      - setup
-      - sg3_utils
-      - sg3_utils-libs
-      - shadow-utils
+      - sane-backends-libs
       - sil-abyssinica-fonts
       - sil-nuosu-fonts
       - sil-padauk-fonts
-      - slick-greeter
-      - slick-greeter-cinnamon
       - smartmontools
       - smc-meera-fonts
-      - sos
+      - snappy
+      - sound-theme-freedesktop
+      - soundtouch
+      - securityonion-networkminer
+      - speech-dispatcher
+      - speech-dispatcher-espeak-ng
+      - speex
       - spice-vdagent
-      - ssldump
-      - sssd
-      - sssd-common
-      - sssd-kcm
-      - stix-fonts
-      - strace
-      - sudo
+      - switcheroo-control
       - symlinks
-      - syslinux
-      - systemd
-      - systemd-udev
-      - tar
+      - system-config-printer-libs
+      - system-config-printer-udev
+      - taglib
       - tcpdump
       - tcpflow
-      - teamd
+      - thai-scalable-fonts-common
       - thai-scalable-waree-fonts
-      - time
-      - tmux
-      - tmux-powerline
-      - transmission
+      - totem
+      - totem-pl-parser
+      - totem-video-thumbnailer
+      - tpm2-tools
+      - tpm2-tss
+      - tracer-common
+      - tracker
+      - tracker-miners
       - tree
       - tuned
+      - twolame-libs
+      - tzdata
+      - udisks2
+      - udisks2-iscsi
+      - udisks2-lvm2
       - unzip
+      - upower
+      - urw-base35-bookman-fonts
+      - urw-base35-c059-fonts
+      - urw-base35-d050000l-fonts
+      - urw-base35-fonts
+      - urw-base35-fonts-common
+      - urw-base35-gothic-fonts
+      - urw-base35-nimbus-mono-ps-fonts
+      - urw-base35-nimbus-roman-fonts
+      - urw-base35-nimbus-sans-fonts
+      - urw-base35-p052-fonts
+      - urw-base35-standard-symbols-ps-fonts
+      - urw-base35-z003-fonts
       - usb_modeswitch
+      - usb_modeswitch-data
       - usbutils
-      - util-linux
-      - util-linux-user
+      - usermode
+      - userspace-rcu
       - vdo
-      - vim-enhanced
-      - vim-minimal
-      - vim-powerline
-      - virt-what
-      - wget
+      - vulkan-loader
+      - wavpack
+      - webkit2gtk3
+      - webkit2gtk3-jsc
+      - webrtc-audio-processing
       - whois
-      - which
+      - wireless-regdb
       - wireplumber
+      - wireplumber-libs
       - wireshark
+      - woff2
       - words
+      - wpa_supplicant
+      - wpebackend-fdo
+      - xdg-dbus-proxy
+      - xdg-desktop-portal
+      - xdg-desktop-portal-gnome
+      - xdg-desktop-portal-gtk
+      - xdg-user-dirs
       - xdg-user-dirs-gtk
-      - xed
-      - xfsdump
-      - xfsprogs
-      - xreader
-      - yum
+      - xdg-utils
+      - xkeyboard-config
+      - xorg-x11-drv-evdev
+      - xorg-x11-drv-fbdev
+      - xorg-x11-drv-libinput
+      - xorg-x11-drv-vmware
+      - xorg-x11-drv-wacom
+      - xorg-x11-drv-wacom-serial-support
+      - xorg-x11-server-Xorg
+      - xorg-x11-server-Xwayland
+      - xorg-x11-server-common
+      - xorg-x11-server-utils
+      - xorg-x11-utils
+      - xorg-x11-xauth
+      - xorg-x11-xinit
+      - xorg-x11-xinit-session
       - zip
 
 {% else %}
 
 desktop_packages_os_fail:
   test.fail_without_changes:
-    - comment: 'SO desktop can only be installed on Rocky'
+    - comment: 'SO desktop can only be installed on Oracle Linux'
 
 {% endif %}

salt/desktop/remove_gui.sls

@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 
 remove_graphical_target:
   file.symlink:
@@ -12,6 +12,6 @@ remove_graphical_target:
 {% else %}
 desktop_trusted-ca_os_fail:
   test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 
 {% endif %}

salt/desktop/scripts/convert-gnome-classic.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+echo "Setting default session to gnome-classic"
+cp /usr/share/accountsservice/user-templates/standard /etc/accountsservice/user-templates/
+sed -i 's|Session=gnome|Session=gnome-classic|g' /etc/accountsservice/user-templates/standard

salt/desktop/trusted-ca.sls

@@ -1,7 +1,7 @@
  {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 
   {% set global_ca_text = [] %}
   {% set global_ca_server = [] %}

salt/desktop/xwindows.sls

@@ -1,7 +1,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
 {# we only want this state to run it is CentOS #}
-{% if GLOBALS.os == 'Rocky' %}
+{% if GLOBALS.os == 'OEL' %}
 
 include:
   - desktop.packages
@@ -14,10 +14,31 @@ graphical_target:
     - require:
       - desktop_packages
 
+convert_gnome_classic:
+  cmd.script:
+    - name: salt://desktop/scripts/convert-gnome-classic.sh
+
+{%   for username in salt['file.find'](path='/home/',mindepth=1,maxdepth=1,type='d') %}
+{%     set username = username.split('/')[2] %}
+{%     if username != 'zeek' %}
+{%       if not salt['file.file_exists']('/var/lib/AccountsService/users/' ~ username) %}
+
+{{username}}_session:
+  file.managed:
+    - name: /var/lib/AccountsService/users/{{username}}
+    - source: salt://desktop/files/session.jinja
+    - template: jinja
+    - defaults:
+        USERNAME: {{username}}
+
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+
 {% else %}
 
 desktop_xwindows_os_fail:
   test.fail_without_changes:
-    - comment: 'SO Desktop can only be installed on Rocky'
+    - comment: 'SO Desktop can only be installed on Oracle Linux'
 
 {% endif %}

salt/docker/defaults.yaml

@@ -1,8 +1,6 @@
 docker:
-  bip: '172.17.0.1'
-  range: '172.17.0.0/24'
-  sorange: '172.17.1.0/24'
-  sobip: '172.17.1.1'
+  range: '172.17.1.0/24'
+  gateway: '172.17.1.1'
   containers:
     'so-dockerregistry':
       final_octet: 20

salt/docker/docker.map.jinja

@@ -1,6 +1,6 @@
 {% import_yaml 'docker/defaults.yaml' as DOCKERDEFAULTS %}
 {% set DOCKER = salt['pillar.get']('docker', DOCKERDEFAULTS.docker, merge=True) %}
-{% set RANGESPLIT = DOCKER.sorange.split('.') %}
+{% set RANGESPLIT = DOCKER.range.split('.') %}
 {% set FIRSTTHREE = RANGESPLIT[0] ~ '.' ~ RANGESPLIT[1] ~ '.' ~ RANGESPLIT[2] ~ '.' %}
 
 {% for container, vals in DOCKER.containers.items() %}

salt/docker/init.sls

@@ -12,7 +12,28 @@ dockergroup:
     - name: docker
     - gid: 920
 
-{% if GLOBALS.os == 'Ubuntu' %}
+{% if GLOBALS.os_family == 'Debian' %}
+{%    if grains.oscodename == 'bookworm' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.6.21-1
+      - docker-ce: 5:24.0.3-1~debian.12~bookworm
+      - docker-ce-cli: 5:24.0.3-1~debian.12~bookworm
+      - docker-ce-rootless-extras: 5:24.0.3-1~debian.12~bookworm
+    - hold: True
+    - update_holds: True
+{%    elif grains.oscodename == 'jammy' %}
+dockerheldpackages:
+  pkg.installed:
+    - pkgs:
+      - containerd.io: 1.6.21-1
+      - docker-ce: 5:24.0.2-1~ubuntu.22.04~jammy
+      - docker-ce-cli: 5:24.0.2-1~ubuntu.22.04~jammy
+      - docker-ce-rootless-extras: 5:24.0.2-1~ubuntu.22.04~jammy
+    - hold: True
+    - update_holds: True
+{%    else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
@@ -22,14 +43,15 @@ dockerheldpackages:
       - docker-ce-rootless-extras: 5:20.10.5~3-0~ubuntu-focal
     - hold: True
     - update_holds: True
+{% endif %}
 {% else %}
 dockerheldpackages:
   pkg.installed:
     - pkgs:
       - containerd.io: 1.6.21-3.1.el9
-      - docker-ce: 24.0.2-1.el9
-      - docker-ce-cli: 24.0.2-1.el9
-      - docker-ce-rootless-extras: 24.0.2-1.el9
+      - docker-ce: 24.0.4-1.el9
+      - docker-ce-cli: 24.0.4-1.el9
+      - docker-ce-rootless-extras: 24.0.4-1.el9
     - hold: True
     - update_holds: True
 {% endif %}
@@ -80,8 +102,8 @@ dockerreserveports:
 sos_docker_net:
   docker_network.present:
     - name: sobridge
-    - subnet: {{ DOCKER.sorange }}
-    - gateway: {{ DOCKER.sobip }}
+    - subnet: {{ DOCKER.range }}
+    - gateway: {{ DOCKER.gateway }}
     - options:
         com.docker.network.bridge.name: 'sobridge'
         com.docker.network.driver.mtu: '1500'

salt/docker/soc_docker.yaml

@@ -1,20 +1,12 @@
 docker:
-  bip:
-    description: Bind IP for the default docker interface.
+  gateway:
+    description: Gateway for the default docker interface.
     helpLink: docker.html
     advanced: True
   range:
     description: Default docker IP range for containers.
     helpLink: docker.html
     advanced: True
-  sobip:
-    description: Bind IP for the SO docker interface.
-    helpLink: docker.html
-    advanced: True
-  sorange:
-    description: IP range for the SO docker containers.
-    helpLink: docker.html
-    advanced: True
   containers:
     so-curator: &dockerOptions
       final_octet:

salt/elasticagent/config.sls

@@ -28,6 +28,22 @@ elasticagentconfdir:
     - group: 939
     - makedirs: True
 
+elasticagentlogdir:
+   file.directory:
+     - name: /opt/so/log/elasticagent
+     - user: 949
+     - group: 939
+     - makedirs: True
+
+elasticagent_sbin_jinja:
+  file.recurse:
+    - name: /usr/sbin
+    - source: salt://elasticagent/tools/sbin_jinja
+    - user: 949
+    - group: 939
+    - file_mode: 755
+    - template: jinja
+
 # Create config
 create-elastic-agent-config:
   file.managed:
@@ -37,7 +53,6 @@ create-elastic-agent-config:
     - group: 939
     - template: jinja
 
-
 {% else %}
 
 {{sls}}_state_not_allowed:

salt/elasticagent/enabled.sls

@@ -33,19 +33,27 @@ so-elastic-agent:
         {% endif %}
     - binds:
       - /opt/so/conf/elastic-agent/elastic-agent.yml:/usr/share/elastic-agent/elastic-agent.yml:ro
+      - /opt/so/log/elasticagent:/usr/share/elastic-agent/logs
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro 
       - /nsm:/nsm:ro
+      - /opt/so/log:/opt/so/log:ro
      {% if DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-elastic-agent'].custom_bind_mounts %}
       - {{ BIND }}
         {% endfor %}
       {% endif %}
-      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
     - environment:
+      - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      - LOGS_PATH=logs
+      {% if DOCKER.containers['so-elastic-agent'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elastic-agent'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
-
+    - require:
+      - file: create-elastic-agent-config
+    - watch:
+      - file: create-elastic-agent-config
 
 delete_so-elastic-agent_so-status.disabled:
   file.uncomment:

salt/elasticagent/files/elastic-agent.yml.jinja

@@ -3,7 +3,7 @@
 {%- set ES_PASS = salt['pillar.get']('elasticsearch:auth:users:so_elastic_user:pass', '') %}
 
 id: aea1ba80-1065-11ee-a369-97538913b6a9
-revision: 2
+revision: 1
 outputs:
   default:
     type: elasticsearch
@@ -11,7 +11,7 @@ outputs:
       - 'https://{{ GLOBALS.hostname }}:9200'
     username: '{{ ES_USER }}'
     password: '{{ ES_PASS }}'
-    ssl.verification_mode: none
+    ssl.verification_mode: full
 output_permissions: {}
 agent:
   download:
@@ -22,9 +22,9 @@ agent:
     metrics: false
   features: {}
 inputs:
-  - id: logfile-logs-80ffa884-2cfc-459a-964a-34df25714d85
-    name: suricata-logs
-    revision: 1
+  - id: logfile-logs-fefef78c-422f-4cfa-8abf-4cd1b9428f62
+    name: import-evtx-logs
+    revision: 2
     type: logfile
     use_output: default
     meta:
@@ -33,23 +33,336 @@ inputs:
         version:
     data_stream:
       namespace: so
-    package_policy_id: 80ffa884-2cfc-459a-964a-34df25714d85
+    package_policy_id: fefef78c-422f-4cfa-8abf-4cd1b9428f62
     streams:
-      - id: logfile-log.log-80ffa884-2cfc-459a-964a-34df25714d85
+      - id: logfile-log.log-fefef78c-422f-4cfa-8abf-4cd1b9428f62
+        data_stream:
+          dataset: import
+        paths:
+          - /nsm/import/*/evtx/*.json
+        processors:
+          - dissect:
+              field: log.file.path
+              tokenizer: '/nsm/import/%{import.id}/evtx/%{import.file}'
+              target_prefix: ''
+          - decode_json_fields:
+              fields:
+                - message
+              target: ''
+          - drop_fields:
+              ignore_missing: true
+              fields:
+                - host
+          - add_fields:
+              fields:
+                dataset: system.security
+                type: logs
+                namespace: default
+              target: data_stream
+          - add_fields:
+              fields:
+                dataset: system.security
+                module: system
+                imported: true
+              target: event
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: windows.sysmon_operational
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: windows.sysmon_operational
+                    module: windows
+                    imported: true
+                  target: event
+            if:
+              equals:
+                winlog.channel: Microsoft-Windows-Sysmon/Operational
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: system.application
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: system.application
+                  target: event
+            if:
+              equals:
+                winlog.channel: Application
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: system.system
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: system.system
+                  target: event
+            if:
+              equals:
+                winlog.channel: System
+          - then:
+              - add_fields:
+                  fields:
+                    dataset: windows.powershell_operational
+                  target: data_stream
+              - add_fields:
+                  fields:
+                    dataset: windows.powershell_operational
+                    module: windows
+                  target: event
+            if:
+              equals:
+                winlog.channel: Microsoft-Windows-PowerShell/Operational
+        tags:
+          - import
+  - id: logfile-redis-fc98c947-7d17-4861-a318-7ad075f6d1b0
+    name: redis-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: redis
+        version:
+    data_stream:
+      namespace: default
+    package_policy_id: fc98c947-7d17-4861-a318-7ad075f6d1b0
+    streams:
+      - id: logfile-redis.log-fc98c947-7d17-4861-a318-7ad075f6d1b0
+        data_stream:
+          dataset: redis.log
+          type: logs
+        exclude_files:
+          - .gz$
+        paths:
+          - /opt/so/log/redis/redis.log
+        tags:
+          - redis-log
+        exclude_lines:
+          - '^\s+[\-`(''.|_]'
+  - id: logfile-logs-3b56803d-5ade-4c93-b25e-9b37182f66b8
+    name: import-suricata-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 3b56803d-5ade-4c93-b25e-9b37182f66b8
+    streams:
+      - id: logfile-log.log-3b56803d-5ade-4c93-b25e-9b37182f66b8
+        data_stream:
+          dataset: import
+        pipeline: suricata.common
+        paths:
+          - /nsm/import/*/suricata/eve*.json
+        processors:
+          - add_fields:
+              fields:
+                module: suricata
+                imported: true
+                category: network
+              target: event
+          - dissect:
+              field: log.file.path
+              tokenizer: '/nsm/import/%{import.id}/suricata/%{import.file}'
+              target_prefix: ''
+  - id: logfile-logs-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+    name: soc-server-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+    streams:
+      - id: logfile-log.log-c327e1a3-1ebe-449c-a8eb-f6f35032e69d
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/sensoroni-server.log
+        processors:
+          - decode_json_fields:
+              add_error_key: true
+              process_array: true
+              max_depth: 2
+              fields:
+                - message
+              target: soc
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: server
+                category: host
+              target: event
+          - rename:
+              ignore_missing: true
+              fields:
+                - from: soc.fields.sourceIp
+                  to: source.ip
+                - from: soc.fields.status
+                  to: http.response.status_code
+                - from: soc.fields.method
+                  to: http.request.method
+                - from: soc.fields.path
+                  to: url.path
+                - from: soc.message
+                  to: event.action
+                - from: soc.level
+                  to: log.level
+        tags:
+          - so-soc
+  - id: logfile-logs-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+    name: soc-sensoroni-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+    streams:
+      - id: logfile-log.log-906e0d4c-9ec3-4c6a-bef6-e347ec9fd073
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/sensoroni/sensoroni.log
+        processors:
+          - decode_json_fields:
+              add_error_key: true
+              process_array: true
+              max_depth: 2
+              fields:
+                - message
+              target: sensoroni
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: sensoroni
+                category: host
+              target: event
+          - rename:
+              ignore_missing: true
+              fields:
+                - from: sensoroni.fields.sourceIp
+                  to: source.ip
+                - from: sensoroni.fields.status
+                  to: http.response.status_code
+                - from: sensoroni.fields.method
+                  to: http.request.method
+                - from: sensoroni.fields.path
+                  to: url.path
+                - from: sensoroni.message
+                  to: event.action
+                - from: sensoroni.level
+                  to: log.level
+  - id: logfile-logs-df0d7f2c-221f-433b-b18b-d1cf83250515
+    name: soc-salt-relay-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: df0d7f2c-221f-433b-b18b-d1cf83250515
+    streams:
+      - id: logfile-log.log-df0d7f2c-221f-433b-b18b-d1cf83250515
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/salt-relay.log
+        processors:
+          - dissect:
+              field: message
+              tokenizer: '%{soc.ts} | %{event.action}'
+              target_prefix: ''
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: salt_relay
+                category: host
+              target: event
+        tags:
+          - so-soc
+  - id: logfile-logs-74bd2366-fe52-493c-bddc-843a017fc4d0
+    name: soc-auth-sync-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: 74bd2366-fe52-493c-bddc-843a017fc4d0
+    streams:
+      - id: logfile-log.log-74bd2366-fe52-493c-bddc-843a017fc4d0
+        data_stream:
+          dataset: soc
+        pipeline: common
+        paths:
+          - /opt/so/log/soc/sync.log
+        processors:
+          - dissect:
+              field: message
+              tokenizer: '%{event.action}'
+              target_prefix: ''
+          - add_fields:
+              fields:
+                module: soc
+                dataset_temp: auth_sync
+                category: host
+              target: event
+        tags:
+          - so-soc
+  - id: logfile-logs-d151d9bf-ff2a-4529-9520-c99244bc0253
+    name: suricata-logs
+    revision: 2
+    type: logfile
+    use_output: default
+    meta:
+      package:
+        name: log
+        version:
+    data_stream:
+      namespace: so
+    package_policy_id: d151d9bf-ff2a-4529-9520-c99244bc0253
+    streams:
+      - id: logfile-log.log-d151d9bf-ff2a-4529-9520-c99244bc0253
         data_stream:
           dataset: suricata
+        pipeline: suricata.common
         paths:
           - /nsm/suricata/eve*.json
         processors:
           - add_fields:
-              target: event
               fields:
-                category: network
                 module: suricata
-        pipeline: suricata.common
-  - id: logfile-logs-90103ac4-f6bd-4a4a-b596-952c332390fc
+                category: network
+              target: event
+  - id: logfile-logs-31f94d05-ae75-40ee-b9c5-0e0356eff327
     name: strelka-logs
-    revision: 1
+    revision: 2
     type: logfile
     use_output: default
     meta:
@@ -58,20 +371,20 @@ inputs:
         version:
     data_stream:
       namespace: so
-    package_policy_id: 90103ac4-f6bd-4a4a-b596-952c332390fc
+    package_policy_id: 31f94d05-ae75-40ee-b9c5-0e0356eff327
     streams:
-      - id: logfile-log.log-90103ac4-f6bd-4a4a-b596-952c332390fc
+      - id: logfile-log.log-31f94d05-ae75-40ee-b9c5-0e0356eff327
         data_stream:
           dataset: strelka
+        pipeline: strelka.file
         paths:
           - /nsm/strelka/log/strelka.log
         processors:
           - add_fields:
-              target: event
               fields:
-                category: file
                 module: strelka
-        pipeline: strelka.file
+                category: file
+              target: event
   - id: logfile-logs-6197fe84-9b58-4d9b-8464-3d517f28808d
     name: zeek-logs
     revision: 1

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-inspect

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
+{% else %}
+/bin/elastic-agent inspect
+{% endif %}

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-restart

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+/usr/sbin/so-stop elastic-agent $1
+/usr/sbin/so-start elasticagent $1
+{% else %}
+service elastic-agent restart
+{% endif %}

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-start

@@ -5,6 +5,13 @@
 # https://securityonion.net/license; you may not use this file except in compliance with the
 # Elastic License 2.0.
 
+
+
 . /usr/sbin/so-common
 
-/usr/sbin/so-restart elastic-agent $1
+{% if grains.role == 'so-heavynode' %}
+/usr/sbin/so-start elasticagent $1
+{% else %}
+service elastic-agent start
+{% endif %}
+

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-status

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
+{% else %}
+/bin/elastic-agent status
+{% endif %}
+

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-stop

@@ -9,4 +9,9 @@
 
 . /usr/sbin/so-common
 
+{% if grains.role == 'so-heavynode' %}
 /usr/sbin/so-stop elastic-agent $1
+{% else %}
+service elastic-agent stop
+{% endif %}
+

salt/elasticagent/tools/sbin_jinja/so-elastic-agent-version

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
+{% else %}
+/bin/elastic-agent version
+{% endif %}
+

salt/elasticfleet/config.sls

@@ -45,6 +45,13 @@ eaconfdir:
     - group: 939
     - makedirs: True
 
+ealogdir:
+  file.directory:
+    - name: /opt/so/log/elasticfleet
+    - user: 947
+    - group: 939
+    - makedirs: True
+
 eastatedir:
   file.directory:
     - name: /opt/so/conf/elastic-fleet/state

salt/elasticfleet/defaults.yaml

@@ -2,7 +2,7 @@ elasticfleet:
   enabled: False
   config:
     server:
-      custom_fqdn: ''
+      custom_fqdn: []
       enable_auto_configuration: True
       endpoints_enrollment: ''
       es_token: ''
@@ -28,7 +28,9 @@ elasticfleet:
     - aws
     - azure
     - cloudflare
+    - endpoint
     - fim
     - github
     - google_workspace
+    - log
     - 1password

salt/elasticfleet/enabled.sls

@@ -15,15 +15,27 @@
 include:
   - elasticfleet.config
   - elasticfleet.sostatus
+  - ssl
 
-{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval'] %}
+# If enabled, automatically update Fleet Logstash Outputs
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-import', 'so-eval', 'so-fleet'] %}
 so-elastic-fleet-auto-configure-logstash-outputs:
   cmd.run:
     - name: /usr/sbin/so-elastic-fleet-outputs-update
+{% endif %}
 
-#so-elastic-fleet-auto-configure-server-urls:
-#  cmd.run:
-#    - name: /usr/sbin/so-elastic-fleet-urls-update
+# If enabled, automatically update Fleet Server URLs & ES Connection
+{% if ELASTICFLEETMERGED.config.server.enable_auto_configuration and grains.role not in ['so-fleet'] %}
+so-elastic-fleet-auto-configure-server-urls:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-urls-update
+{% endif %}
+
+# Automatically update Fleet Server Elasticsearch URLs
+{% if grains.role not in ['so-fleet'] %}
+so-elastic-fleet-auto-configure-elasticsearch-urls:
+  cmd.run:
+    - name: /usr/sbin/so-elastic-fleet-es-url-update
 {% endif %}
 
 {%   if SERVICETOKEN != '' %}
@@ -50,8 +62,15 @@ so-elastic-fleet:
       - {{ BINDING }}
       {% endfor %}
     - binds:
-      - /etc/pki:/etc/pki:ro
-      #- /opt/so/conf/elastic-fleet/state:/usr/share/elastic-agent/state:rw
+      - /etc/pki/elasticfleet-server.crt:/etc/pki/elasticfleet-server.crt:ro
+      - /etc/pki/elasticfleet-server.key:/etc/pki/elasticfleet-server.key:ro
+      - /etc/pki/tls/certs/intca.crt:/etc/pki/tls/certs/intca.crt:ro
+      {% if GLOBALS.os_family == 'Debian' %}
+      - /etc/ssl/elasticfleet-server.crt:/etc/ssl/elasticfleet-server.crt:ro
+      - /etc/ssl/elasticfleet-server.key:/etc/ssl/elasticfleet-server.key:ro
+      - /etc/ssl/tls/certs/intca.crt:/etc/ssl/tls/certs/intca.crt:ro
+      {% endif %}
+      - /opt/so/log/elasticfleet:/usr/share/elastic-agent/logs 
      {% if DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
         {% for BIND in DOCKER.containers['so-elastic-fleet'].custom_bind_mounts %}
       - {{ BIND }}
@@ -59,19 +78,28 @@ so-elastic-fleet:
       {% endif %}      
     - environment:
       - FLEET_SERVER_ENABLE=true
-      - FLEET_URL=https://{{ GLOBALS.node_ip }}:8220
+      - FLEET_URL=https://{{ GLOBALS.hostname }}:8220
       - FLEET_SERVER_ELASTICSEARCH_HOST=https://{{ GLOBALS.manager }}:9200
       - FLEET_SERVER_SERVICE_TOKEN={{ SERVICETOKEN }}
       - FLEET_SERVER_POLICY_ID=FleetServer_{{ GLOBALS.hostname }}
-      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
       - FLEET_SERVER_CERT=/etc/pki/elasticfleet-server.crt
       - FLEET_SERVER_CERT_KEY=/etc/pki/elasticfleet-server.key
+      {% if GLOBALS.os_family == 'Debian' %}
+      - FLEET_CA=/etc/ssl/certs/intca.crt     
+      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/ssl/certs/intca.crt
+      {% else %}
       - FLEET_CA=/etc/pki/tls/certs/intca.crt
+      - FLEET_SERVER_ELASTICSEARCH_CA=/etc/pki/tls/certs/intca.crt
+      {% endif %}
+      - LOGS_PATH=logs
       {% if DOCKER.containers['so-elastic-fleet'].extra_env %}
         {% for XTRAENV in DOCKER.containers['so-elastic-fleet'].extra_env %}
       - {{ XTRAENV }}
         {% endfor %}
       {% endif %}
+    - watch:
+      - x509: etc_elasticfleet_key
+      - x509: etc_elasticfleet_crt
 {%   endif %}
 
 {%  if GLOBALS.role != "so-fleet" %}

salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/import-zeek-logs.json

@@ -13,7 +13,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations-dynamic/grid-nodes_general/zeek-logs.json

@@ -14,7 +14,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/endpoints-initial/elastic-defend-endpoints.json

@@ -5,17 +5,16 @@
 	"package": {
 		"name": "endpoint",
 		"title": "Elastic Defend",
-		"version": ""
+		"version": "8.8.0"
 	},
 	"enabled": true,
 	"policy_id": "endpoints-initial",
-	"vars": {},
 	"inputs": [{
-		"type": "endpoint",
+		"type": "ENDPOINT_INTEGRATION_CONFIG",
 		"enabled": true,
 		"streams": [],
 		"config": {
-			"integration_config": {
+			"_config": {
 				"value": {
 					"type": "endpoint",
 					"endpointConfig": {

salt/elasticfleet/files/integrations/endpoints-initial/system-endpoints.json

@@ -13,9 +13,14 @@
         "system.auth": {
           "enabled": true,
           "vars": {
+            "ignore_older": "72h",
             "paths": [
               "/var/log/auth.log*",
               "/var/log/secure*"
+            ],
+            "preserve_original_event": false,
+            "tags": [
+              "system-auth"
             ]
           }
         },
@@ -24,34 +29,49 @@
           "vars": {
             "paths": [
               "/var/log/messages*",
-              "/var/log/syslog*"
-            ]
+              "/var/log/syslog*",
+              "/var/log/system*"
+            ],
+            "tags": [],
+            "ignore_older": "72h"
           }
         }
       }
     },
     "system-winlog": {
       "enabled": true,
-      "vars": {
-        "preserve_original_event": false
-      },
       "streams": {
         "system.application": {
           "enabled": true,
           "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
             "tags": []
           }
         },
         "system.security": {
           "enabled": true,
           "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
+            "tags": []
+          }
+        },
+        "system.system": {
+          "enabled": true,
+          "vars": {
+            "preserve_original_event": false,
+            "ignore_older": "72h",
+            "language": 0,
             "tags": []
           }
         }
-        }
-      },
-      "system-system/metrics": {
-        "enabled": false
+      }
+    },
+    "system-system/metrics": {
+      "enabled": false
     }
   }
 }

salt/elasticfleet/files/integrations/grid-nodes_general/idh-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/import-evtx-logs.json

@@ -12,7 +12,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/import-suricata-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/kratos-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/soc-auth-sync-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/soc-salt-relay-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/soc-sensoroni-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/soc-server-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/strelka-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_general/suricata-logs.json

@@ -11,7 +11,7 @@
     "logs-logfile": {
       "enabled": true,
       "streams": {
-        "log.log": {
+        "log.logs": {
           "enabled": true,
           "vars": {
             "paths": [

salt/elasticfleet/files/integrations/grid-nodes_heavy/elasticsearch-logs.json

@@ -1,106 +0,0 @@
-{
-  "package": {
-    "name": "elasticsearch",
-    "version": ""
-  },
-  "name": "elasticsearch-logs",
-  "namespace": "default",
-  "description": "Elasticsearch Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "elasticsearch-logfile": {
-      "enabled": true,
-      "streams": {
-        "elasticsearch.audit": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_audit.json"
-            ]
-          }
-        },
-        "elasticsearch.deprecation": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_deprecation.json"
-            ]
-          }
-        },
-        "elasticsearch.gc": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/gc.log.[0-9]*",
-              "/var/log/elasticsearch/gc.log"
-            ]
-          }
-        },
-        "elasticsearch.server": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/elasticsearch/*.log"
-            ]
-          }
-        },
-        "elasticsearch.slowlog": {
-          "enabled": false,
-          "vars": {
-            "paths": [
-              "/var/log/elasticsearch/*_index_search_slowlog.json",
-              "/var/log/elasticsearch/*_index_indexing_slowlog.json"
-            ]
-          }
-        }
-      }
-    },
-    "elasticsearch-elasticsearch/metrics": {
-      "enabled": false,
-      "vars": {
-        "hosts": [
-          "http://localhost:9200"
-        ],
-        "scope": "node"
-      },
-      "streams": {
-        "elasticsearch.stack_monitoring.ccr": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.cluster_stats": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.enrich": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.index": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.index_recovery": {
-          "enabled": false,
-          "vars": {
-            "active.only": true
-          }
-        },
-        "elasticsearch.stack_monitoring.index_summary": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.ml_job": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.node": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.node_stats": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.pending_tasks": {
-          "enabled": false
-        },
-        "elasticsearch.stack_monitoring.shard": {
-          "enabled": false
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/kratos-logs.json

@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "kratos-logs",
-  "namespace": "so",
-  "description": "Kratos logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/kratos/kratos.log"
-            ],
-            "data_stream.dataset": "kratos",
-            "tags": ["so-kratos"],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"\"\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: iam\n      module: kratos",
-            "custom": "pipeline: kratos"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/osquery-grid-nodes.json

@@ -3,7 +3,7 @@
     "name": "osquery_manager",
     "version": ""
   },
-  "name": "osquery-grid-nodes",
+  "name": "osquery-grid-nodes_heavy",
   "namespace": "default",
   "policy_id": "so-grid-nodes_heavy",
   "inputs": {

salt/elasticfleet/files/integrations/grid-nodes_heavy/redis-logs.json

@@ -1,76 +0,0 @@
-{
-  "package": {
-    "name": "redis",
-    "version": ""
-  },
-  "name": "redis-logs",
-  "namespace": "default",
-  "description": "Redis logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "redis-logfile": {
-      "enabled": true,
-      "streams": {
-        "redis.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/redis/redis.log"
-            ],
-            "tags": [
-              "redis-log"
-            ],
-            "preserve_original_event": false
-          }
-        }
-      }
-    },
-    "redis-redis": {
-      "enabled": false,
-      "streams": {
-        "redis.slowlog": {
-          "enabled": false,
-          "vars": {
-            "hosts": [
-              "127.0.0.1:6379"
-            ],
-            "password": ""
-          }
-        }
-      }
-    },
-    "redis-redis/metrics": {
-      "enabled": false,
-      "vars": {
-        "hosts": [
-          "127.0.0.1:6379"
-        ],
-        "idle_timeout": "20s",
-        "maxconn": 10,
-        "network": "tcp",
-        "password": ""
-      },
-      "streams": {
-        "redis.info": {
-          "enabled": false,
-          "vars": {
-            "period": "10s"
-          }
-        },
-        "redis.key": {
-          "enabled": false,
-          "vars": {
-            "key.patterns": "- limit: 20\n  pattern: *\n",
-            "period": "10s"
-          }
-        },
-        "redis.keyspace": {
-          "enabled": false,
-          "vars": {
-            "period": "10s"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-auth-sync-logs.json

@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-auth-sync-logs",
-  "namespace": "so",
-  "description": "Security Onion - Elastic Auth Sync - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/sync.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- dissect:\n    tokenizer: \"%{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: auth_sync",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-salt-relay-logs.json

@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-salt-relay-logs",
-  "namespace": "so",
-  "description": "Security Onion - Salt Relay - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/salt-relay.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- dissect:\n    tokenizer: \"%{soc.ts} | %{event.action}\"\n    field: \"message\"\n    target_prefix: \"\"\n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: salt_relay",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-sensoroni-logs.json

@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-sensoroni-logs",
-  "namespace": "so",
-  "description": "Security Onion - Sensoroni - Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/sensoroni/sensoroni.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": [],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"sensoroni\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: sensoroni\n- rename:\n    fields:\n      - from: \"sensoroni.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"sensoroni.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"sensoroni.fields.method\"\n        to: \"http.request.method\"\n      - from: \"sensoroni.fields.path\"\n        to: \"url.path\"\n      - from: \"sensoroni.message\"\n        to: \"event.action\"\n      - from: \"sensoroni.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/soc-server-logs.json

@@ -1,29 +0,0 @@
-{
-  "package": {
-    "name": "log",
-    "version": ""
-  },
-  "name": "soc-server-logs",
-  "namespace": "so",
-  "description": "Security Onion Console Logs",
-  "policy_id": "so-grid-nodes_heavy",
-  "inputs": {
-    "logs-logfile": {
-      "enabled": true,
-      "streams": {
-        "log.log": {
-          "enabled": true,
-          "vars": {
-            "paths": [
-              "/opt/so/log/soc/sensoroni-server.log"
-            ],
-            "data_stream.dataset": "soc",
-            "tags": ["so-soc"],
-            "processors": "- decode_json_fields:\n    fields: [\"message\"]\n    target: \"soc\"\n    process_array: true\n    max_depth: 2\n    add_error_key: true      \n- add_fields:\n    target: event\n    fields:\n      category: host\n      module: soc\n      dataset_temp: server\n- rename:\n    fields:\n      - from: \"soc.fields.sourceIp\"\n        to: \"source.ip\"\n      - from: \"soc.fields.status\"\n        to: \"http.response.status_code\"\n      - from: \"soc.fields.method\"\n        to: \"http.request.method\"\n      - from: \"soc.fields.path\"\n        to: \"url.path\"\n      - from: \"soc.message\"\n        to: \"event.action\"\n      - from: \"soc.level\"\n        to: \"log.level\"\n    ignore_missing: true",
-            "custom": "pipeline: common"
-          }
-        }
-      }
-    }
-  }
-}

salt/elasticfleet/files/integrations/grid-nodes_heavy/system-grid-nodes.json

@@ -4,7 +4,7 @@
     "name": "system",
     "version": ""
   },
-  "name": "system-grid-nodes",
+  "name": "system-grid-nodes_heavy",
   "namespace": "default",
   "inputs": {
     "system-logfile": {

salt/elasticfleet/install_agent_grid.sls

@@ -14,12 +14,14 @@ run_installer:
     - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
     - cwd: /opt/so
     - args: -token={{ GRIDNODETOKENGENERAL }}
+    - retry: True
 {% else %} 
 run_installer:
   cmd.script:
     - name: salt://elasticfleet/files/so_agent-installers/so-elastic-agent_linux_amd64
     - cwd: /opt/so
     - args: -token={{ GRIDNODETOKENHEAVY }}
+    - retry: True
 {% endif %}  
 
 {% endif %}

salt/elasticfleet/soc_elasticfleet.yaml

@@ -12,10 +12,11 @@ elasticfleet:
   config:
     server:
       custom_fqdn:
-        description: Custom FQDN for Agents to connect to.
+        description: Custom FQDN for Agents to connect to. One per line.
         global: True
         helpLink: elastic-fleet.html
         advanced: True
+        forcedType: "[]string"
       enable_auto_configuration:
         description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
         global: True

salt/elasticfleet/tools/sbin/so-elastic-fleet-integration-policy-load

@@ -15,10 +15,8 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
     printf "\n\nInitial Endpoints Policy - Loading $INTEGRATION\n"
     elastic_fleet_integration_check "endpoints-initial" "$INTEGRATION"
     if [ -n "$INTEGRATION_ID" ]; then
-      if [ "$NAME" != "elastic-defend-endpoints" ]; then
-        printf "\n\nIntegration $NAME exists - Updating integration\n"
-        elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
-      fi
+      printf "\n\nIntegration $NAME exists - Updating integration\n"
+      elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
       elastic_fleet_integration_create "@$INTEGRATION"
@@ -35,9 +33,7 @@ if [ ! -f /opt/so/state/eaintegrations.txt ]; then
       elastic_fleet_integration_update "$INTEGRATION_ID" "@$INTEGRATION"
     else
       printf "\n\nIntegration does not exist - Creating integration\n"
-      if [ "$NAME" != "elasticsearch-logs" ]; then
-        elastic_fleet_integration_create "@$INTEGRATION"
-      fi
+      elastic_fleet_integration_create "@$INTEGRATION"
     fi
   done
   if [[ "$RETURN_CODE" != "1" ]]; then

salt/elasticfleet/tools/sbin/so-elastic-fleet-package-list

@@ -0,0 +1,15 @@
+#!/bin/bash
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+. /usr/sbin/so-elastic-fleet-common
+
+# Let's snag a cookie from Kibana
+SESSIONCOOKIE=$(curl -s -K /opt/so/conf/elasticsearch/curl.config -c - -X GET http://localhost:5601/ | grep sid | awk '{print $7}')
+
+# List configured package policies
+curl -s -K /opt/so/conf/elasticsearch/curl.config -b "sid=$SESSIONCOOKIE" -L -X GET "localhost:5601/api/fleet/epm/packages" -H 'kbn-xsrf: true' | jq
+
+echo

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-gen-installers

@@ -11,6 +11,12 @@
 . /usr/sbin/so-common
 . /usr/sbin/so-elastic-fleet-common
 
+LOG="/opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log"
+
+# Check to see if we are already running
+NUM_RUNNING=$(pgrep -cf "/bin/bash /sbin/so-elastic-agent-gen-installers")
+[ "$NUM_RUNNING" -gt 1 ] && echo "$(date) - $NUM_RUNNING gen installers script processes running...exiting." >>$LOG && exit 0
+
 for i in {1..30}
 do
    ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json'  | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-inspect

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent inspect
+{% else %}
+/bin/elastic-agent inspect
+{% endif %}

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-restart

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent restart
+{% else %}
+service elastic-agent restart
+{% endif %}

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-start

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent start
+{% else %}
+service elastic-agent start
+{% endif %}
+

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-status

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent status
+{% else %}
+/bin/elastic-agent status
+{% endif %}
+

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-stop

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent service elastic-agent stop
+{% else %}
+service elastic-agent stop
+{% endif %}
+

salt/elasticfleet/tools/sbin_jinja/so-elastic-agent-version

@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at 
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+
+
+. /usr/sbin/so-elastic-fleet-common
+
+{% if grains.role == 'so-heavynode' %}
+docker exec so-elastic-agent /usr/share/elastic-agent/elastic-agent version
+{% else %}
+/bin/elastic-agent version
+{% endif %}
+

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-es-url-update

@@ -0,0 +1,53 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
+
+function update_es_urls() {
+	# Generate updated JSON payload
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"so-manager_elasticsearch","type":"elasticsearch","hosts": $UPDATEDLIST,"is_default":false,"is_default_monitoring":false,"config_yaml":""}')
+
+    # Update Fleet Elasticsearch URLs
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/outputs/so-manager_elasticsearch" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+# Get current list of Fleet Elasticsearch URLs
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/outputs/so-manager_elasticsearch')
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
+if [ "$CHECKSUM" != "so-manager_elasticsearch" ]; then
+ printf "Failed to query for current Fleet Server Elasticsearch URLs..."
+ exit 1
+fi
+
+# Get the current list of Fleet Server Elasticsearch & hash them
+CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
+CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
+
+# Create array & add initial elements
+NEW_LIST=("https://{{ GLOBALS.hostname }}:9200")
+
+
+# Sort & hash the new list of Fleet Elasticsearch URLs
+NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
+NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
+
+# Compare the current & new list of URLs - if different, update the Fleet Elasticsearch URLs
+if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
+    printf "\nHashes match - no update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    exit 0
+else
+    printf "\nHashes don't match - update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    update_es_urls
+fi

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-outputs-update

@@ -2,7 +2,15 @@
 # or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
-{% set CUSTOMFQDN = salt['pillar.get']('elasticfleet:config:server:custom_fqdn') %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
 
 function update_logstash_outputs() {
 	# Generate updated JSON payload
@@ -27,15 +35,20 @@ CURRENT_LIST=$(jq -c -r '.item.hosts' <<<  "$RAW_JSON")
 CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
 
 # Create array & add initial elements
-if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
     NEW_LIST=("{{ GLOBALS.url_base }}:5055")
 else
-    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.manager_ip }}:5055")
+    NEW_LIST=("{{ GLOBALS.url_base }}:5055" "{{ GLOBALS.hostname }}:5055")
 fi
 
-{% if CUSTOMFQDN != "" %}
-# Add Custom Hostname to list
-NEW_LIST+=("{{ CUSTOMFQDN }}:5055")
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("$CUSTOMNAME:5055")
+done
 {% endif %}
 
 # Query for the current Grid Nodes that are running Logstash

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-setup

@@ -6,6 +6,12 @@
 # this file except in compliance with the Elastic License 2.0.
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 
+{% if GLOBALS.os_family == 'Debian' %}
+INTCA=/etc/ssl/certs/intca.crt
+{% else %}
+INTCA=/etc/pki/tls/certs/intca.crt
+{% endif %}
+
 . /usr/sbin/so-elastic-fleet-common
 
 printf "\n### Create ES Token ###\n"
@@ -13,7 +19,7 @@ ESTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5
 
 ### Create Outputs & Fleet URLs ###
 printf "\nAdd Manager Elasticsearch Output...\n"
-ESCACRT=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
+ESCACRT=$(openssl x509 -in  $INTCA)
 JSON_STRING=$( jq -n \
                   --arg ESCACRT "$ESCACRT" \
                   '{"name":"so-manager_elasticsearch","id":"so-manager_elasticsearch","type":"elasticsearch","hosts":["https://{{ GLOBALS.manager_ip }}:9200","https://{{ GLOBALS.manager }}:9200"],"is_default":true,"is_default_monitoring":true,"config_yaml":"","ssl":{"certificate_authorities": [$ESCACRT]}}' )
@@ -22,9 +28,9 @@ printf "\n\n"
 
 printf "\nCreate Logstash Output Config if node is not an Import or Eval install\n"
 {% if grains.role not in ['so-import', 'so-eval'] %}
-LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-agent.crt)
-LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-agent.key)
-LOGSTASHCA=$(openssl x509 -in  /etc/pki/tls/certs/intca.crt)
+LOGSTASHCRT=$(openssl x509 -in /etc/pki/elasticfleet-logstash.crt)
+LOGSTASHKEY=$(openssl rsa -in  /etc/pki/elasticfleet-logstash.key)
+LOGSTASHCA=$(openssl x509 -in  $INTCA)
 JSON_STRING=$( jq -n \
                   --arg LOGSTASHCRT "$LOGSTASHCRT" \
                   --arg LOGSTASHKEY "$LOGSTASHKEY" \
@@ -35,12 +41,12 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
 printf "\n\n"
 {%- endif %}
 
-# Add Manager IP & URL Base to Fleet Host URLs
+# Add Manager Hostname & URL Base to Fleet Host URLs
 printf "\nAdd SO-Manager Fleet URL\n"
-if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
     JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
 else
-    JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
+    JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.hostname }}:8220"]}')
 fi
 
 ## This array replaces whatever URLs are currently configured

salt/elasticfleet/tools/sbin_jinja/so-elastic-fleet-urls-update

@@ -0,0 +1,80 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0; you may not use
+# this file except in compliance with the Elastic License 2.0.
+{% from 'vars/globals.map.jinja' import GLOBALS %}
+{% from 'elasticfleet/map.jinja' import ELASTICFLEETMERGED %}
+
+. /usr/sbin/so-common
+
+# Only run on Managers
+if ! is_manager_node; then
+    printf "Not a Manager Node... Exiting"
+    exit 0
+fi
+
+function update_fleet_urls() {
+	# Generate updated JSON payload
+    JSON_STRING=$(jq -n --arg UPDATEDLIST $NEW_LIST_JSON '{"name":"grid-default","is_default":true,"host_urls": $UPDATEDLIST}')
+
+    # Update Fleet Server URLs
+    curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/fleet_server_hosts/grid-default" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
+}
+
+# Get current list of Fleet Server URLs
+RAW_JSON=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default')
+
+# Check to make sure that the server responded with good data - else, bail from script
+CHECKSUM=$(jq -r '.item.id' <<< "$RAW_JSON")
+if [ "$CHECKSUM" != "grid-default" ]; then
+ printf "Failed to query for current Fleet Server URLs..."
+ exit 1
+fi
+
+# Get the current list of Fleet Server URLs & hash them
+CURRENT_LIST=$(jq -c -r '.item.host_urls' <<<  "$RAW_JSON")
+CURRENT_HASH=$(sha1sum <<< "$CURRENT_LIST" | awk '{print $1}')
+
+# Create array & add initial elements
+if [ "{{ GLOBALS.hostname }}" = "{{ GLOBALS.url_base }}" ]; then
+    NEW_LIST=("https://{{ GLOBALS.url_base }}:8220")
+else
+    NEW_LIST=("https://{{ GLOBALS.url_base }}:8220" "https://{{ GLOBALS.hostname }}:8220")
+fi
+
+# Query for FQDN entries & add them to the list
+{% if ELASTICFLEETMERGED.config.server.custom_fqdn | length > 0 %}
+CUSTOMFQDNLIST=('{{ ELASTICFLEETMERGED.config.server.custom_fqdn | join(' ') }}')
+readarray -t -d ' ' CUSTOMFQDN < <(printf '%s' "$CUSTOMFQDNLIST")
+for CUSTOMNAME in "${CUSTOMFQDN[@]}"
+do
+ NEW_LIST+=("https://$CUSTOMNAME:8220")
+done
+{% endif %}
+
+# Query for the current Grid Nodes that are running Logstash (which includes Fleet Nodes)
+LOGSTASHNODES=$(salt-call --out=json pillar.get logstash:nodes | jq '.local')
+
+# Query for Fleet Nodes & add them to the list (Hostname)
+if grep -q "fleet" <<< $LOGSTASHNODES; then
+   readarray -t FLEETNODES < <(jq -r ' .fleet | keys_unsorted[]'  <<< $LOGSTASHNODES)
+   for NODE in "${FLEETNODES[@]}"
+   do
+    NEW_LIST+=("https://$NODE:8220")
+   done
+fi
+
+# Sort & hash the new list of Fleet Server URLs
+NEW_LIST_JSON=$(jq --compact-output --null-input '$ARGS.positional' --args -- "${NEW_LIST[@]}")
+NEW_HASH=$(sha1sum <<< "$NEW_LIST_JSON" | awk '{print $1}')
+
+# Compare the current & new list of URLs - if different, update the Fleet Server URLs & regenerate the agent installer
+if [ "$NEW_HASH" = "$CURRENT_HASH" ]; then
+    printf "\nHashes match - no update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    exit 0
+else
+    printf "\nHashes don't match - update needed.\n"
+    printf "Current List: $CURRENT_LIST\nNew List: $NEW_LIST_JSON\n"
+    update_fleet_urls
+    /sbin/so-elastic-agent-gen-installers >> /opt/so/log/elasticfleet/so-elastic-agent-gen-installers.log &
+fi

salt/elasticsearch/defaults.yaml

@@ -81,6 +81,8 @@ elasticsearch:
               managed: true
         composed_of:
           - "so-data-streams-mappings"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
           - "so-logs-mappings"
           - "so-logs-settings"
         priority: 225
@@ -1312,6 +1314,398 @@ elasticsearch:
             name: elastic_agent
           managed_by: security_onion
           managed: true
+    so-logs-endpoint.alerts:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.alerts-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.alerts@custom"
+          - "logs-endpoint.alerts@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.api:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.api-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.api@custom"
+          - "logs-endpoint.events.api@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.file:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.file-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.file@custom"
+          - "logs-endpoint.events.file@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.library:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.library-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.library@custom"
+          - "logs-endpoint.events.library@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.network:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.network-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.network@custom"
+          - "logs-endpoint.events.network@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.process:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.process-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.process@custom"
+          - "logs-endpoint.events.process@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.registry:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.registry-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.registry@custom"
+          - "logs-endpoint.events.registry@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
+    so-logs-endpoint.events.security:
+      index_sorting: False
+      index_template:
+        index_patterns:
+          - "logs-endpoint.events.security-*"
+        template:
+          settings:
+            index:
+              number_of_replicas: 0
+              mapping:
+                total_fields:
+                  limit: 5000
+              sort:
+                field: "@timestamp"
+                order: desc
+        composed_of:
+          - "event-mappings"
+          - "logs-endpoint.events.security@custom"
+          - "logs-endpoint.events.security@package"
+          - "so-fleet_globals-1"
+          - "so-fleet_agent_id_verification-1"
+        priority: 501
+        data_stream:
+          hidden: false
+          allow_custom_routing: false
+      policy:
+        phases:
+          hot:
+            min_age: 0ms
+            actions:
+              set_priority:
+                priority: 100
+              rollover:
+                max_age: 30d
+                max_primary_shard_size: 50gb
+          cold:
+            min_age: 30d
+            actions:
+              set_priority:
+                priority: 0
+          delete:
+            min_age: 365d
+            actions:
+              delete: {}
+        _meta:
+          package:
+            name: elastic_agent
+          managed_by: security_onion
+          managed: true
     so-logs-elastic_agent.filebeat:
       index_sorting: False
       index_template:

salt/elasticsearch/files/ingest/.fleet_final_pipeline-1

@@ -72,8 +72,13 @@
     { "set":        { "ignore_failure": true,  "field": "event.module", "value": "elastic_agent" } },
     { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "module_temp"  } },
     { "set":        { "if": "ctx.module_temp != null", "override": true, "field": "event.module", "value": "{{module_temp.0}}" } },
-    { "split":      { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "separator": "\\.", "target_field": "dataset_tag_temp" } },
-    { "append":        { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp.1}}"  } },
+    { "gsub":       { "if": "ctx.event?.dataset != null && ctx.event.dataset.contains('.')", "field": "event.dataset", "pattern": "^[^.]*.", "replacement": "", "target_field": "dataset_tag_temp" } },
+    { "append":     { "if": "ctx.dataset_tag_temp != null", "field": "tags", "value": "{{dataset_tag_temp}}"  } },
+    { "set":        { "if": "ctx.network?.direction == 'egress'", "override": true, "field": "network.initiated", "value": "true" } },
+    { "set":        { "if": "ctx.network?.direction == 'ingress'", "override": true, "field": "network.initiated", "value": "false" } },
+    { "set":        { "if": "ctx.network?.type == 'ipv4'", "override": true, "field": "destination.ipv6", "value": "false" } },
+    { "set":        { "if": "ctx.network?.type == 'ipv6'", "override": true, "field": "destination.ipv6", "value": "true" } },
+    {"community_id":{ "if": "ctx.event?.dataset == 'endpoint.events.network'", "ignore_failure":true }  },
     { "remove":     { "field": [ "message2", "type", "fields", "category", "module", "dataset", "event.dataset_temp", "dataset_tag_temp", "module_temp" ], "ignore_missing": true, "ignore_failure": true } } 
   ],
   "on_failure": [

salt/elasticsearch/files/ingest/filterlog

@@ -49,11 +49,10 @@
                 "on_failure" : [ {"set" : {"field" : "error.message","value" : "{{ _ingest.on_failure_message }}"}}]
         }
      },
-     { "set":         { "field": "_index",        "value": "so-firewall", "override": true           } },
      { "set":         { "if": "ctx.network?.transport_id == '0'", "field": "network.transport",        "value": "icmp", "override": true           } },
      { "community_id": {} },
-     { "set":         { "field": "module",	"value": "pfsense",	"override": true	} },
-     { "set":         { "field": "dataset",	"value": "firewall",	"override": true	} },
+     { "set":         { "field": "event.module",	"value": "pfsense",	"override": true	} },
+     { "set":         { "field": "event.dataset",	"value": "firewall",	"override": true	} },
      { "set":         { "field": "category",	"value": "network",	"override": true	} },
      { "remove":      { "field": ["real_message", "ip_sub_msg", "firewall.sub_message"],     "ignore_failure": true  } }
   ]

salt/elasticsearch/files/ingest/strelka.file

@@ -63,7 +63,8 @@
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 50 && ctx.rule?.score <=69",   "field": "event.severity", "value": 2, "override": true }  },
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 70 && ctx.rule?.score <=89",   "field": "event.severity", "value": 3, "override": true }  },
     { "set":         { "if": "ctx.rule?.score != null && ctx.rule?.score >= 90",   "field": "event.severity", "value": 4, "override": true }  },
-    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": 0.0, "override": true }  },
+    { "set":         { "if": "ctx.scan?.entropy?.entropy == 0",   "field": "scan.entropy.entropy", "value": "0.0", "override": true }  },
+    { "set":         { "if": "ctx.scan?.pe?.image_version == 0",   "field": "scan.pe.image_version", "value": "0.0", "override": true }  },
     { "set":         { "field": "observer.name",        "value": "{{agent.name}}" }},
     { "convert" :    { "field" : "scan.exiftool","type": "string", "ignore_missing":true }},
     { "remove":         { "field": ["host", "path", "message", "exiftool", "scan.yara.meta"],                                         "ignore_missing": true  } },

salt/elasticsearch/templates/component/ecs/agent.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "agent": {
@@ -52,65 +12,29 @@
               "properties": {
                 "original": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "ephemeral_id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "version": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/base.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "@timestamp": {
@@ -57,13 +17,7 @@
         },
         "tags": {
           "ignore_above": 1024,
-          "type": "keyword",
-          "fields": {
-            "security": {
-              "type": "text",
-              "analyzer": "es_security_analyzer"
-            }
-          }
+          "type": "keyword"
         }
       }
     }

salt/elasticsearch/templates/component/ecs/client.json

@@ -4,59 +4,13 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "client": {
           "properties": {
             "address": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "as": {
               "properties": {
@@ -66,12 +20,6 @@
                 "organization": {
                   "properties": {
                     "name": {
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      },
                       "ignore_above": 1024,
                       "type": "keyword"
                     }
@@ -84,118 +32,52 @@
             },
             "domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "geo": {
               "properties": {
                 "city_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "postal_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timezone": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -204,13 +86,7 @@
             },
             "mac": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "nat": {
               "properties": {
@@ -230,63 +106,27 @@
             },
             "registered_domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "top_level_domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "user": {
               "properties": {
                 "domain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "email": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "full_name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
@@ -294,75 +134,33 @@
                   "properties": {
                     "domain": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "hash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/cloud.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "cloud": {
@@ -52,57 +12,27 @@
               "properties": {
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "availability_zone": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "instance": {
               "properties": {
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -110,13 +40,7 @@
               "properties": {
                 "type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -124,57 +48,27 @@
               "properties": {
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "provider": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "region": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "service": {
               "properties": {
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/container.json

@@ -4,81 +4,23 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "container": {
           "properties": {
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "image": {
               "properties": {
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "tag": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -87,23 +29,11 @@
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "runtime": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/cyberark.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "cyberarkpas": {
@@ -52,565 +12,241 @@
               "properties": {
                 "action": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "ca_properties": {
                   "properties": {
                     "address": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "cpm_disabled": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "cpm_error_details": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "cpm_status": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "creation_method": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "customer": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "database": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "device_type": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "dual_account_status": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "group_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "in_process": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "index": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "last_fail_date": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "last_success_change": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "last_success_reconciliation": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "last_success_verification": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "last_task": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "logon_domain": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "other": {
                       "type": "flattened"
                     },
                     "policy_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "port": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "privcloud": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "reset_immediately": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "retries_count": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "sequence_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "tags": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "user_dn": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "user_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "virtual_username": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "category": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "desc": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "extra_details": {
                   "properties": {
                     "ad_process_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "ad_process_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "application_type": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "command": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "connection_component_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "dst_host": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "logon_account": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "managed_account": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "other": {
                       "type": "flattened"
                     },
                     "process_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "process_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "protocol": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "psmid": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "session_duration": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "session_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "src_host": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "username": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "file": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "gateway_station": {
                   "type": "ip"
                 },
                 "hostname": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "iso_timestamp": {
                   "type": "date"
                 },
                 "issuer": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "location": {
                   "doc_values": false,
                   "ignore_above": 4096,
                   "index": false,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "message": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "message_id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "pvwa_details": {
                   "type": "flattened"
@@ -619,99 +255,45 @@
                   "doc_values": false,
                   "ignore_above": 4096,
                   "index": false,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "reason": {
                   "norms": false,
-                  "type": "text",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "text"
                 },
                 "rfc5424": {
                   "type": "boolean"
                 },
                 "safe": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "severity": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "source_user": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "station": {
                   "type": "ip"
                 },
                 "target_user": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timestamp": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "vendor": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "version": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/data_stream.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "data_stream": {

salt/elasticsearch/templates/component/ecs/destination.json

@@ -4,59 +4,13 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "destination": {
           "properties": {
             "address": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "as": {
               "properties": {
@@ -66,12 +20,6 @@
                 "organization": {
                   "properties": {
                     "name": {
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      },
                       "ignore_above": 1024,
                       "type": "keyword"
                     }
@@ -84,118 +32,52 @@
             },
             "domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "geo": {
               "properties": {
                 "city_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "postal_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timezone": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -204,13 +86,7 @@
             },
             "mac": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "nat": {
               "properties": {
@@ -230,63 +106,27 @@
             },
             "registered_domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "subdomain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "top_level_domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "user": {
               "properties": {
                 "domain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "email": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "full_name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
@@ -294,75 +134,33 @@
                   "properties": {
                     "domain": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "hash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/dll.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "dll": {
@@ -52,56 +12,26 @@
               "properties": {
                 "digest_algorithm": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "exists": {
                   "type": "boolean"
                 },
                 "signing_id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "status": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "subject_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "team_id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timestamp": {
                   "type": "date"
@@ -118,147 +48,63 @@
               "properties": {
                 "md5": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha1": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha256": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha512": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "ssdeep": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "path": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "pe": {
               "properties": {
                 "architecture": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "company": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "description": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "file_version": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "imphash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "original_file_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/dns.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "dns": {
@@ -52,141 +12,63 @@
               "properties": {
                 "class": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "data": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "ttl": {
                   "type": "long"
                 },
                 "type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               },
               "type": "object"
             },
             "header_flags": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "op_code": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "question": {
               "properties": {
                 "class": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "registered_domain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "subdomain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "top_level_domain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -195,23 +77,11 @@
             },
             "response_code": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/ecs.json

@@ -4,59 +4,13 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "ecs": {
           "properties": {
             "version": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/elasticsearch.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "@timestamp": {
@@ -57,13 +17,7 @@
         },
         "tags": {
           "ignore_above": 1024,
-          "type": "keyword",
-          "fields": {
-            "security": {
-              "type": "text",
-              "analyzer": "es_security_analyzer"
-            }
-          }
+          "type": "keyword"
         }
       }
     }

salt/elasticsearch/templates/component/ecs/error.json

@@ -4,79 +4,23 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "error": {
           "properties": {
             "code": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "message": {
               "type": "match_only_text"
             },
             "stack_trace": {
               "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                },
                 "text": {
                   "type": "match_only_text"
                 }
@@ -85,13 +29,7 @@
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/event.json

@@ -4,102 +4,32 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "event": {
           "properties": {
             "action": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "agent_id_status": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "category": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "code": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "created": {
               "type": "date"
             },
             "dataset": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "duration": {
               "type": "long"
@@ -109,97 +39,43 @@
             },
             "hash": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "ingested": {
               "type": "date"
             },
             "kind": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "module": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "original": {
               "doc_values": false,
               "index": false,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "outcome": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "provider": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "reason": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "reference": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "risk_score": {
               "type": "float"
@@ -218,33 +94,15 @@
             },
             "timezone": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "url": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/file.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "file": {
@@ -53,68 +13,32 @@
             },
             "attributes": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "code_signature": {
               "properties": {
                 "digest_algorithm": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "exists": {
                   "type": "boolean"
                 },
                 "signing_id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "status": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "subject_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "team_id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timestamp": {
                   "type": "date"
@@ -135,65 +59,29 @@
             },
             "device": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "directory": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "drive_letter": {
               "ignore_above": 1,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "elf": {
               "properties": {
                 "architecture": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "byte_order": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "cpu_type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "creation_date": {
                   "type": "date"
@@ -205,76 +93,34 @@
                   "properties": {
                     "abi_version": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "class": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "data": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "entrypoint": {
                       "type": "long"
                     },
                     "object_version": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "os_abi": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "type": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "version": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -291,46 +137,22 @@
                     },
                     "flags": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "physical_offset": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "physical_size": {
                       "type": "long"
                     },
                     "type": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "virtual_address": {
                       "type": "long"
@@ -345,203 +167,89 @@
                   "properties": {
                     "sections": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "type": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   },
                   "type": "nested"
                 },
                 "shared_libraries": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "telfhash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "extension": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "fork_name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "gid": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "group": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "hash": {
               "properties": {
                 "md5": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha1": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha256": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "sha512": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "ssdeep": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "inode": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "mime_type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "mode": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "mtime": {
               "type": "date"
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "owner": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "path": {
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              },
               "ignore_above": 1024,
               "type": "keyword"
             },
@@ -549,73 +257,31 @@
               "properties": {
                 "architecture": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "company": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "description": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "file_version": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "imphash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "original_file_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "product": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -623,118 +289,52 @@
               "type": "long"
             },
             "target_path": {
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              },
               "ignore_above": 1024,
               "type": "keyword"
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "uid": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "x509": {
               "properties": {
                 "alternative_names": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "issuer": {
                   "properties": {
                     "common_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "country": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "distinguished_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "locality": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "organization": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "organizational_unit": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "state_or_province": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -746,23 +346,11 @@
                 },
                 "public_key_algorithm": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "public_key_curve": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "public_key_exponent": {
                   "doc_values": false,
@@ -774,107 +362,47 @@
                 },
                 "serial_number": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "signature_algorithm": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "subject": {
                   "properties": {
                     "common_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "country": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "distinguished_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "locality": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "organization": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "organizational_unit": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "state_or_province": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "version_number": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }

salt/elasticsearch/templates/component/ecs/gcp.json

@@ -4,46 +4,6 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "gcp": {
@@ -54,35 +14,17 @@
                   "properties": {
                     "authority_selector": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "principal_email": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "method_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "num_response_items": {
                   "type": "long"
@@ -91,43 +33,19 @@
                   "properties": {
                     "filter": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "proto_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "resource_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -138,13 +56,7 @@
                     },
                     "caller_supplied_user_agent": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -152,25 +64,13 @@
                   "properties": {
                     "current_locations": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "resource_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "response": {
                   "properties": {
@@ -178,77 +78,35 @@
                       "properties": {
                         "group": {
                           "ignore_above": 1024,
-                          "type": "keyword",
-                          "fields": {
-                            "security": {
-                              "type": "text",
-                              "analyzer": "es_security_analyzer"
-                            }
-                          }
+                          "type": "keyword"
                         },
                         "kind": {
                           "ignore_above": 1024,
-                          "type": "keyword",
-                          "fields": {
-                            "security": {
-                              "type": "text",
-                              "analyzer": "es_security_analyzer"
-                            }
-                          }
+                          "type": "keyword"
                         },
                         "name": {
                           "ignore_above": 1024,
-                          "type": "keyword",
-                          "fields": {
-                            "security": {
-                              "type": "text",
-                              "analyzer": "es_security_analyzer"
-                            }
-                          }
+                          "type": "keyword"
                         },
                         "uid": {
                           "ignore_above": 1024,
-                          "type": "keyword",
-                          "fields": {
-                            "security": {
-                              "type": "text",
-                              "analyzer": "es_security_analyzer"
-                            }
-                          }
+                          "type": "keyword"
                         }
                       }
                     },
                     "proto_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "status": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "service_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "status": {
                   "properties": {
@@ -257,25 +115,13 @@
                     },
                     "message": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
@@ -285,33 +131,15 @@
                   "properties": {
                     "project_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "region": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "zone": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -319,33 +147,15 @@
                   "properties": {
                     "project_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "subnetwork_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "vpc_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 }
@@ -357,96 +167,42 @@
                   "properties": {
                     "action": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "destination_range": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "direction": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "priority": {
                       "type": "long"
                     },
                     "reference": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "source_range": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "source_service_account": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "source_tag": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "target_service_account": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "target_tag": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 }
@@ -458,33 +214,15 @@
                   "properties": {
                     "project_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "region": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "zone": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
@@ -492,33 +230,15 @@
                   "properties": {
                     "project_id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "subnetwork_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "vpc_name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 }
@@ -528,13 +248,7 @@
               "properties": {
                 "reporter": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "rtt": {
                   "properties": {

salt/elasticsearch/templates/component/ecs/group.json

@@ -4,79 +4,21 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "group": {
           "properties": {
             "domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             }
           }
         }

salt/elasticsearch/templates/component/ecs/host.json

@@ -4,59 +4,13 @@
     "ecs_version": "1.12.2"
   },
   "template": {
-    "settings": {
-      "analysis": {
-        "analyzer": {
-          "es_security_analyzer": {
-            "type": "custom",
-            "char_filter": [
-              "whitespace_no_way"
-            ],
-            "filter": [
-              "lowercase",
-              "trim"
-            ],
-            "tokenizer": "keyword"
-          }
-        },
-        "char_filter": {
-          "whitespace_no_way": {
-            "type": "pattern_replace",
-            "pattern": "(\\s)+",
-            "replacement": "$1"
-          }
-        },
-        "filter": {
-          "path_hierarchy_pattern_filter": {
-            "type": "pattern_capture",
-            "preserve_original": true,
-            "patterns": [
-              "((?:[^\\\\]*\\\\)*)(.*)",
-              "((?:[^/]*/)*)(.*)"
-            ]
-          }
-        },
-        "tokenizer": {
-          "path_tokenizer": {
-            "type": "path_hierarchy",
-            "delimiter": "\\"
-          }
-        }
-      }
-    },
     "mappings": {
       "properties": {
         "host": {
           "properties": {
             "architecture": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "cpu": {
               "properties": {
@@ -86,163 +40,73 @@
             },
             "domain": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "geo": {
               "properties": {
                 "city_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "continent_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "country_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "location": {
                   "type": "geo_point"
                 },
                 "name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "postal_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_iso_code": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "region_name": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "timezone": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "hostname": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "id": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "ip": {
               "type": "ip"
             },
             "mac": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "name": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "network": {
               "properties": {
@@ -272,85 +136,37 @@
               "properties": {
                 "family": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "full": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
                 "kernel": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
                 "platform": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "type": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "version": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             },
             "type": {
               "ignore_above": 1024,
-              "type": "keyword",
-              "fields": {
-                "security": {
-                  "type": "text",
-                  "analyzer": "es_security_analyzer"
-                }
-              }
+              "type": "keyword"
             },
             "uptime": {
               "type": "long"
@@ -359,31 +175,13 @@
               "properties": {
                 "domain": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "email": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "full_name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
@@ -391,75 +189,33 @@
                   "properties": {
                     "domain": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "id": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     },
                     "name": {
                       "ignore_above": 1024,
-                      "type": "keyword",
-                      "fields": {
-                        "security": {
-                          "type": "text",
-                          "analyzer": "es_security_analyzer"
-                        }
-                      }
+                      "type": "keyword"
                     }
                   }
                 },
                 "hash": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "id": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 },
                 "name": {
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  },
                   "ignore_above": 1024,
                   "type": "keyword"
                 },
                 "roles": {
                   "ignore_above": 1024,
-                  "type": "keyword",
-                  "fields": {
-                    "security": {
-                      "type": "text",
-                      "analyzer": "es_security_analyzer"
-                    }
-                  }
+                  "type": "keyword"
                 }
               }
             }