elasticsearch:
  # Salt defaults for the Elasticsearch role; every key here is a default that pillar may override.
  enabled: false
  retention:
    # Disk-usage percentage used by the retention job; presumably the threshold at which old
    # indices are trimmed — the exact semantics live in the Salt state that reads it, confirm there.
    retention_pct: 50
  config:
    # Rendered into elasticsearch.yml; keys mirror Elasticsearch's dotted setting names.
    node: {}
    cluster:
      routing:
        allocation:
          disk:
            # Disk-based shard allocation: stop allocating at "low", relocate at "high",
            # block writes at "flood_stage".
            threshold_enabled: true
            watermark:
              low: 80%
              high: 85%
              flood_stage: 90%
    network:
      # Listens on every interface; network exposure is governed by the host firewall, not here.
      host: 0.0.0.0
    path:
      logs: /var/log/elasticsearch
    action:
      # Refuses wildcard / _all index deletes, a guardrail against accidental or scripted data loss.
      destructive_requires_name: true
    transport:
      bind_host: 0.0.0.0
      publish_port: 9300
    xpack:
      ml:
        enabled: false
      security:
        enabled: true
        authc:
          anonymous:
            # Anonymous principal carries no roles, so unauthenticated requests have no privileges;
            # with authz_exception they receive a 403 instead of a 401 credential challenge.
            authz_exception: true
            roles: []
            username: _anonymous
        transport:
          ssl:
            enabled: true
            # NOTE(review): node-to-node traffic is encrypted but the peer certificate is not
            # validated, so the CA listed below is not enforced on this channel; `certificate`
            # or `full` would require a cert signed by that CA before a node can join. Confirm
            # whether the generated node certificates allow tightening this.
            verification_mode: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
        http:
          ssl:
            enabled: true
            # REST clients are not asked for a certificate; the API relies on credential-based
            # authentication (see authc above) rather than mutual TLS.
            client_authentication: none
            key: /usr/share/elasticsearch/config/elasticsearch.key
            certificate: /usr/share/elasticsearch/config/elasticsearch.crt
            certificate_authorities:
              - /usr/share/elasticsearch/config/ca.crt
    script:
      # Generous script-compilation budget; lower it if script-heavy queries become a resource concern.
      max_compilations_rate: 20000/1m
    indices:
      id_field_data:
        # Refuses aggregations/sorts on _id instead of letting them load fielddata and exhaust heap.
        enabled: false
    logger:
      org:
        elasticsearch:
          # Only deprecation messages at ERROR level reach the log.
          deprecation: ERROR
index_settings:
global_overrides:
  # Settings applied on top of every index template below.
  index_template:
    template:
      settings:
        index:
          # Placeholder string, not a valid Elasticsearch value; presumably replaced by the Salt
          # state (e.g. from the node count) before the template is pushed — confirm in that state.
          number_of_replicas: default_placeholder
so-logs:
  # Catch-all template and lifecycle policy for every logs-* data stream; the per-integration
  # stanzas that follow use a higher priority (501) and so take precedence where they match.
  # Security Onion flag rather than an Elasticsearch setting; presumably gates whether the
  # index.sort settings below are applied — confirm in the Salt state.
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-*-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              # Ceiling on mapped fields per index, bounding mapping growth from noisy sources.
              limit: 5001
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    composed_of:
      - "so-data-streams-mappings"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
      - "so-logs-mappings"
      - "so-logs-settings"
    priority: 225
    data_stream:
      hidden: false
      allow_custom_routing: false
  policy:
    # ILM policy: hot for 30 days or 50gb per primary shard, cold until day 365, then delete.
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true
so-logs-system_x_auth:
  # Per-integration template for logs-system.auth; priority 501 outranks the generic so-logs template (225).
  # Unlike the non-system stanzas this one also pulls in "event-mappings" and uses a pattern without
  # the "-" separator; presumably intentional, worth confirming against the Salt state.
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-system.auth*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "event-mappings"
      - "logs-system.auth@package"
      - "logs-system.auth@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-system_x_syslog:
  # Per-integration template for logs-system.syslog; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-system.syslog*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "event-mappings"
      - "logs-system.syslog@package"
      - "logs-system.syslog@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-system_x_system:
  # Per-integration template for logs-system.system; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-system.system*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "event-mappings"
      - "logs-system.system@package"
      - "logs-system.system@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-system_x_application:
  # Per-integration template for logs-system.application; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-system.application*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "event-mappings"
      - "logs-system.application@package"
      - "logs-system.application@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-system_x_security:
  # Per-integration template for logs-system.security; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-system.security*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "event-mappings"
      - "logs-system.security@package"
      - "logs-system.security@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-windows_x_forwarded:
  # Per-integration template for logs-windows.forwarded; priority 501 outranks the generic so-logs template (225).
  # The pattern lacks the "-" separator the other windows stanzas use; it still matches
  # logs-windows.forwarded-*, so probably intentional, but confirm it is not a typo.
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-windows.forwarded*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-windows.forwarded@package"
      - "logs-windows.forwarded@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-windows_x_powershell:
  # Per-integration template for logs-windows.powershell; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-windows.powershell-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-windows.powershell@package"
      - "logs-windows.powershell@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-windows_x_powershell_operational:
  # Per-integration template for logs-windows.powershell_operational; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-windows.powershell_operational-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-windows.powershell_operational@package"
      - "logs-windows.powershell_operational@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-windows_x_sysmon_operational:
  # Per-integration template for logs-windows.sysmon_operational; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-windows.sysmon_operational-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-windows.sysmon_operational@package"
      - "logs-windows.sysmon_operational@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-auditd_x_log:
  # Per-integration template for logs-auditd.log; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-auditd.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-auditd.log@package"
      - "logs-auditd.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_cloudtrail:
  # Per-integration template for logs-aws.cloudtrail; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.cloudtrail-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.cloudtrail@package"
      - "logs-aws.cloudtrail@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_cloudwatch_logs:
  # Per-integration template for logs-aws.cloudwatch_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.cloudwatch_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.cloudwatch_logs@package"
      - "logs-aws.cloudwatch_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_ec2_logs:
  # Per-integration template for logs-aws.ec2_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.ec2_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.ec2_logs@package"
      - "logs-aws.ec2_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_elb_logs:
  # Per-integration template for logs-aws.elb_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.elb_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.elb_logs@package"
      - "logs-aws.elb_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_firewall_logs:
  # Per-integration template for logs-aws.firewall_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.firewall_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.firewall_logs@package"
      - "logs-aws.firewall_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_route53_public_logs:
  # Per-integration template for logs-aws.route53_public_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.route53_public_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.route53_public_logs@package"
      - "logs-aws.route53_public_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_route53_resolver_logs:
  # Per-integration template for logs-aws.route53_resolver_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.route53_resolver_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.route53_resolver_logs@package"
      - "logs-aws.route53_resolver_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_s3access:
  # Per-integration template for logs-aws.s3access; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.s3access-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.s3access@package"
      - "logs-aws.s3access@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_vpcflow:
  # Per-integration template for logs-aws.vpcflow; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.vpcflow-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.vpcflow@package"
      - "logs-aws.vpcflow@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-aws_x_waf:
  # Per-integration template for logs-aws.waf; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-aws.waf-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-aws.waf@package"
      - "logs-aws.waf@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_activitylogs:
  # Per-integration template for logs-azure.activitylogs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.activitylogs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.activitylogs@package"
      - "logs-azure.activitylogs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_application_gateway:
  # Per-integration template for logs-azure.application_gateway; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.application_gateway-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.application_gateway@package"
      - "logs-azure.application_gateway@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_auditlogs:
  # Per-integration template for logs-azure.auditlogs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.auditlogs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.auditlogs@package"
      - "logs-azure.auditlogs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_eventhub:
  # Per-integration template for logs-azure.eventhub; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.eventhub-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.eventhub@package"
      - "logs-azure.eventhub@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_firewall_logs:
  # Per-integration template for logs-azure.firewall_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.firewall_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.firewall_logs@package"
      - "logs-azure.firewall_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_identity_protection:
  # Per-integration template for logs-azure.identity_protection; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.identity_protection-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.identity_protection@package"
      - "logs-azure.identity_protection@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_platformlogs:
  # Per-integration template for logs-azure.platformlogs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.platformlogs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.platformlogs@package"
      - "logs-azure.platformlogs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_provisioning:
  # Per-integration template for logs-azure.provisioning; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.provisioning-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.provisioning@package"
      - "logs-azure.provisioning@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_signinlogs:
  # Per-integration template for logs-azure.signinlogs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.signinlogs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.signinlogs@package"
      - "logs-azure.signinlogs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-azure_x_springcloudlogs:
  # Per-integration template for logs-azure.springcloudlogs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-azure.springcloudlogs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-azure.springcloudlogs@package"
      - "logs-azure.springcloudlogs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-barracuda_x_waf:
  # Per-integration template for logs-barracuda.waf; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-barracuda.waf-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-barracuda.waf@package"
      - "logs-barracuda.waf@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-cisco_asa_x_log:
  # Per-integration template for logs-cisco_asa.log; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cisco_asa.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-cisco_asa.log@package"
      - "logs-cisco_asa.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-cloudflare_x_audit:
  # Per-integration template for logs-cloudflare.audit; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cloudflare.audit-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-cloudflare.audit@package"
      - "logs-cloudflare.audit@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-cloudflare_x_logpull:
  # Per-integration template for logs-cloudflare.logpull; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-cloudflare.logpull-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-cloudflare.logpull@package"
      - "logs-cloudflare.logpull@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-crowdstrike_x_falcon:
  # Per-integration template for logs-crowdstrike.falcon; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-crowdstrike.falcon-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-crowdstrike.falcon@package"
      - "logs-crowdstrike.falcon@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-crowdstrike_x_fdr:
  # Per-integration template for logs-crowdstrike.fdr; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-crowdstrike.fdr-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-crowdstrike.fdr@package"
      - "logs-crowdstrike.fdr@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-darktrace_x_ai_analyst_alert:
  # Per-integration template for logs-darktrace.ai_analyst_alert; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-darktrace.ai_analyst_alert-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-darktrace.ai_analyst_alert@package"
      - "logs-darktrace.ai_analyst_alert@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-darktrace_x_model_breach_alert:
  # Per-integration template for logs-darktrace.model_breach_alert; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-darktrace.model_breach_alert-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-darktrace.model_breach_alert@package"
      - "logs-darktrace.model_breach_alert@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-darktrace_x_system_status_alert:
  # Per-integration template for logs-darktrace.system_status_alert; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-darktrace.system_status_alert-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-darktrace.system_status_alert@package"
      - "logs-darktrace.system_status_alert@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-f5_bigip_x_log:
  # Per-integration template for logs-f5_bigip.log; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-f5_bigip.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-f5_bigip.log@package"
      - "logs-f5_bigip.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fim_x_event:
  # Per-integration template for logs-fim.event; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fim.event-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fim.event@package"
      - "logs-fim.event@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fortinet_x_clientendpoint:
  # Per-integration template for logs-fortinet.clientendpoint; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fortinet.clientendpoint-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fortinet.clientendpoint@package"
      - "logs-fortinet.clientendpoint@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fortinet_x_firewall:
  # Per-integration template for logs-fortinet.firewall; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fortinet.firewall-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fortinet.firewall@package"
      - "logs-fortinet.firewall@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fortinet_x_fortimail:
  # Per-integration template for logs-fortinet.fortimail; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fortinet.fortimail-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fortinet.fortimail@package"
      - "logs-fortinet.fortimail@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fortinet_x_fortimanager:
  # Per-integration template for logs-fortinet.fortimanager; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fortinet.fortimanager-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fortinet.fortimanager@package"
      - "logs-fortinet.fortimanager@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-fortinet_x_fortigate:
  # Per-integration template for logs-fortinet.fortigate; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-fortinet.fortigate-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-fortinet.fortigate@package"
      - "logs-fortinet.fortigate@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-gcp_x_audit:
  # Per-integration template for logs-gcp.audit; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-gcp.audit-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-gcp.audit@package"
      - "logs-gcp.audit@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-gcp_x_dns:
  # Per-integration template for logs-gcp.dns; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-gcp.dns-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-gcp.dns@package"
      - "logs-gcp.dns@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-gcp_x_firewall:
  # Per-integration template for logs-gcp.firewall; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-gcp.firewall-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-gcp.firewall@package"
      - "logs-gcp.firewall@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-gcp_x_loadbalancing_logs:
  # Per-integration template for logs-gcp.loadbalancing_logs; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-gcp.loadbalancing_logs-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-gcp.loadbalancing_logs@package"
      - "logs-gcp.loadbalancing_logs@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-gcp_x_vpcflow:
  # Per-integration template for logs-gcp.vpcflow; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-gcp.vpcflow-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-gcp.vpcflow@package"
      - "logs-gcp.vpcflow@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-github_x_audit:
  # Per-integration template for logs-github.audit; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-github.audit-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-github.audit@package"
      - "logs-github.audit@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-github_x_code_scanning:
  # Per-integration template for logs-github.code_scanning; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-github.code_scanning-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-github.code_scanning@package"
      - "logs-github.code_scanning@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-github_x_dependabot:
  # Per-integration template for logs-github.dependabot; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-github.dependabot-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-github.dependabot@package"
      - "logs-github.dependabot@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-github_x_issues:
  # Per-integration template for logs-github.issues; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-github.issues-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-github.issues@package"
      - "logs-github.issues@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-github_x_secret_scanning:
  # Per-integration template for logs-github.secret_scanning; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-github.secret_scanning-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-github.secret_scanning@package"
      - "logs-github.secret_scanning@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_access_transparency:
  # Per-integration template for logs-google_workspace.access_transparency; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.access_transparency-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.access_transparency@package"
      - "logs-google_workspace.access_transparency@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_admin:
  # Per-integration template for logs-google_workspace.admin; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.admin-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.admin@package"
      - "logs-google_workspace.admin@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_alert:
  # Per-integration template for logs-google_workspace.alert; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.alert-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.alert@package"
      - "logs-google_workspace.alert@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_context_aware_access:
  # Per-integration template for logs-google_workspace.context_aware_access; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.context_aware_access-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.context_aware_access@package"
      - "logs-google_workspace.context_aware_access@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_device:
  # Per-integration template for logs-google_workspace.device; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.device-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.device@package"
      - "logs-google_workspace.device@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_drive:
  # Per-integration template for logs-google_workspace.drive; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.drive-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.drive@package"
      - "logs-google_workspace.drive@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_gcp:
  # Per-integration template for logs-google_workspace.gcp; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.gcp-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.gcp@package"
      - "logs-google_workspace.gcp@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_group_enterprise:
  # Per-integration template for logs-google_workspace.group_enterprise; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.group_enterprise-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.group_enterprise@package"
      - "logs-google_workspace.group_enterprise@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_groups:
  # Per-integration template for logs-google_workspace.groups; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.groups-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.groups@package"
      - "logs-google_workspace.groups@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_login:
  # Per-integration template for logs-google_workspace.login; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.login-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.login@package"
      - "logs-google_workspace.login@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_rules:
  # Per-integration template for logs-google_workspace.rules; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.rules-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.rules@package"
      - "logs-google_workspace.rules@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_saml:
  # Per-integration template for logs-google_workspace.saml; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.saml-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.saml@package"
      - "logs-google_workspace.saml@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_token:
  # Per-integration template for logs-google_workspace.token; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.token-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.token@package"
      - "logs-google_workspace.token@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-google_workspace_x_user_accounts:
  # Per-integration template for logs-google_workspace.user_accounts; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-google_workspace.user_accounts-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-google_workspace.user_accounts@package"
      - "logs-google_workspace.user_accounts@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-http_endpoint_x_generic:
  # Per-integration template for logs-http_endpoint.generic; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-http_endpoint.generic-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-http_endpoint.generic@package"
      - "logs-http_endpoint.generic@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-httpjson_x_generic:
  # Per-integration template for logs-httpjson.generic; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-httpjson.generic-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-httpjson.generic@package"
      - "logs-httpjson.generic@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-juniper_x_junos:
  # Per-integration template for logs-juniper.junos; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-juniper.junos-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-juniper.junos@package"
      - "logs-juniper.junos@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-juniper_x_netscreen:
  # Per-integration template for logs-juniper.netscreen; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-juniper.netscreen-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-juniper.netscreen@package"
      - "logs-juniper.netscreen@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-juniper_x_srx:
  # Per-integration template for logs-juniper.srx; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-juniper.srx-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-juniper.srx@package"
      - "logs-juniper.srx@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-juniper_srx_x_log:
  # Per-integration template for logs-juniper_srx.log; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-juniper_srx.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-juniper_srx.log@package"
      - "logs-juniper_srx.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-kafka_log_x_generic:
  # Per-integration template for logs-kafka_log.generic; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-kafka_log.generic-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-kafka_log.generic@package"
      - "logs-kafka_log.generic@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-lastpass_x_detailed_shared_folder:
  # Per-integration template for logs-lastpass.detailed_shared_folder; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-lastpass.detailed_shared_folder-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-lastpass.detailed_shared_folder@package"
      - "logs-lastpass.detailed_shared_folder@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-lastpass_x_event_report:
  # Per-integration template for logs-lastpass.event_report; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-lastpass.event_report-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-lastpass.event_report@package"
      - "logs-lastpass.event_report@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
so-logs-lastpass_x_user:
  # Per-integration template for logs-lastpass.user; priority 501 outranks the generic so-logs template (225).
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-lastpass.user-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-lastpass.user@package"
      - "logs-lastpass.user@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
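# Index template for the Fleet data stream logs-m365_defender.event; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-m365_defender_x_event:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-m365_defender.event-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-m365_defender.event@package"
      - "logs-m365_defender.event@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false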
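# Index template for the Fleet data stream logs-m365_defender.incident; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-m365_defender_x_incident:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-m365_defender.incident-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-m365_defender.incident@package"
      - "logs-m365_defender.incident@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false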
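# Index template for the Fleet data stream logs-m365_defender.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-m365_defender_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-m365_defender.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-m365_defender.log@package"
      - "logs-m365_defender.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false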
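# Index template for the Fleet data stream logs-microsoft_defender_endpoint.log; no `policy` block here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-microsoft_defender_endpoint_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-microsoft_defender_endpoint.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-microsoft_defender_endpoint.log@package"
      - "logs-microsoft_defender_endpoint.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false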
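# Index template for the Fleet data stream logs-microsoft_dhcp.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-microsoft_dhcp_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-microsoft_dhcp.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-microsoft_dhcp.log@package"
      - "logs-microsoft_dhcp.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false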
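# Index template for the Fleet data stream logs-netflow.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-netflow_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-netflow.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-netflow.log@package"
      - "logs-netflow.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false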
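# Index template for the Fleet data stream logs-o365.audit; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-o365_x_audit:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-o365.audit-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-o365.audit@package"
      - "logs-o365.audit@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false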
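# Index template for the Fleet data stream logs-okta.system; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-okta_x_system:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-okta.system-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-okta.system@package"
      - "logs-okta.system@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false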
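# Index template for the Fleet data stream logs-panw.panos; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-panw_x_panos:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-panw.panos-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-panw.panos@package"
      - "logs-panw.panos@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false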
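# Index template for the Fleet data stream logs-pfsense.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-pfsense_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-pfsense.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-pfsense.log@package"
      - "logs-pfsense.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false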
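# Index template for the Fleet data stream logs-sentinel_one.activity; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sentinel_one_x_activity:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sentinel_one.activity-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sentinel_one.activity@package"
      - "logs-sentinel_one.activity@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false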
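# Index template for the Fleet data stream logs-sentinel_one.agent; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sentinel_one_x_agent:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sentinel_one.agent-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sentinel_one.agent@package"
      - "logs-sentinel_one.agent@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false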
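# Index template for the Fleet data stream logs-sentinel_one.alert; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sentinel_one_x_alert:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sentinel_one.alert-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sentinel_one.alert@package"
      - "logs-sentinel_one.alert@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false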
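# Index template for the Fleet data stream logs-sentinel_one.group; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sentinel_one_x_group:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sentinel_one.group-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sentinel_one.group@package"
      - "logs-sentinel_one.group@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false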
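# Index template for the Fleet data stream logs-sentinel_one.threat; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sentinel_one_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sentinel_one.threat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sentinel_one.threat@package"
      - "logs-sentinel_one.threat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false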
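# Index template for the Fleet data stream logs-sonicwall_firewall.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-sonicwall_firewall_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-sonicwall_firewall.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-sonicwall_firewall.log@package"
      - "logs-sonicwall_firewall.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false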
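# Index template for the Fleet data stream logs-symantec_endpoint.log; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-symantec_endpoint_x_log:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-symantec_endpoint.log-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-symantec_endpoint.log@package"
      - "logs-symantec_endpoint.log@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false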
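# Index template for the Fleet data stream logs-ti_abusech.malware; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_abusech_x_malware:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_abusech.malware-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_abusech.malware@package"
      - "logs-ti_abusech.malware@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false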
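# Index template for the Fleet data stream logs-ti_abusech.malwarebazaar; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_abusech_x_malwarebazaar:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_abusech.malwarebazaar-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_abusech.malwarebazaar@package"
      - "logs-ti_abusech.malwarebazaar@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false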
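# Index template for the Fleet data stream logs-ti_abusech.threatfox; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_abusech_x_threatfox:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_abusech.threatfox-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_abusech.threatfox@package"
      - "logs-ti_abusech.threatfox@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false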
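# Index template for the Fleet data stream logs-ti_abusech.url; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_abusech_x_url:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_abusech.url-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_abusech.url@package"
      - "logs-ti_abusech.url@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false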
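# Index template for the Fleet data stream logs-ti_misp.threat; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_misp_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_misp.threat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_misp.threat@package"
      - "logs-ti_misp.threat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false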
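# Index template for the Fleet data stream logs-ti_misp.threat_attributes; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_misp_x_threat_attributes:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_misp.threat_attributes-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_misp.threat_attributes@package"
      - "logs-ti_misp.threat_attributes@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false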
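# Index template for the Fleet data stream logs-ti_otx.threat; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_otx_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_otx.threat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_otx.threat@package"
      - "logs-ti_otx.threat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false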
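# Index template for the Fleet data stream logs-ti_recordedfuture.latest_ioc-template; no `policy` block here.
# NOTE(review): the "-template" suffix in this data-stream name is unlike every sibling entry —
# confirm it matches the data stream the installed package actually writes to.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_recordedfuture_x_latest_ioc-template:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_recordedfuture.latest_ioc-template-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_recordedfuture.latest_ioc-template@package"
      - "logs-ti_recordedfuture.latest_ioc-template@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false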
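# Index template for the Fleet data stream logs-ti_recordedfuture.threat; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-ti_recordedfuture_x_threat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-ti_recordedfuture.threat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-ti_recordedfuture.threat@package"
      - "logs-ti_recordedfuture.threat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false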
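# Index template for the Fleet data stream logs-zscaler_zia.alerts; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zia_x_alerts:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zia.alerts-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zia.alerts@package"
      - "logs-zscaler_zia.alerts@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false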
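# Index template for the Fleet data stream logs-zscaler_zia.dns; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zia_x_dns:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zia.dns-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zia.dns@package"
      - "logs-zscaler_zia.dns@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false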
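# Index template for the Fleet data stream logs-zscaler_zia.firewall; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zia_x_firewall:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zia.firewall-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zia.firewall@package"
      - "logs-zscaler_zia.firewall@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false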
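# Index template for the Fleet data stream logs-zscaler_zia.tunnel; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zia_x_tunnel:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zia.tunnel-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zia.tunnel@package"
      - "logs-zscaler_zia.tunnel@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false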
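# Index template for the Fleet data stream logs-zscaler_zia.web; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zia_x_web:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zia.web-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zia.web@package"
      - "logs-zscaler_zia.web@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false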
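# Index template for the Fleet data stream logs-zscaler_zpa.app_connector_status; no `policy` block here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zpa_x_app_connector_status:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zpa.app_connector_status-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zpa.app_connector_status@package"
      - "logs-zscaler_zpa.app_connector_status@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false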
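# Index template for the Fleet data stream logs-zscaler_zpa.audit; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zpa_x_audit:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zpa.audit-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zpa.audit@package"
      - "logs-zscaler_zpa.audit@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false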
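# Index template for the Fleet data stream logs-zscaler_zpa.browser_access; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zpa_x_browser_access:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zpa.browser_access-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zpa.browser_access@package"
      - "logs-zscaler_zpa.browser_access@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false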
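# Index template for the Fleet data stream logs-zscaler_zpa.user_activity; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zpa_x_user_activity:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zpa.user_activity-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zpa.user_activity@package"
      - "logs-zscaler_zpa.user_activity@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false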
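# Index template for the Fleet data stream logs-zscaler_zpa.user_status; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-zscaler_zpa_x_user_status:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-zscaler_zpa.user_status-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-zscaler_zpa.user_status@package"
      - "logs-zscaler_zpa.user_status@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false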
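# Index template for the Fleet data stream logs-1password.item_usages; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-1password_x_item_usages:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-1password.item_usages-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-1password.item_usages@package"
      - "logs-1password.item_usages@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false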
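# Index template for the Fleet data stream logs-1password.signin_attempts; no `policy` block is defined here.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-1password_x_signin_attempts:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-1password.signin_attempts-*"
    template:
      settings:
        index:
          number_of_replicas: 0
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-1password.signin_attempts@package"
      - "logs-1password.signin_attempts@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false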
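# Index template for the hidden (dot-prefixed) osquery_manager actions index. Unlike the
# Fleet data-stream entries it has a single component template, no data_stream block and
# no policy; `_meta` is carried on the index template itself.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-osquery-manager-actions:
  index_sorting: false
  index_template:
    index_patterns:
      - ".logs-osquery_manager.actions*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-osquery_manager.actions"
    priority: 501
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true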
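# Index template for the hidden (dot-prefixed) osquery_manager action.responses index; same
# shape as so-logs-osquery-manager-actions (single component template, no data_stream, no policy).
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-osquery-manager-action_x_responses:
  index_sorting: false
  index_template:
    index_patterns:
      - ".logs-osquery_manager.action.responses*"
    template:
      settings:
        index:
          number_of_replicas: 0
    composed_of:
      - "logs-osquery_manager.action.responses"
    priority: 501
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true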
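# Index template + ILM policy for the Elastic Agent apm_server monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_apm_server:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.apm_server-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-elastic_agent.apm_server@package"
      - "logs-elastic_agent.apm_server@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true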
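# Index template + ILM policy for the Elastic Agent auditbeat monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_auditbeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.auditbeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-elastic_agent.auditbeat@package"
      - "logs-elastic_agent.auditbeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true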
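# Index template + ILM policy for the Elastic Agent cloudbeat monitoring data stream.
# The `data_stream` block was missing here although every other elastic_agent.* entry in this
# file carries it; without it the template is not a data-stream template and the rollover action
# in the policy below has no backing data stream to roll. Added to match the siblings — confirm
# against the deployed cluster that this stream is indeed data-stream backed.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_cloudbeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.cloudbeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-elastic_agent.cloudbeat@package"
      - "logs-elastic_agent.cloudbeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true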
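# Index template + ILM policy for the Elastic Agent endpoint_security monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_endpoint_security:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.endpoint_security-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent.endpoint_security@package"
      - "logs-elastic_agent.endpoint_security@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true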
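# Index template + ILM policy for the Elastic Defend alerts data stream.
# Component-template order fixed: the original listed @custom before @package, which is the
# reverse of every other entry in this file. Elasticsearch applies composed_of in order with
# later templates overriding earlier ones, so @custom must come last or site customisations
# are silently overridden by the package mappings.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_alerts:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.alerts-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.alerts@package"
      - "logs-endpoint.alerts@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true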
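# Index template + ILM policy for the Elastic Defend events.api data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_api:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.api-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.api@package"
      - "logs-endpoint.events.api@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true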
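# Index template + ILM policy for the Elastic Defend events.file data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_file:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.file-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.file@package"
      - "logs-endpoint.events.file@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true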
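# Index template + ILM policy for the Elastic Defend events.library data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_library:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.library-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.library@package"
      - "logs-endpoint.events.library@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true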
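# Index template + ILM policy for the Elastic Defend events.network data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_network:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.network-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.network@package"
      - "logs-endpoint.events.network@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true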
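# Index template + ILM policy for the Elastic Defend events.process data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_process:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.process-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.process@package"
      - "logs-endpoint.events.process@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true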
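# Index template + ILM policy for the Elastic Defend events.registry data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_registry:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.registry-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.registry@package"
      - "logs-endpoint.events.registry@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true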
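# Index template + ILM policy for the Elastic Defend events.security data stream.
# Component-template order fixed (@package before @custom) so that later-wins merging lets
# site customisations in @custom override the package mappings, as in the rest of the file.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-endpoint_x_events_x_security:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-endpoint.events.security-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    composed_of:
      - "event-mappings"
      - "logs-endpoint.events.security@package"
      - "logs-endpoint.events.security@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true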
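# Index template + ILM policy for the Elastic Agent filebeat monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_filebeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.filebeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent.filebeat@package"
      - "logs-elastic_agent.filebeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true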
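# Index template + ILM policy for the Elastic Agent fleet_server monitoring data stream.
# `index.mapping.total_fields.limit: 5000` added to match every other elastic_agent.* entry in
# this file; the original omitted it, leaving this stream alone on the Elasticsearch default.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_fleet_server:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.fleet_server-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent.fleet_server@package"
      - "logs-elastic_agent.fleet_server@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true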
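# Index template + ILM policy for the Elastic Agent heartbeat monitoring data stream.
# The `data_stream` block was missing here although every other elastic_agent.* entry in this
# file carries it; without it the template is not a data-stream template and the rollover action
# in the policy below has no backing data stream to roll. Added to match the siblings — confirm
# against the deployed cluster that this stream is indeed data-stream backed.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_heartbeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.heartbeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-elastic_agent.heartbeat@package"
      - "logs-elastic_agent.heartbeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true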
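# Index template + ILM policy for the top-level Elastic Agent monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent@package"
      - "logs-elastic_agent@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true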
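# Index template + ILM policy for the Elastic Agent metricbeat monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_metricbeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.metricbeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent.metricbeat@package"
      - "logs-elastic_agent.metricbeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true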
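# Index template + ILM policy for the Elastic Agent osquerybeat monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_osquerybeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.osquerybeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
    # event-mappings first, then package, then @custom so site overrides take precedence.
    composed_of:
      - "event-mappings"
      - "logs-elastic_agent.osquerybeat@package"
      - "logs-elastic_agent.osquerybeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true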
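# Index template + ILM policy for the Elastic Agent packetbeat monitoring data stream.
# index_sorting normalised to lowercase `false` to match the file's other booleans.
so-logs-elastic_agent_x_packetbeat:
  index_sorting: false
  index_template:
    index_patterns:
      - "logs-elastic_agent.packetbeat-*"
    template:
      settings:
        index:
          number_of_replicas: 0
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
      mappings:
        _meta:
          package:
            name: elastic_agent
          managed_by: security_onion
          managed: true
    # @custom is listed after @package so site overrides take precedence.
    composed_of:
      - "logs-elastic_agent.packetbeat@package"
      - "logs-elastic_agent.packetbeat@custom"
      - "so-fleet_globals-1"
      - "so-fleet_agent_id_verification-1"
    priority: 501
    data_stream:
      hidden: false
      allow_custom_routing: false
  # ILM: hot (rollover at 30d or 50gb per primary shard) -> cold at 30d -> delete at 365d.
  policy:
    phases:
      hot:
        min_age: 0ms
        actions:
          set_priority:
            priority: 100
          rollover:
            max_age: 30d
            max_primary_shard_size: 50gb
      cold:
        min_age: 30d
        actions:
          set_priority:
            priority: 0
      delete:
        min_age: 365d
        actions:
          delete: {}
    _meta:
      package:
        name: elastic_agent
      managed_by: security_onion
      managed: true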
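# Index template for the Security Onion case index (so-case*): single primary shard, no replicas,
# unmapped strings become keyword (capped at 1024 chars) and date detection is off.
# Glob pattern quoted for consistency with the other entries; index_sorting normalised to `false`.
so-case:
  index_sorting: false
  index_template:
    index_patterns:
      - "so-case*"
    template:
      mappings:
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
        date_detection: false
      settings:
        index:
          mapping:
            total_fields:
              limit: 1500
          sort:
            field: "@timestamp"
            order: desc
          refresh_interval: 30s
          number_of_shards: 1
          number_of_replicas: 0
    composed_of:
      - case-mappings
      - case-settings
    priority: 500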
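# Catch-all data-stream template for SO-native streams (logs-*-so*). Its priority of 1 means any
# more specific template in this file takes precedence over it. The warm/close/delete day counts
# are retention knobs consumed outside this block.
# Glob pattern quoted for consistency with the other entries; index_sorting normalised to `false`.
so-common:
  warm: 7
  close: 30
  delete: 365
  index_sorting: false
  index_template:
    data_stream: {}
    index_patterns:
      - "logs-*-so*"
    template:
      mappings:
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
        date_detection: false
      settings:
        index:
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
          refresh_interval: 30s
          number_of_shards: 1
          number_of_replicas: 0
    # ECS field-set component templates; each dtc-* entry follows its base mapping.
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - syslog-mappings
      - dtc-syslog-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
      - winlog-mappings
    priority: 1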
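# Index template for endgame* indices: same ECS component-template set as so-common plus
# endgame-mappings (and no syslog mappings), as a plain index template without data_stream.
# Glob pattern quoted for consistency with the other entries; index_sorting normalised to `false`.
so-endgame:
  index_sorting: false
  index_template:
    index_patterns:
      - "endgame*"
    template:
      mappings:
        dynamic_templates:
          - strings_as_keyword:
              mapping:
                ignore_above: 1024
                type: keyword
              match_mapping_type: string
        date_detection: false
      settings:
        index:
          mapping:
            total_fields:
              limit: 5000
          sort:
            field: "@timestamp"
            order: desc
          refresh_interval: 30s
          number_of_shards: 1
          number_of_replicas: 0
    composed_of:
      - agent-mappings
      - dtc-agent-mappings
      - base-mappings
      - dtc-base-mappings
      - client-mappings
      - dtc-client-mappings
      - cloud-mappings
      - container-mappings
      - data_stream-mappings
      - destination-mappings
      - dtc-destination-mappings
      - pb-override-destination-mappings
      - dll-mappings
      - dns-mappings
      - dtc-dns-mappings
      - ecs-mappings
      - dtc-ecs-mappings
      - endgame-mappings
      - error-mappings
      - event-mappings
      - dtc-event-mappings
      - file-mappings
      - dtc-file-mappings
      - group-mappings
      - host-mappings
      - dtc-host-mappings
      - http-mappings
      - dtc-http-mappings
      - log-mappings
      - network-mappings
      - dtc-network-mappings
      - observer-mappings
      - dtc-observer-mappings
      - orchestrator-mappings
      - organization-mappings
      - package-mappings
      - process-mappings
      - dtc-process-mappings
      - registry-mappings
      - related-mappings
      - rule-mappings
      - dtc-rule-mappings
      - server-mappings
      - service-mappings
      - dtc-service-mappings
      - source-mappings
      - dtc-source-mappings
      - pb-override-source-mappings
      - threat-mappings
      - tls-mappings
      - tracing-mappings
      - url-mappings
      - user_agent-mappings
      - dtc-user_agent-mappings
      - vulnerability-mappings
      - common-settings
      - common-dynamic-mappings
      - winlog-mappings
    priority: 500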
    # Template for plain so-idh-* indices (presumably the intrusion-detection
    # honeypot logs — confirm). No `data_stream` and no ILM policy here.
    so-idh:
      # Day counts only; no `policy:` or index.lifecycle.name accompanies them.
      # Presumably consumed by the Salt state rather than Elasticsearch — if the
      # consumer no longer reads them, so-idh-* indices are never expired.
      # TODO confirm.
      warm: 7
      close: 30
      delete: 365
      # Consumer-level flag; not an Elasticsearch setting.
      index_sorting: False
      index_template:
        index_patterns:
          - so-idh-*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed/searchable on
              # that field — relevant for long attacker payloads in honeypot
              # logs that land in dynamically mapped fields.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              mapping:
                # Mapping-explosion guard (documents adding new fields beyond
                # 5000 are rejected).
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Fewer components than the logs-*-so* templates (no cloud, data_stream,
        # orchestrator, registry, tracing or vulnerability); each must exist
        # before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - container-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - common-settings
          - common-dynamic-mappings
        priority: 500
    # Index template and ILM policy for the logs-suricata-so* data stream
    # (Suricata alerts/metadata).
    so-suricata:
      # Consumer-level flag, not an Elasticsearch setting; the template still
      # carries index.sort.* below.
      index_sorting: False
      index_template:
        # Data-stream template: append-only backing indices, @timestamp required.
        data_stream: {}
        index_patterns:
          - logs-suricata-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed, so long
              # payload/URL strings in dynamically mapped fields are not
              # searchable on that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # Binds the ILM policy defined under `policy:` below to every
              # backing index created from this template.
              lifecycle:
                name: so-suricata-logs
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new alert is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - suricata-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages are measured from rollover, not from index
      # creation, so a backing index may hold data for up to 30d + 365d.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Highest recovery priority: restored first after a restart.
              set_priority:
                priority: 100
              # New backing index after 30 days or once a primary shard
              # reaches 50gb, whichever comes first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Recovered last after a restart.
              set_priority:
                priority: 0
          # Irreversible removal of evidence: if retention obligations exceed
          # one year, snapshot before this phase runs.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for the logs-import-so* data stream
    # (presumably events generated from imported evidence — confirm).
    so-import:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        # Data-stream template: append-only backing indices, @timestamp required.
        data_stream: {}
        index_patterns:
          - logs-import-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed, so they are
              # not searchable on that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # Binds the ILM policy under `policy:` below to the backing
              # indices created from this template.
              lifecycle:
                name: so-import-logs
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
          - winlog-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages count from rollover, so a backing index may
      # hold data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible; snapshot first if evidence must outlive one year.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for the logs-kratos-so* data stream.
    # Kratos is presumably the identity service behind the web login, so treat
    # these as authentication/session audit logs — confirm before changing the
    # retention below.
    so-kratos:
      # Day counts alongside a full `policy:`; presumably legacy knobs read by
      # the Salt consumer. Which mechanism wins is not visible here — confirm.
      warm: 7
      close: 30
      delete: 365
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        data_stream:
          # Visible in normal index listings and Discover.
          hidden: false
          # Documents may not supply their own _routing value.
          allow_custom_routing: false
        index_patterns:
          - logs-kratos-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed/searchable on
              # that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # NOTE(review): no index.lifecycle.name here, unlike so-suricata,
              # so-import, so-logstash, so-redis and so-zeek. Unless the Salt
              # state binds the policy by another route, the `policy:` below is
              # never attached and these audit logs neither roll over nor
              # expire — confirm.
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - container-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - common-settings
          - common-dynamic-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages count from rollover, so a backing index may
      # hold data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible; authentication history is lost once this runs.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for logs-logstash-default* indices
    # (Logstash's own logs).
    so-logstash:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        # NOTE(review): no `data_stream` is declared, so matching indices are
        # plain indices. The rollover action in the policy below needs a data
        # stream or a write alias, which this template does not provide —
        # confirm the alias is created elsewhere, otherwise rollover errors and
        # the index never ages out.
        index_patterns:
          - logs-logstash-default*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed/searchable on
              # that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # Binds the ILM policy under `policy:` below to indices created
              # from this template.
              lifecycle:
                name: so-logstash-logs
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - logstash-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        priority: 500
      # ILM policy body. Phase ages count from rollover, so an index may hold
      # data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible removal.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for logs-redis-default* indices
    # (Redis's own logs).
    so-redis:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        # NOTE(review): no `data_stream` is declared, so matching indices are
        # plain indices. The rollover action in the policy below needs a data
        # stream or a write alias, which this template does not provide —
        # confirm the alias is created elsewhere, otherwise rollover errors and
        # the index never ages out.
        index_patterns:
          - logs-redis-default*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed/searchable on
              # that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # Binds the ILM policy under `policy:` below to indices created
              # from this template.
              lifecycle:
                name: so-redis-logs
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - redis-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        priority: 500
      # ILM policy body. Phase ages count from rollover, so an index may hold
      # data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible removal.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for the logs-strelka-so* data stream
    # (Strelka file-scan results; note the extra so-file/so-scan components).
    so-strelka:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        # Data-stream template: append-only backing indices, @timestamp required.
        data_stream: {}
        index_patterns:
          - logs-strelka-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed, so long
              # scanner output in a dynamically mapped field is not searchable
              # on that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # NOTE(review): no index.lifecycle.name here, unlike so-suricata,
              # so-import and so-zeek. Unless the Salt state binds the policy
              # by another route, the `policy:` below is never attached and
              # these indices neither roll over nor expire — confirm.
              mapping:
                # Mapping-explosion guard: scanner output with unbounded field
                # names is a likely trigger; documents adding fields beyond
                # 5000 are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - so-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - so-scan-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages count from rollover, so a backing index may
      # hold data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible; snapshot first if evidence must outlive one year.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for logs-syslog-so* indices.
    # NOTE(review): this pattern is also matched by so-common (which declares
    # data_stream: {}) but at priority 500 this template wins, and it declares
    # no `data_stream`. If the writer targets the logs-syslog-so data stream,
    # Elasticsearch would instead create a plain index, on which the rollover
    # action below cannot run without a write alias — presumably unintended,
    # confirm.
    so-syslog:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        index_patterns:
          - logs-syslog-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed, so long
              # syslog messages in a dynamically mapped field are not
              # searchable on that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # NOTE(review): no index.lifecycle.name here, unlike so-suricata,
              # so-import and so-zeek. Unless the Salt state binds the policy
              # by another route, the `policy:` below is never attached and
              # these indices neither roll over nor expire — confirm.
              mapping:
                # Mapping-explosion guard; arbitrary syslog senders are a
                # likely trigger. Documents adding fields beyond 5000 are
                # rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              number_of_shards: 1
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - syslog-mappings
          - dtc-syslog-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - common-settings
          - common-dynamic-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages count from rollover, so an index may hold
      # data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible; snapshot first if evidence must outlive one year.
          delete:
            min_age: 365d
            actions:
              delete: {}
    # Index template and ILM policy for the logs-zeek-so* data stream
    # (Zeek network metadata).
    so-zeek:
      # Consumer-level flag, not an Elasticsearch setting.
      index_sorting: False
      index_template:
        # Data-stream template: append-only backing indices, @timestamp required.
        data_stream: {}
        index_patterns:
          - logs-zeek-so*
        template:
          mappings:
            dynamic_templates:
              # Undeclared string fields become keywords; values longer than
              # ignore_above are kept in _source but not indexed, so long
              # URIs/user agents in a dynamically mapped field are not
              # searchable on that field.
              - strings_as_keyword:
                  mapping:
                    ignore_above: 1024
                    type: keyword
                  match_mapping_type: string
            # Avoid mapping conflicts from date-looking strings.
            date_detection: false
          settings:
            index:
              # Binds the ILM policy under `policy:` below to the backing
              # indices created from this template.
              lifecycle:
                name: so-zeek-logs
              mapping:
                # Mapping-explosion guard; documents adding fields beyond 5000
                # are rejected.
                total_fields:
                  limit: 5000
              sort:
                field: "@timestamp"
                order: desc
              # Up to 30s before a new event is searchable.
              refresh_interval: 30s
              # Two primaries where the other templates use one — presumably
              # because Zeek volume is the highest; confirm.
              number_of_shards: 2
              # Single copy of the data; presumably overridden for multi-node
              # deployments — confirm.
              number_of_replicas: 0
        # Each component template must exist before this template is loaded.
        composed_of:
          - agent-mappings
          - dtc-agent-mappings
          - base-mappings
          - dtc-base-mappings
          - client-mappings
          - dtc-client-mappings
          - cloud-mappings
          - container-mappings
          - data_stream-mappings
          - destination-mappings
          - dtc-destination-mappings
          - pb-override-destination-mappings
          - dll-mappings
          - dns-mappings
          - dtc-dns-mappings
          - ecs-mappings
          - dtc-ecs-mappings
          - error-mappings
          - event-mappings
          - dtc-event-mappings
          - file-mappings
          - dtc-file-mappings
          - group-mappings
          - host-mappings
          - dtc-host-mappings
          - http-mappings
          - dtc-http-mappings
          - log-mappings
          - network-mappings
          - dtc-network-mappings
          - observer-mappings
          - dtc-observer-mappings
          - orchestrator-mappings
          - organization-mappings
          - package-mappings
          - process-mappings
          - dtc-process-mappings
          - registry-mappings
          - related-mappings
          - rule-mappings
          - dtc-rule-mappings
          - server-mappings
          - service-mappings
          - dtc-service-mappings
          - source-mappings
          - dtc-source-mappings
          - pb-override-source-mappings
          - syslog-mappings
          - dtc-syslog-mappings
          - threat-mappings
          - tls-mappings
          - tracing-mappings
          - url-mappings
          - user_agent-mappings
          - dtc-user_agent-mappings
          - vulnerability-mappings
          - zeek-mappings
          - common-settings
          - common-dynamic-mappings
        # Overrides the priority-1 so-common template for this pattern.
        priority: 500
      # ILM policy body. Phase ages count from rollover, so a backing index may
      # hold data for up to 30d + 365d before removal.
      policy:
        phases:
          hot:
            min_age: 0ms
            actions:
              # Restored first after a restart.
              set_priority:
                priority: 100
              # Roll over at 30 days or 50gb per primary shard, whichever first.
              rollover:
                max_age: 30d
                max_primary_shard_size: 50gb
          cold:
            min_age: 30d
            actions:
              # Restored last after a restart.
              set_priority:
                priority: 0
          # Irreversible; snapshot first if evidence must outlive one year.
          delete:
            min_age: 365d
            actions:
              delete: {}