securityonion/salt/elasticfleet/soc_elasticfleet.yaml

elasticfleet:
  enabled:
    description: Enables or disables the Elastic Fleet process. This process is critical for managing Elastic Agents.
    advanced: True
    helpLink: elastic-fleet.html
  enable_manager_output:
    description: Setting this option to False should only be considered if there is at least one receiver node in the grid. If True, Elastic Agent will send events to the manager and receivers. If False, events will only be send to the receivers.
    advanced: True
    global: True
    forcedType: bool
    helpLink: elastic-fleet.html
  files:
    soc:
      elastic-defend-disabled-filters__yaml:
        title: Disabled Elastic Defend filters
        description: Enter the ID of the filter that should be disabled.
        syntax: yaml
        file: True
        global: True
        helpLink: elastic-fleet.html
        advanced: True
      elastic-defend-custom-filters__yaml:
        title: Custom Elastic Defend filters
        description: Enter custom filters seperated by ---
        syntax: yaml
        file: True
        global: True
        helpLink: elastic-fleet.html
        advanced: True
  logging:
    zeek:
      excluded:
        description: This is a list of Zeek logs that are excluded from being shipped through the data processing pipeline. If you remove a log from this list, Elastic Agent will attempt to process it. If an ingest node pipeline is not available to process the logs, you may experience errors.
        forcedType: "[]string"
        helpLink: zeek.html
  config:
    defend_filters:
      enable_auto_configuration:
        description: Enable auto-configuration and management of the Elastic Defend Exclusion filters.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
    subscription_integrations:
      description: Enable the installation of integrations that require an Elastic license.
      global: True
      forcedType: bool
      helpLink: elastic-fleet.html
    auto_upgrade_integrations:
      description: Enables or disables automatically upgrading Elastic Agent integrations.
      global: True
      forcedType: bool
      helpLink: elastic-fleet.html
    server:
      custom_fqdn:
        description: Custom FQDN for Agents to connect to. One per line.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: "[]string"
      enable_auto_configuration:
        description: Enable auto-configuration of Logstash Outputs & Fleet Host URLs.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
      endpoints_enrollment:
        description: Endpoint enrollment key.
        global: True
        helpLink: elastic-fleet.html
        sensitive: True
        advanced: True
      es_token:
        description: Elastic auth token.
        global: True
        helpLink: elastic-fleet.html
        sensitive: True
        advanced: True
      grid_enrollment:
        description: Grid enrollment key.
        global: True
        helpLink: elastic-fleet.html
        sensitive: True
        advanced: True
  optional_integrations:
    sublime_platform:
      enabled_nodes:
        description: Fleet nodes with the Sublime Platform integration enabled. Enter one per line.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: "[]string"
      api_key:
        description: API key for Sublime Platform.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
        sensitive: True
      base_url:
        description: Base URL for Sublime Platform.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
      poll_interval:
        description: Poll interval for alerts from Sublime Platform.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
      limit:
        description: The maximum number of message groups to return from Sublime Platform.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: int
    kismet:
      base_url:
        description: Base URL for Kismet.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
      poll_interval:
        description: Poll interval for wireless device data from Kismet. Integration is currently configured to return devices seen as active by any Kismet sensor within the last 10 minutes.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
      api_key:
        description: API key for Kismet.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: string
        sensitive: True
      enabled_nodes:
        description: Fleet nodes with the Kismet integration enabled. Enter one per line.
        global: True
        helpLink: elastic-fleet.html
        advanced: True
        forcedType: "[]string"