CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-04-30 00:17:51 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ed9b74dc330c8b06bb15e75a0aef38b918aad336
securityonion/salt/elasticsearch/templates/so/so-common-template.json.jinja
T
weslambert a90bc9dba9 Add mapping for scan.pe.sections.entropy
2022-01-14 16:58:53 -05:00

1068 lines
24 KiB
Django/Jinja
Raw Blame History

{%- set INDEX_SORTING = salt['pillar.get']('elasticsearch:index_sorting', True) %}
{%- set REPLICAS = salt['pillar.get']('elasticsearch:replicas', 0) %}
{%- set REFRESH = salt['pillar.get']('elasticsearch:index_settings:so-common:refresh', '30s') %}
{
"index_patterns": ["so-*"],
"version":50001,
"order":10,
"settings":{
"number_of_replicas":{{ REPLICAS }},
"number_of_shards":1,
"index.refresh_interval":"{{ REFRESH }}",
"index.routing.allocation.require.box_type":"hot",
"index.mapping.total_fields.limit": "1500",
{%- if INDEX_SORTING is sameas true %}
"index.sort.field": "@timestamp",
"index.sort.order": "desc",
{%- endif %}
"analysis": {
"analyzer": {
"es_security_analyzer": {
"type": "custom",
"char_filter": [ "whitespace_no_way" ],
"filter": [ "lowercase", "trim" ],
"tokenizer": "keyword"
}
},
"char_filter": {
"whitespace_no_way": {
"type": "pattern_replace",
"pattern": "(\\s)+",
"replacement": "$1"
}
},
"filter" : {
"path_hierarchy_pattern_filter": {
"type" : "pattern_capture",
"preserve_original": true,
"patterns": [
"((?:[^\\\\]*\\\\)*)(.*)",
"((?:[^/]*/)*)(.*)"
]
}
},
"tokenizer": {
"path_tokenizer": {
"type": "path_hierarchy",
"delimiter": "\\"
}
}
}
},
"mappings":{
"dynamic":false,
"date_detection":false,
"dynamic_templates": [
{
"ip_address": {
"match_mapping_type": "string",
"path_match": "*.ip",
"mapping": {
"type": "ip",
"fields" : {
"keyword" : {
"ignore_above" : 45,
"type" : "keyword"
}
}
}
}
},
{
"port": {
"path_match": "*.port",
"path_unmatch": "*.data.port",
"mapping": {
"type": "integer",
"fields" : {
"keyword" : {
"ignore_above" : 6,
"type" : "keyword"
}
}
}
}
},
{
"strings": {
"match_mapping_type": "string",
"mapping": {
"type": "text",
"fields": {
"keyword": {
"ignore_above": 32765,
"type": "keyword"
},
"security": {
"type": "text",
"analyzer": "es_security_analyzer"
}
}
}
}
}],
"properties":{
"@timestamp":{
"type":"date"
},
"@version":{
"type":"keyword"
},
"osquery":{
"type":"object",
"dynamic":true
},
"geoip":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"destination_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"source_geo":{
"dynamic":true,
"properties":{
"ip":{
"type":"ip"
},
"location":{
"type":"geo_point"
},
"latitude":{
"type":"half_float"
},
"longitude":{
"type":"half_float"
}
}
},
"agent": {
"type":"object",
"dynamic": true,
"properties": {
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"as":{
"type":"object",
"dynamic": true
},
"alert":{
"type":"object",
"dynamic": true
},
"client":{
"type":"object",
"dynamic": true
},
"cloud":{
"type":"object",
"dynamic": true
},
"code_signature":{
"type":"object",
"dynamic": true
},
"connection":{
"type":"object",
"dynamic": true
},
"container":{
"type":"object",
"dynamic": true
},
"data":{
"type":"object",
"dynamic": true
},
"dce_rpc":{
"type":"object",
"dynamic": true
},
"destination":{
"type":"object",
"dynamic": true
},
"dhcp":{
"type":"object",
"dynamic": true
},
"dnp3":{
"type":"object",
"dynamic": true
},
"dns":{
"type":"object",
"dynamic": true
},
"dll":{
"type":"object",
"dynamic": true
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"error":{
"type":"object",
"dynamic": true
},
"event": {
"properties": {
"acknowledged": {
"type": "boolean",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"dataset": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"duration": {
"type": "long"
},
"end": {
"type": "date"
},
"escalated": {
"type": "boolean",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"original": {
"doc_values": false,
"ignore_above": 1024,
"index": false,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score": {
"type": "float"
},
"risk_score_norm": {
"type": "float"
},
"sequence": {
"type": "long"
},
"severity": {
"type": "long"
},
"severity_label": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"start": {
"type": "date"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"url": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"event_data":{
"type":"object",
"dynamic": true
},
"file":{
"type":"object",
"dynamic": true
},
"flow":{
"type":"object",
"dynamic": true
},
"ftp":{
"type":"object",
"dynamic": true
},
"geo":{
"type":"object",
"dynamic": true
},
"group":{
"type":"object",
"dynamic": true
},
"hash":{
"type":"object",
"dynamic": true
},
"host":{
"type":"object",
"dynamic": true,
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"http":{
"type":"object",
"dynamic": true,
"properties": {
"request": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bytes": {
"type": "long"
},
"method": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"referrer": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"response": {
"properties": {
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"bytes": {
"type": "long"
},
"status_code": {
"type": "long"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"import":{
"type":"object",
"dynamic": true
},
"ingest":{
"type":"object",
"dynamic": true,
"properties":{
"timestamp":{
"type":"date"
}
}
},
"intel":{
"type":"object",
"dynamic": true,
"properties":{
"indicator":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword"
}
}
}
}
},
"interface":{
"type":"object",
"dynamic": true
},
"ip":{
"type":"object",
"dynamic": true
},
"irc":{
"type":"object",
"dynamic": true
},
"kerberos":{
"type":"object",
"dynamic": true
},
"log":{
"type":"object",
"dynamic": true,
"properties": {
"level": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"logscan": {
"type": "object",
"dynamic": true
},
"manager":{
"type":"object",
"dynamic": true
},
"message":{
"type":"text",
"fields":{
"keyword":{
"type":"keyword",
"ignore_above": 32766
}
}
},
"modbus":{
"type":"object",
"dynamic": true
},
"mysql":{
"type":"object",
"dynamic": true
},
"network":{
"type":"object",
"dynamic": true
},
"notice":{
"type":"object",
"dynamic": true
},
"ntlm":{
"type":"object",
"dynamic": true
},
"observer":{
"type":"object",
"dynamic": true
},
"organization":{
"type":"object",
"dynamic": true
},
"os":{
"type":"object",
"dynamic": true
},
"package":{
"type":"object",
"dynamic": true
},
"pe":{
"type":"object",
"dynamic": true
},
"process":{
"type":"object",
"dynamic": true
},
"radius":{
"type":"object",
"dynamic": true
},
"rdp":{
"type":"object",
"dynamic": true
},
"registry":{
"type":"object",
"dynamic": true
},
"related":{
"type":"object",
"dynamic": true
},
"request":{
"type":"object",
"dynamic": true
},
"result":{
"type":"object",
"dynamic": true
},
"rfb":{
"type":"object",
"dynamic": true
},
"rule":{
"type":"object",
"dynamic":true,
"properties":{
"score":{
"type":"long"
},
"uuid":{
"type":"keyword"
}
}
},
"scan":{
"type":"object",
"dynamic": true,
"properties":{
"exiftool":{
"type":"text"
},
"pe":{
"properties":{
"sections":{
"properties":{
"entropy":{
"type": "float"
}
}
}
}
}
}
},
"server":{
"type":"object",
"dynamic": true
},
"service":{
"type":"object",
"dynamic": true,
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"sip":{
"type":"object",
"dynamic": true
},
"smb":{
"type":"object",
"dynamic": true
},
"smtp":{
"type":"object",
"dynamic": true
},
"snmp":{
"type":"object",
"dynamic": true
},
"socks":{
"type":"object",
"dynamic": true
},
"software":{
"type":"object",
"dynamic": true
},
"source":{
"type":"object",
"dynamic": true,
"properties" : {
"address": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
}
}
},
"ssh":{
"type":"object",
"dynamic": true
},
"ssl":{
"type":"object",
"dynamic": true
},
"syslog":{
"type":"object",
"dynamic": true
},
"tags": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"keyword": {
"type": "keyword"
}
}
},
"threat":{
"type":"object",
"dynamic": true
},
"tls":{
"type":"object",
"dynamic": true
},
"trace":{
"type":"object",
"dynamic": true
},
"tunnel":{
"type":"object",
"dynamic": true
},
"user":{
"type":"object",
"dynamic": true
},
"user_agent":{
"type":"object",
"dynamic": true,
"properties": {
"original": {
"fields": {
"keyword": {
"type": "keyword"
},
"text": {
"norms": false,
"type": "text"
}
},
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version":{
"type":"object",
"dynamic": true
},
"vlan":{
"type":"object",
"dynamic": true
},
"vulnerability":{
"type":"object",
"dynamic": true
},
"weird":{
"type":"object",
"dynamic": true
},
"winlog":{
"type":"object",
"dynamic": true,
"properties":{
"event_id":{
"type":"long"
},
"event_data":{
"type":"object"
},
"version":{
"type":"long"
}
}
},
"x509":{
"type":"object",
"dynamic": true
},
"suricata":{
"type":"object",
"dynamic": true
},
"zeek":{
"type":"object",
"dynamic": true
},
"aws":{
"type":"object",
"dynamic": true
},
"azure":{
"type":"object",
"dynamic": true
},
"barracuda":{
"type":"object",
"dynamic": true
},
"bluecoat":{
"type":"object",
"dynamic": true
},
"cef":{
"type":"object",
"dynamic": true
},
"checkpoint":{
"type":"object",
"dynamic": true
},
"cisco":{
"type":"object",
"dynamic": true
},
"cyberark":{
"type":"object",
"dynamic": true
},
"cylance":{
"type":"object",
"dynamic": true
},
"f5":{
"type":"object",
"dynamic": true
},
"fortinet":{
"type":"object",
"dynamic": true
},
"gcp":{
"type":"object",
"dynamic": true
},
"google_workspace":{
"type":"object",
"dynamic": true
},
"imperva":{
"type":"object",
"dynamic": true
},
"infoblox":{
"type":"object",
"dynamic": true
},
"juniper":{
"type":"object",
"dynamic": true
},
"microsoft":{
"type":"object",
"dynamic": true
},
"misp":{
"type":"object",
"dynamic": true
},
"netflow":{
"type":"object",
"dynamic": true
},
"netscout":{
"type":"object",
"dynamic": true
},
"o365":{
"type":"object",
"dynamic": true
},
"okta":{
"type":"object",
"dynamic": true
},
"proofpoint":{
"type":"object",
"dynamic": true
},
"radware":{
"type":"object",
"dynamic": true
},
"snort":{
"type":"object",
"dynamic": true
},
"snyk":{
"type":"object",
"dynamic": true
},
"sonicwall":{
"type":"object",
"dynamic": true
},
"sophos":{
"type":"object",
"dynamic": true
},
"squid":{
"type":"object",
"dynamic": true
},
"tomcat":{
"type":"object",
"dynamic": true
},
"zcaler":{
"type":"object",
"dynamic": true
},
"elasticsearch":{
"type":"object",
"dynamic": true
},
"kibana":{
"type":"object",
"dynamic": true
},
"logstash":{
"type":"object",
"dynamic": true
},
"redis":{
"type":"object",
"dynamic": true
},
"wazuh":{
"type":"object",
"dynamic": true
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink