diff --git a/elastic/security/README.md b/elastic/security/README.md index 63594859..11af3b14 100644 --- a/elastic/security/README.md +++ b/elastic/security/README.md @@ -101,7 +101,9 @@ The following parameters are available: * `number_of_replicas` (default: 1) - The number of replicas to set per Data Stream. The same value is used for all Data Streams. * `bulk_indexing_clients` (default: 8) - The number of clients issuing indexing requests. * `bulk_size` (default: 50) - The number of documents to send per indexing request. -* `force_merge_max_num_segments` (default: unset): An integer specifying the max amount of segments the force-merge operation should use. Only supported in `security-indexing-querying` track. +* `force_merge_max_num_segments` (default: unset): An integer specifying the max amount of segments the force-merge operation should use. Only supported in `security-indexing-querying` track. +* `logs_endpoint_from_kibana` (default: false): Skip creation of endpoint templates. Used when templates are expected from kibana. +* `include_non_serverless_index_settings` (default: true for non-serverless clusters, false for serverless clusters): Whether to include non-serverless index settings. ### Querying parameters diff --git a/elastic/security/ilm/logs-endpoint.collection-diagnostic.json b/elastic/security/ilm/logs-endpoint.collection-diagnostic.json deleted file mode 100644 index 24f9a3ea..00000000 --- a/elastic/security/ilm/logs-endpoint.collection-diagnostic.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "policy": { - "phases": { - "hot": { - "min_age": "0ms", - "actions": { - "rollover": { - "max_size": "1gb", - "max_age": "7d", - "max_docs": 10000 - } - } - }, - "delete": { - "min_age": "10m", - "actions": { - "delete": { - "delete_searchable_snapshot": true - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} diff --git a/elastic/security/ilm/logs.json b/elastic/security/ilm/logs.json deleted file mode 100644 index f0a1dccc..00000000 --- a/elastic/security/ilm/logs.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "policy": { - "phases": { - "hot": { - "min_age": "0ms", - "actions": { - "rollover": { - "max_primary_shard_size": "50gb", - "max_age": "30d" - } - } - } - }, - "_meta": { - "description": "default policy for the logs index template installed by x-pack", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/.fleet_final_pipeline-1.json b/elastic/security/pipelines/.fleet_final_pipeline-1.json index ff7d6617..448d8e79 100644 --- a/elastic/security/pipelines/.fleet_final_pipeline-1.json +++ b/elastic/security/pipelines/.fleet_final_pipeline-1.json @@ -1,24 +1,17 @@ { - "version": 2, + "version": 4, "_meta": { "managed_by": "fleet", "managed": true }, "description": "Final pipeline for processing all incoming Fleet Agent documents.\n", "processors": [ - { - "set": { - "description": "Add time when event was ingested.", - "field": "event.ingested", - "copy_from": "_ingest.timestamp" - } - }, { "script": { - "description": "Remove sub-seconds from event.ingested to improve storage efficiency.", + "description": "Add time when event was ingested (and remove sub-seconds to improve storage efficiency)", "tag": "truncate-subseconds-event-ingested", - "source": "ctx.event.ingested = ctx.event.ingested.withNano(0).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);", - "ignore_failure": true + "ignore_failure": true, + "source": "if (ctx?.event == null) {\n ctx.event = [:];\n}\n\nctx.event.ingested = metadata().now.withNano(0).format(DateTimeFormatter.ISO_OFFSET_DATE_TIME);" } }, { @@ -31,6 +24,15 @@ "ignore_missing": true } }, + { + "remove": { + "description": "Remove event.original unless the preserve_original_event tag is set", + "field": "event.original", + "if": "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))", + "ignore_failure": true, + "ignore_missing": true + } + }, { "set_security_user": { "field": "_security", diff --git a/elastic/security/pipelines/logs-endpoint.action.responses-8.2.0.json b/elastic/security/pipelines/logs-endpoint.action.responses-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.action.responses-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.actions-8.2.0.json b/elastic/security/pipelines/logs-endpoint.actions-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.actions-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.alerts-8.2.0.json b/elastic/security/pipelines/logs-endpoint.alerts-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.alerts-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.diagnostic.collection-8.2.0.json b/elastic/security/pipelines/logs-endpoint.diagnostic.collection-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.diagnostic.collection-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.file-8.15.1.json b/elastic/security/pipelines/logs-endpoint.events.file-8.15.1.json new file mode 100644 index 00000000..05d39b67 --- /dev/null +++ b/elastic/security/pipelines/logs-endpoint.events.file-8.15.1.json @@ -0,0 +1,47 @@ +{ + "description": "Pipeline for setting event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{ _ingest.timestamp }}", + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.file@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.file` dataset" + } + } + ], + "_meta": { + "managed_by": "fleet", + "managed": true, + "package": { + "name": "endpoint" + } + } +} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.file-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.file-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.events.file-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.library-8.15.1.json b/elastic/security/pipelines/logs-endpoint.events.library-8.15.1.json new file mode 100644 index 00000000..6c5ce705 --- /dev/null +++ b/elastic/security/pipelines/logs-endpoint.events.library-8.15.1.json @@ -0,0 +1,47 @@ +{ + "description": "Pipeline for setting event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{ _ingest.timestamp }}", + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.library@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.library` dataset" + } + } + ], + "_meta": { + "managed_by": "fleet", + "managed": true, + "package": { + "name": "endpoint" + } + } +} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.library-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.library-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.events.library-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.network-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.network-8.15.1.json similarity index 83% rename from elastic/security/pipelines/logs-endpoint.events.network-8.2.0.json rename to elastic/security/pipelines/logs-endpoint.events.network-8.15.1.json index 1a1d1515..e93357b2 100644 --- a/elastic/security/pipelines/logs-endpoint.events.network-8.2.0.json +++ b/elastic/security/pipelines/logs-endpoint.events.network-8.15.1.json @@ -117,6 +117,34 @@ "ignore_missing": true, "field": "dns.question.Ext_temp" } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.network@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.network` dataset" + } } ], "_meta": { diff --git a/elastic/security/pipelines/logs-endpoint.events.process-8.15.1.json b/elastic/security/pipelines/logs-endpoint.events.process-8.15.1.json new file mode 100644 index 00000000..9dc860c2 --- /dev/null +++ b/elastic/security/pipelines/logs-endpoint.events.process-8.15.1.json @@ -0,0 +1,47 @@ +{ + "description": "Pipeline for setting event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{ _ingest.timestamp }}", + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.process@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.process` dataset" + } + } + ], + "_meta": { + "managed_by": "fleet", + "managed": true, + "package": { + "name": "endpoint" + } + } +} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.process-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.process-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.events.process-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.registry-8.15.1.json b/elastic/security/pipelines/logs-endpoint.events.registry-8.15.1.json new file mode 100644 index 00000000..8ee5322c --- /dev/null +++ b/elastic/security/pipelines/logs-endpoint.events.registry-8.15.1.json @@ -0,0 +1,47 @@ +{ + "description": "Pipeline for setting event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{ _ingest.timestamp }}", + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.registry@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.registry` dataset" + } + } + ], + "_meta": { + "managed_by": "fleet", + "managed": true, + "package": { + "name": "endpoint" + } + } +} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.registry-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.registry-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.events.registry-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.security-8.15.1.json b/elastic/security/pipelines/logs-endpoint.events.security-8.15.1.json new file mode 100644 index 00000000..2843753d --- /dev/null +++ b/elastic/security/pipelines/logs-endpoint.events.security-8.15.1.json @@ -0,0 +1,47 @@ +{ + "description": "Pipeline for setting event.ingested", + "processors": [ + { + "set": { + "field": "event.ingested", + "value": "{{ _ingest.timestamp }}", + "ignore_failure": true + } + }, + { + "pipeline": { + "name": "global@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Global pipeline for all data streams" + } + }, + { + "pipeline": { + "name": "logs@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs`" + } + }, + { + "pipeline": { + "name": "logs-endpoint.integration@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for all data streams of type `logs` defined by the `endpoint` integration" + } + }, + { + "pipeline": { + "name": "logs-endpoint.events.security@custom", + "ignore_missing_pipeline": true, + "description": "[Fleet] Pipeline for the `endpoint.events.security` dataset" + } + } + ], + "_meta": { + "managed_by": "fleet", + "managed": true, + "package": { + "name": "endpoint" + } + } +} \ No newline at end of file diff --git a/elastic/security/pipelines/logs-endpoint.events.security-8.2.0.json b/elastic/security/pipelines/logs-endpoint.events.security-8.2.0.json deleted file mode 100644 index a3a84d0a..00000000 --- a/elastic/security/pipelines/logs-endpoint.events.security-8.2.0.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "description": "Pipeline for setting event.ingested", - "processors": [ - { - "set": { - "field": "event.ingested", - "value": "{{ _ingest.timestamp }}", - "ignore_failure": true - } - } - ], - "_meta": { - "managed_by": "fleet", - "managed": true, - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/tasks/index-setup.json b/elastic/security/tasks/index-setup.json index ff4becbd..b130f781 100644 --- a/elastic/security/tasks/index-setup.json +++ b/elastic/security/tasks/index-setup.json @@ -47,12 +47,16 @@ "operation": { "operation-type": "create-composable-template", "param-source": "composable-template-source", + {# non-serverless-index-settings-marker-start #}{%- if build_flavor != "serverless" or serverless_operator == true -%} + {% if p_include_non_serverless_index_settings %} "settings": { "index": { "number_of_shards": {{ p_number_of_shards }}, "number_of_replicas": {{ p_number_of_replicas }} } }, + {% endif %} + {%- endif -%}{# non-serverless-index-settings-marker-end #} "remove-routing-shards": true, "remove-pipelines": false } diff --git a/elastic/security/templates/component/.fleet_component_template-1.json b/elastic/security/templates/component/.fleet_component_template-1.json deleted file mode 100644 index 571aad3e..00000000 --- a/elastic/security/templates/component/.fleet_component_template-1.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "template": { - "settings": { - "index": { - "final_pipeline": ".fleet_final_pipeline-1" - } - }, - "mappings": { - "properties": { - "event": { - "properties": { - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "format": "strict_date_time_no_millis||strict_date_optional_time||epoch_millis", - "type": "date" - } - } - } - } - } - }, - "_meta": {} -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.alerts@custom.json b/elastic/security/templates/component/logs-endpoint.alerts@custom.json deleted file mode 100644 index 1fee45a1..00000000 --- a/elastic/security/templates/component/logs-endpoint.alerts@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.alerts@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.file@custom.json b/elastic/security/templates/component/logs-endpoint.events.file@custom.json deleted file mode 100644 index 9bcf845f..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.file@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.file@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.file@mappings.json b/elastic/security/templates/component/logs-endpoint.events.file@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.file@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.file@package.json b/elastic/security/templates/component/logs-endpoint.events.file@package.json index 9acdfaf5..406d28f6 100644 --- a/elastic/security/templates/component/logs-endpoint.events.file@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.file@package.json @@ -11,130 +11,11 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.file-8.15.1", "mapping": { "total_fields": { - "limit": "10000" + "limit": "1000" } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.Ext.correlation.id", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "file.Ext.header_bytes", - "file.Ext.header_data", - "file.Ext.malware_signature.all_names", - "file.Ext.malware_signature.identifier", - "file.Ext.malware_signature.primary.signature.hash.sha256", - "file.Ext.malware_signature.primary.signature.id", - "file.Ext.malware_signature.primary.signature.name", - "file.Ext.malware_signature.version", - "file.Ext.original.gid", - "file.Ext.original.group", - "file.Ext.original.mode", - "file.Ext.original.name", - "file.Ext.original.owner", - "file.Ext.original.path", - "file.Ext.original.uid", - "file.Ext.windows.zone_identifier", - "file.attributes", - "file.device", - "file.directory", - "file.drive_letter", - "file.extension", - "file.gid", - "file.group", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.inode", - "file.mime_type", - "file.mode", - "file.name", - "file.owner", - "file.path", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "file.target_path", - "file.type", - "file.uid", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, @@ -164,31 +45,98 @@ "ancestry": { "ignore_above": 1024, "type": "keyword" + }, + "code_signature": { + "type": "nested", + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, - "name": { - "ignore_above": 1024, - "type": "keyword", - "fields": { - "caseless": { - "normalizer": "lowercase", + "parent": { + "properties": { + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid": { + "type": "long" + }, + "entity_id": { "ignore_above": 1024, "type": "keyword" - }, - "text": { - "type": "text" } } }, - "pid": { - "type": "long" + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "args_count": { + "pid": { "type": "long" }, "thread": { "properties": { + "Ext": { + "properties": { + "call_stack_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_stack": { + "properties": { + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_trailing_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_leading_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_private_bytes": { + "type": "unsigned_long" + } + }, + "enabled": true + }, + "hardware_breakpoint_set": { + "type": "boolean" + } + } + }, "id": { "type": "long" } @@ -214,6 +162,76 @@ }, "ppid": { "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry_leader": { + "properties": { + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "caseless": { + "normalizer": "lowercase", + "ignore_above": 1024, + "type": "keyword" + }, + "text": { + "type": "text" + } + } + }, + "args_count": { + "type": "long" } } }, @@ -320,9 +338,36 @@ } }, "message": { - "type": "text" + "type": "match_only_text" + }, + "Persistence": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "keepalive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "runatload": { + "type": "boolean" + } + } }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "file": { @@ -401,6 +446,10 @@ "ignore_above": 1024, "type": "keyword" }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, "gid": { "ignore_above": 1024, "type": "keyword" @@ -427,15 +476,47 @@ } } }, + "device": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume_device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "monotonic_id": { "type": "unsigned_long" } } }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, "extension": { "ignore_above": 1024, "type": "keyword" @@ -448,9 +529,6 @@ "ignore_above": 1, "type": "keyword" }, - "created": { - "type": "date" - }, "accessed": { "type": "date" }, @@ -465,7 +543,15 @@ "ignore_above": 1024, "type": "keyword" }, - "target_path": { + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { "ignore_above": 1024, "type": "keyword", "fields": { @@ -479,15 +565,33 @@ } } }, - "inode": { + "uid": { "ignore_above": 1024, "type": "keyword" }, - "mode": { + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "ctime": { + "type": "date" + }, + "group": { "ignore_above": 1024, "type": "keyword" }, - "path": { + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "target_path": { "ignore_above": 1024, "type": "keyword", "fields": { @@ -501,10 +605,6 @@ } } }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, "size": { "type": "long" }, @@ -544,9 +644,6 @@ "ignore_above": 1024, "type": "keyword" }, - "ctime": { - "type": "date" - }, "attributes": { "ignore_above": 1024, "type": "keyword" @@ -574,10 +671,6 @@ "type": "keyword" } } - }, - "group": { - "ignore_above": 1024, - "type": "keyword" } } }, @@ -589,6 +682,25 @@ } } }, + "Effective_process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "data_stream": { "properties": { "namespace": { @@ -640,6 +752,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -791,7 +907,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -804,7 +920,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.file@settings.json b/elastic/security/templates/component/logs-endpoint.events.file@settings.json deleted file mode 100644 index 29299dee..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.file@settings.json +++ /dev/null @@ -1,145 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.Ext.correlation.id", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "file.Ext.header_bytes", - "file.Ext.header_data", - "file.Ext.malware_signature.all_names", - "file.Ext.malware_signature.identifier", - "file.Ext.malware_signature.primary.signature.hash.sha256", - "file.Ext.malware_signature.primary.signature.id", - "file.Ext.malware_signature.primary.signature.name", - "file.Ext.malware_signature.version", - "file.Ext.original.gid", - "file.Ext.original.group", - "file.Ext.original.mode", - "file.Ext.original.name", - "file.Ext.original.owner", - "file.Ext.original.path", - "file.Ext.original.uid", - "file.Ext.windows.zone_identifier", - "file.attributes", - "file.device", - "file.directory", - "file.drive_letter", - "file.extension", - "file.gid", - "file.group", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.inode", - "file.mime_type", - "file.mode", - "file.name", - "file.owner", - "file.path", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "file.target_path", - "file.type", - "file.uid", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.library@custom.json b/elastic/security/templates/component/logs-endpoint.events.library@custom.json deleted file mode 100644 index 0e531b62..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.library@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.library@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.library@mappings.json b/elastic/security/templates/component/logs-endpoint.events.library@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.library@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.library@package.json b/elastic/security/templates/component/logs-endpoint.events.library@package.json index b541ab25..957b00b8 100644 --- a/elastic/security/templates/component/logs-endpoint.events.library@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.library@package.json @@ -11,130 +11,11 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.library-8.15.1", "mapping": { "total_fields": { - "limit": "10000" + "limit": "1000" } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "dll.Ext.code_signature.status", - "dll.Ext.code_signature.subject_name", - "dll.Ext.defense_evasions", - "dll.code_signature.signing_id", - "dll.code_signature.status", - "dll.code_signature.subject_name", - "dll.code_signature.team_id", - "dll.hash.md5", - "dll.hash.sha1", - "dll.hash.sha256", - "dll.hash.sha512", - "dll.name", - "dll.path", - "dll.pe.company", - "dll.pe.description", - "dll.pe.file_version", - "dll.pe.imphash", - "dll.pe.original_file_name", - "dll.pe.product", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "file.Ext.code_signature.status", - "file.Ext.code_signature.subject_name", - "file.code_signature.signing_id", - "file.code_signature.status", - "file.code_signature.subject_name", - "file.code_signature.team_id", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.Ext.code_signature.status", - "process.Ext.code_signature.subject_name", - "process.code_signature.signing_id", - "process.code_signature.status", - "process.code_signature.subject_name", - "process.code_signature.team_id", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, @@ -186,6 +67,10 @@ "type": "keyword" } } + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -237,6 +122,41 @@ }, "thread": { "properties": { + "Ext": { + "properties": { + "call_stack_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_stack": { + "properties": { + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_trailing_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_leading_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_private_bytes": { + "type": "unsigned_long" + } + }, + "enabled": true + }, + "hardware_breakpoint_set": { + "type": "boolean" + } + } + }, "id": { "type": "long" } @@ -292,8 +212,53 @@ } } }, + "size": { + "type": "unsigned_long" + }, + "relative_file_creation_time": { + "type": "double" + }, "load_index": { "type": "unsigned_long" + }, + "device": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume_device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "relative_file_name_modify_time": { + "type": "double" } } }, @@ -487,9 +452,10 @@ } }, "message": { - "type": "text" + "type": "match_only_text" }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "file": { @@ -625,6 +591,25 @@ } } }, + "Effective_process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "data_stream": { "properties": { "namespace": { @@ -676,6 +661,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -815,7 +804,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -828,7 +817,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.library@settings.json b/elastic/security/templates/component/logs-endpoint.events.library@settings.json deleted file mode 100644 index 22b0c1ab..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.library@settings.json +++ /dev/null @@ -1,135 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "dll.Ext.code_signature.status", - "dll.Ext.code_signature.subject_name", - "dll.Ext.defense_evasions", - "dll.code_signature.signing_id", - "dll.code_signature.status", - "dll.code_signature.subject_name", - "dll.code_signature.team_id", - "dll.hash.md5", - "dll.hash.sha1", - "dll.hash.sha256", - "dll.hash.sha512", - "dll.name", - "dll.path", - "dll.pe.company", - "dll.pe.description", - "dll.pe.file_version", - "dll.pe.imphash", - "dll.pe.original_file_name", - "dll.pe.product", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "file.Ext.code_signature.status", - "file.Ext.code_signature.subject_name", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.hash.sha512", - "file.name", - "file.path", - "file.pe.company", - "file.pe.description", - "file.pe.file_version", - "file.pe.imphash", - "file.pe.original_file_name", - "file.pe.product", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.network@custom.json b/elastic/security/templates/component/logs-endpoint.events.network@custom.json deleted file mode 100644 index 37131af8..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.network@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.network@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.network@mappings.json b/elastic/security/templates/component/logs-endpoint.events.network@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.network@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.network@package.json b/elastic/security/templates/component/logs-endpoint.events.network@package.json index 201be000..bc94be10 100644 --- a/elastic/security/templates/component/logs-endpoint.events.network@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.network@package.json @@ -11,112 +11,11 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.network-8.15.1", "mapping": { "total_fields": { - "limit": "10000" + "limit": "1000" } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.address", - "destination.as.organization.name", - "destination.domain", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "destination.registered_domain", - "destination.top_level_domain", - "dns.Ext.options", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "http.request.body.content", - "http.response.Ext.version", - "http.response.body.content", - "network.community_id", - "network.direction", - "network.iana_number", - "network.protocol", - "network.transport", - "network.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.address", - "source.as.organization.name", - "source.domain", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "source.registered_domain", - "source.top_level_domain", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, @@ -146,6 +45,105 @@ "ancestry": { "ignore_above": 1024, "type": "keyword" + }, + "code_signature": { + "type": "nested", + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "parent": { + "properties": { + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry_leader": { + "properties": { + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -254,7 +252,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } } @@ -395,7 +393,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } } @@ -434,7 +432,7 @@ } }, "message": { - "type": "text" + "type": "match_only_text" }, "network": { "properties": { @@ -471,6 +469,7 @@ } }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "ecs": { @@ -532,6 +531,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -602,10 +605,10 @@ }, "content": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } } @@ -636,10 +639,10 @@ }, "content": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } } @@ -732,7 +735,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -745,7 +748,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.network@settings.json b/elastic/security/templates/component/logs-endpoint.events.network@settings.json deleted file mode 100644 index d70ad22b..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.network@settings.json +++ /dev/null @@ -1,125 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.address", - "destination.domain", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "destination.registered_domain", - "destination.top_level_domain", - "dns.Ext.options", - "dns.question.name", - "dns.question.registered_domain", - "dns.question.subdomain", - "dns.question.top_level_domain", - "dns.question.type", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "http.request.body.content", - "http.response.Ext.version", - "http.response.body.content", - "network.community_id", - "network.direction", - "network.iana_number", - "network.protocol", - "network.transport", - "network.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.address", - "source.domain", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "source.registered_domain", - "source.top_level_domain", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.process@custom.json b/elastic/security/templates/component/logs-endpoint.events.process@custom.json deleted file mode 100644 index f28d836e..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.process@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.process@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.process@mappings.json b/elastic/security/templates/component/logs-endpoint.events.process@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.process@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.process@package.json b/elastic/security/templates/component/logs-endpoint.events.process@package.json index 736babfd..88fb1cad 100644 --- a/elastic/security/templates/component/logs-endpoint.events.process@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.process@package.json @@ -11,257 +11,49 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.process-8.15.1", "mapping": { "total_fields": { "limit": "10000" } - }, - "query": { - "default_field": [ - "message", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.boot.id", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.pid_ns_ino", - "host.type", - "package.name", - "process.Ext.ancestry", - "process.Ext.architecture", - "process.Ext.authentication_id", - "process.Ext.code_signature.status", - "process.Ext.code_signature.subject_name", - "process.Ext.defense_evasions", - "process.Ext.dll.Ext.code_signature.status", - "process.Ext.dll.Ext.code_signature.subject_name", - "process.Ext.dll.name", - "process.Ext.dll.path", - "process.Ext.dll.code_signature.signing_id", - "process.Ext.dll.code_signature.status", - "process.Ext.dll.code_signature.subject_name", - "process.Ext.dll.code_signature.team_id", - "process.Ext.protection", - "process.Ext.session", - "process.Ext.token.elevation_level", - "process.Ext.token.elevation_type", - "process.Ext.token.integrity_level_name", - "process.Ext.token.security_attributes", - "process.args", - "process.code_signature.signing_id", - "process.code_signature.status", - "process.code_signature.subject_name", - "process.code_signature.team_id", - "process.command_line", - "process.entity_id", - "process.entry_leader.args", - "process.entry_leader.command_line", - "process.entry_leader.entity_id", - "process.entry_leader.entry_meta.type", - "process.entry_leader.executable", - "process.entry_leader.group.id", - "process.entry_leader.group.name", - "process.entry_leader.name", - "process.entry_leader.parent.entity_id", - "process.entry_leader.parent.session_leader.entity_id", - "process.entry_leader.real_group.id", - "process.entry_leader.real_group.name", - "process.entry_leader.real_user.id", - "process.entry_leader.real_user.name", - "process.entry_leader.saved_group.id", - "process.entry_leader.saved_group.name", - "process.entry_leader.saved_user.id", - "process.entry_leader.saved_user.name", - "process.entry_leader.supplemental_groups.id", - "process.entry_leader.supplemental_groups.name", - "process.entry_leader.user.id", - "process.entry_leader.user.name", - "process.entry_leader.working_directory", - "process.executable", - "process.group_leader.args", - "process.group_leader.command_line", - "process.group_leader.entity_id", - "process.group_leader.executable", - "process.group_leader.group.id", - "process.group_leader.group.name", - "process.group_leader.name", - "process.group_leader.real_group.id", - "process.group_leader.real_group.name", - "process.group_leader.real_user.id", - "process.group_leader.real_user.name", - "process.group_leader.saved_group.id", - "process.group_leader.saved_group.name", - "process.group_leader.saved_user.id", - "process.group_leader.saved_user.name", - "process.group_leader.supplemental_groups.id", - "process.group_leader.supplemental_groups.name", - "process.group_leader.user.id", - "process.group_leader.user.name", - "process.group_leader.working_directory", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.Ext.architecture", - "process.parent.Ext.code_signature.status", - "process.parent.Ext.code_signature.subject_name", - "process.parent.Ext.protection", - "process.parent.Ext.user", - "process.parent.args", - "process.parent.code_signature.signing_id", - "process.parent.code_signature.status", - "process.parent.code_signature.subject_name", - "process.parent.code_signature.team_id", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.group.id", - "process.parent.group.name", - "process.parent.group_leader.entity_id", - "process.parent.hash.md5", - "process.parent.hash.sha1", - "process.parent.hash.sha256", - "process.parent.hash.sha512", - "process.parent.name", - "process.parent.pe.company", - "process.parent.pe.description", - "process.parent.pe.file_version", - "process.parent.pe.imphash", - "process.parent.pe.original_file_name", - "process.parent.pe.product", - "process.parent.real_group.id", - "process.parent.real_group.name", - "process.parent.real_user.id", - "process.parent.real_user.name", - "process.parent.saved_group.id", - "process.parent.saved_group.name", - "process.parent.saved_user.id", - "process.parent.saved_user.name", - "process.parent.supplemental_groups.id", - "process.parent.supplemental_groups.name", - "process.parent.thread.name", - "process.parent.title", - "process.parent.user.id", - "process.parent.user.name", - "process.parent.working_directory", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.previous.args", - "process.previous.executable", - "process.real_group.id", - "process.real_group.name", - "process.real_user.id", - "process.real_user.name", - "process.saved_group.id", - "process.saved_group.name", - "process.saved_user.id", - "process.saved_user.name", - "process.session_leader.args", - "process.session_leader.command_line", - "process.session_leader.entity_id", - "process.session_leader.executable", - "process.session_leader.group.id", - "process.session_leader.group.name", - "process.session_leader.name", - "process.session_leader.parent.entity_id", - "process.session_leader.parent.session_leader.entity_id", - "process.session_leader.real_group.id", - "process.session_leader.real_group.name", - "process.session_leader.real_user.id", - "process.session_leader.real_user.name", - "process.session_leader.saved_group.id", - "process.session_leader.saved_group.name", - "process.session_leader.saved_user.id", - "process.session_leader.saved_user.name", - "process.session_leader.supplemental_groups.id", - "process.session_leader.supplemental_groups.name", - "process.session_leader.user.id", - "process.session_leader.user.name", - "process.session_leader.working_directory", - "process.supplemental_groups.id", - "process.supplemental_groups.name", - "process.thread.name", - "process.title", - "process.user.id", - "process.user.name", - "process.working_directory", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, "mappings": { "dynamic": false, "properties": { + "container": { + "properties": { + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "agent": { "properties": { "name": { @@ -294,58 +86,53 @@ "ignore_above": 1024, "type": "keyword" }, + "mitigation_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_descendant": { + "type": "boolean" + }, "ancestry": { "ignore_above": 1024, "type": "keyword" }, - "code_signature": { - "type": "nested", + "session_info": { "properties": { - "valid": { - "type": "boolean" + "authentication_package": { + "ignore_above": 1024, + "type": "keyword" }, - "trusted": { - "type": "boolean" + "relative_password_age": { + "type": "double" }, - "subject_name": { + "user_flags": { "ignore_above": 1024, "type": "keyword" }, - "exists": { - "type": "boolean" + "relative_logon_time": { + "type": "double" }, - "status": { + "client_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "type": "unsigned_long" + }, + "logon_type": { "ignore_above": 1024, "type": "keyword" } } }, + "created_suspended": { + "type": "boolean" + }, "dll": { "properties": { "Ext": { "properties": { - "code_signature": { - "type": "nested", - "properties": { - "valid": { - "type": "boolean" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "mapped_address": { "type": "unsigned_long" }, @@ -358,41 +145,15 @@ "ignore_above": 1024, "type": "keyword" }, - "code_signature": { - "properties": { - "valid": { - "type": "boolean" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "name": { "ignore_above": 1024, "type": "keyword" } } }, + "relative_file_creation_time": { + "type": "double" + }, "session": { "ignore_above": 1024, "type": "keyword" @@ -405,9 +166,8 @@ "ignore_above": 1024, "type": "keyword" }, - "architecture": { - "ignore_above": 1024, - "type": "keyword" + "relative_file_name_modify_time": { + "type": "double" }, "token": { "properties": { @@ -431,6 +191,90 @@ "type": "keyword" } } + }, + "code_signature": { + "type": "nested", + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trusted": { + "type": "boolean" + }, + "effective_parent": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume_device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "architecture": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -488,7 +332,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -523,7 +367,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -587,7 +431,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -619,6 +463,44 @@ }, "thread": { "properties": { + "Ext": { + "properties": { + "call_stack_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_stack_contains_unbacked": { + "type": "boolean" + }, + "call_stack": { + "properties": { + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_trailing_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_leading_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_private_bytes": { + "type": "unsigned_long" + } + }, + "enabled": true + }, + "hardware_breakpoint_set": { + "type": "boolean" + } + } + }, "name": { "ignore_above": 1024, "type": "keyword" @@ -737,7 +619,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -749,7 +631,7 @@ }, "command_line": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "caseless": { "normalizer": "lowercase", @@ -802,7 +684,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -837,7 +719,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -882,6 +764,21 @@ } } }, + "end": { + "type": "date" + }, + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "saved_user": { "properties": { "name": { @@ -889,7 +786,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -908,7 +805,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -925,7 +822,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1045,7 +942,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1057,7 +954,7 @@ }, "command_line": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "caseless": { "normalizer": "lowercase", @@ -1120,6 +1017,23 @@ } } }, + "io": { + "properties": { + "total_bytes_captured": { + "type": "long" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "total_bytes_skipped": { + "type": "long" + }, + "text": { + "ignore_above": 1024, + "type": "wildcard" + } + } + }, "pgid": { "type": "long" }, @@ -1128,6 +1042,18 @@ }, "thread": { "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "ignore_above": 1024, "type": "keyword" @@ -1156,7 +1082,8 @@ } }, "env_vars": { - "type": "object" + "ignore_above": 1024, + "type": "keyword" }, "ppid": { "type": "long" @@ -1205,7 +1132,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1222,7 +1149,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1342,7 +1269,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1354,7 +1281,7 @@ }, "command_line": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "caseless": { "normalizer": "lowercase", @@ -1429,7 +1356,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1446,7 +1373,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1516,6 +1443,31 @@ "ignore_above": 1024, "type": "keyword" }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "name": { "ignore_above": 1024, "type": "keyword", @@ -1581,7 +1533,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1593,7 +1545,7 @@ }, "command_line": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "caseless": { "normalizer": "lowercase", @@ -1678,6 +1630,9 @@ }, "tty": { "properties": { + "columns": { + "type": "long" + }, "char_device": { "properties": { "major": { @@ -1687,6 +1642,9 @@ "type": "long" } } + }, + "rows": { + "type": "long" } } }, @@ -1712,7 +1670,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -1724,7 +1682,7 @@ }, "command_line": { "ignore_above": 1024, - "type": "keyword", + "type": "wildcard", "fields": { "caseless": { "normalizer": "lowercase", @@ -1881,9 +1839,89 @@ } }, "message": { - "type": "text" + "type": "match_only_text" + }, + "cloud": { + "properties": { + "instance": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "orchestrator": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "ecs": { @@ -1945,6 +1983,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -2096,7 +2138,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -2109,7 +2151,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.process@settings.json b/elastic/security/templates/component/logs-endpoint.events.process@settings.json deleted file mode 100644 index 3edcc01a..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.process@settings.json +++ /dev/null @@ -1,162 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "package.name", - "process.Ext.ancestry", - "process.Ext.architecture", - "process.Ext.authentication_id", - "process.Ext.code_signature.status", - "process.Ext.code_signature.subject_name", - "process.Ext.defense_evasions", - "process.Ext.dll.name", - "process.Ext.dll.path", - "process.Ext.protection", - "process.Ext.session", - "process.Ext.token.elevation_level", - "process.Ext.token.elevation_type", - "process.Ext.token.integrity_level_name", - "process.Ext.token.security_attributes", - "process.args", - "process.code_signature.signing_id", - "process.code_signature.status", - "process.code_signature.subject_name", - "process.code_signature.team_id", - "process.command_line", - "process.entity_id", - "process.executable", - "process.hash.md5", - "process.hash.sha1", - "process.hash.sha256", - "process.hash.sha512", - "process.name", - "process.parent.Ext.architecture", - "process.parent.Ext.code_signature.status", - "process.parent.Ext.code_signature.subject_name", - "process.parent.Ext.protection", - "process.parent.Ext.user", - "process.parent.args", - "process.parent.code_signature.signing_id", - "process.parent.code_signature.status", - "process.parent.code_signature.subject_name", - "process.parent.code_signature.team_id", - "process.parent.command_line", - "process.parent.entity_id", - "process.parent.executable", - "process.parent.hash.md5", - "process.parent.hash.sha1", - "process.parent.hash.sha256", - "process.parent.hash.sha512", - "process.parent.name", - "process.parent.pe.company", - "process.parent.pe.description", - "process.parent.pe.file_version", - "process.parent.pe.imphash", - "process.parent.pe.original_file_name", - "process.parent.pe.product", - "process.parent.thread.name", - "process.parent.title", - "process.parent.working_directory", - "process.pe.company", - "process.pe.description", - "process.pe.file_version", - "process.pe.imphash", - "process.pe.original_file_name", - "process.pe.product", - "process.thread.name", - "process.title", - "process.working_directory", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.registry@custom.json b/elastic/security/templates/component/logs-endpoint.events.registry@custom.json deleted file mode 100644 index ae6985f8..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.registry@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.registry@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.registry@mappings.json b/elastic/security/templates/component/logs-endpoint.events.registry@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.registry@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.registry@package.json b/elastic/security/templates/component/logs-endpoint.events.registry@package.json index ad15252e..eb6bf7c4 100644 --- a/elastic/security/templates/component/logs-endpoint.events.registry@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.registry@package.json @@ -11,94 +11,11 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.registry-8.15.1", "mapping": { "total_fields": { - "limit": "10000" + "limit": "1000" } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "registry.data.bytes", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, @@ -119,7 +36,7 @@ "properties": { "strings": { "ignore_above": 1024, - "type": "keyword" + "type": "wildcard" }, "bytes": { "ignore_above": 1024, @@ -164,6 +81,57 @@ "ancestry": { "ignore_above": 1024, "type": "keyword" + }, + "code_signature": { + "type": "nested", + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -186,6 +154,41 @@ }, "thread": { "properties": { + "Ext": { + "properties": { + "call_stack_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_stack": { + "properties": { + "symbol_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_trailing_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection": { + "ignore_above": 1024, + "type": "keyword" + }, + "callsite_leading_bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocation_private_bytes": { + "type": "unsigned_long" + } + }, + "enabled": true + }, + "hardware_breakpoint_set": { + "type": "boolean" + } + } + }, "id": { "type": "long" } @@ -314,9 +317,10 @@ } }, "message": { - "type": "text" + "type": "match_only_text" }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "ecs": { @@ -327,6 +331,25 @@ } } }, + "Effective_process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "data_stream": { "properties": { "namespace": { @@ -378,6 +401,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -517,7 +544,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -530,7 +557,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.registry@settings.json b/elastic/security/templates/component/logs-endpoint.events.registry@settings.json deleted file mode 100644 index 8cd3ea68..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.registry@settings.json +++ /dev/null @@ -1,109 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "registry.data.bytes", - "registry.data.strings", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.value", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.security@custom.json b/elastic/security/templates/component/logs-endpoint.events.security@custom.json deleted file mode 100644 index 6d8e9e81..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.security@custom.json +++ /dev/null @@ -1,15 +0,0 @@ -{ - "name": "logs-endpoint.events.security@custom", - "component_template": { - "template": { - "settings": {} - }, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.security@mappings.json b/elastic/security/templates/component/logs-endpoint.events.security@mappings.json deleted file mode 100644 index e7c8856c..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.security@mappings.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "template": { - "mappings": { - "dynamic": false - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/component/logs-endpoint.events.security@package.json b/elastic/security/templates/component/logs-endpoint.events.security@package.json index 5bd1fecf..8f9d9b72 100644 --- a/elastic/security/templates/component/logs-endpoint.events.security@package.json +++ b/elastic/security/templates/component/logs-endpoint.events.security@package.json @@ -11,87 +11,11 @@ {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} "lifecycle": {}, {%- endif -%} - "codec": "best_compression", + "default_pipeline": "logs-endpoint.events.security-8.15.1", "mapping": { "total_fields": { - "limit": "10000" + "limit": "1000" } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] } } }, @@ -121,6 +45,57 @@ "ancestry": { "ignore_above": 1024, "type": "keyword" + }, + "code_signature": { + "type": "nested", + "properties": { + "valid": { + "type": "boolean" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "code_signature": { + "properties": { + "valid": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -169,6 +144,7 @@ } }, "@timestamp": { + "ignore_malformed": false, "type": "date" }, "ecs": { @@ -281,6 +257,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -389,7 +369,7 @@ } }, "message": { - "type": "text" + "type": "match_only_text" }, "event": { "properties": { @@ -469,12 +449,50 @@ } } }, + "effective": { + "properties": { + "full_name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword", + "fields": { + "text": { + "type": "match_only_text" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "full_name": { "ignore_above": 1024, "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, @@ -487,7 +505,7 @@ "type": "keyword", "fields": { "text": { - "type": "text" + "type": "match_only_text" } } }, diff --git a/elastic/security/templates/component/logs-endpoint.events.security@settings.json b/elastic/security/templates/component/logs-endpoint.events.security@settings.json deleted file mode 100644 index 1abbbca0..00000000 --- a/elastic/security/templates/component/logs-endpoint.events.security@settings.json +++ /dev/null @@ -1,102 +0,0 @@ -{ - "template": { - "settings": { - "index": { - {% if lifecycle == "ilm" or (not lifecycle and build_flavor == "default") %} - "lifecycle": { - "name": "logs" - }, - {%- elif lifecycle == "dlm" or (not lifecycle and build_flavor == "serverless") %} - "lifecycle": {}, - {%- endif -%} - "codec": "best_compression", - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "query": { - "default_field": [ - "message", - "agent.id", - "agent.type", - "agent.version", - "destination.geo.city_name", - "destination.geo.continent_code", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.postal_code", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.geo.timezone", - "ecs.version", - "event.action", - "event.category", - "event.code", - "event.dataset", - "event.hash", - "event.id", - "event.kind", - "event.module", - "event.outcome", - "event.provider", - "event.type", - "group.Ext.real.id", - "group.Ext.real.name", - "group.domain", - "group.id", - "group.name", - "host.architecture", - "host.domain", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.Ext.variant", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "process.Ext.ancestry", - "process.entity_id", - "process.executable", - "process.name", - "source.geo.city_name", - "source.geo.continent_code", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.postal_code", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.geo.timezone", - "user.Ext.real.id", - "user.Ext.real.name", - "user.domain", - "user.email", - "user.full_name", - "user.group.Ext.real.id", - "user.group.Ext.real.name", - "user.group.domain", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name" - ] - } - } - } - }, - "_meta": { - "package": { - "name": "endpoint" - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.alerts.json b/elastic/security/templates/composable-logsdb/logs-endpoint.alerts.json deleted file mode 100644 index e02322c2..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.alerts.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.alerts", - "index_template": { - "index_patterns": [ - "logs-endpoint.alerts-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.alerts@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.file.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.file.json deleted file mode 100644 index 93498765..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.file.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.file", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.file-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.file@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.library.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.library.json deleted file mode 100644 index 12a958f9..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.library.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.library", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.library-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.library@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.network.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.network.json deleted file mode 100644 index f5514887..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.network.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.network", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.network-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.network@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.process.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.process.json deleted file mode 100644 index ebad9d29..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.process.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.process", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.process-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.process@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.registry.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.registry.json deleted file mode 100644 index 14754e38..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.registry.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.registry", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.registry-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.registry@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable-logsdb/logs-endpoint.events.security.json b/elastic/security/templates/composable-logsdb/logs-endpoint.events.security.json deleted file mode 100644 index 6c6a61fe..00000000 --- a/elastic/security/templates/composable-logsdb/logs-endpoint.events.security.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "name": "logs-endpoint.events.security", - "index_template": { - "index_patterns": [ - "logs-endpoint.events.security-*" - ], - "template": { - "settings": {}, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "logs-endpoint.events.security@package", - "ecs@mappings", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - {% if build_flavor != "serverless" %}, - "failure_store": false - {% endif %} - } - } -} diff --git a/elastic/security/templates/composable/.logs-endpoint.action.responses.json b/elastic/security/templates/composable/.logs-endpoint.action.responses.json deleted file mode 100644 index 00601f9d..00000000 --- a/elastic/security/templates/composable/.logs-endpoint.action.responses.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "name": ".logs-endpoint.action.responses", - "index_template": { - "index_patterns": [ - ".logs-endpoint.action.responses-*" - ], - "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.action.responses-8.2.0" - } - }, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "ecs@mappings", - ".logs-endpoint.action.responses@package", - ".logs-endpoint.action.responses@custom", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": true, - "allow_custom_routing": false - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/composable/.logs-endpoint.actions.json b/elastic/security/templates/composable/.logs-endpoint.actions.json deleted file mode 100644 index 820477c1..00000000 --- a/elastic/security/templates/composable/.logs-endpoint.actions.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "name": ".logs-endpoint.actions", - "index_template": { - "index_patterns": [ - ".logs-endpoint.actions-*" - ], - "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.actions-8.2.0" - } - }, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "ecs@mappings", - ".logs-endpoint.actions@package", - ".logs-endpoint.actions@custom", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": true, - "allow_custom_routing": false - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/composable/.logs-endpoint.diagnostic.collection.json b/elastic/security/templates/composable/.logs-endpoint.diagnostic.collection.json deleted file mode 100644 index 80da55a6..00000000 --- a/elastic/security/templates/composable/.logs-endpoint.diagnostic.collection.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "name": ".logs-endpoint.diagnostic.collection", - "index_template": { - "index_patterns": [ - ".logs-endpoint.diagnostic.collection-*" - ], - "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.diagnostic.collection-8.2.0" - } - }, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "ecs@mappings", - ".logs-endpoint.diagnostic.collection@package", - ".logs-endpoint.diagnostic.collection@custom", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": true, - "allow_custom_routing": false - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/composable/logs-endpoint.alerts.json b/elastic/security/templates/composable/logs-endpoint.alerts.json deleted file mode 100644 index 19576289..00000000 --- a/elastic/security/templates/composable/logs-endpoint.alerts.json +++ /dev/null @@ -1,46 +0,0 @@ -{ - "name": "logs-endpoint.alerts", - "index_template": { - "index_patterns": [ - "logs-endpoint.alerts-*" - ], - "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.alerts-8.2.0" - } - }, - "mappings": { - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - } - } - }, - "composed_of": [ - "logs@mappings", - "logs@settings", - "ecs@mappings", - "logs-endpoint.alerts@package", - "logs-endpoint.alerts@custom", - ".fleet_globals-1", - ".fleet_agent_id_verification-1", - "track-shared-logsdb-mode" - ], - "priority": 200, - "_meta": { - "package": { - "name": "endpoint" - }, - "managed_by": "fleet", - "managed": true - }, - "data_stream": { - "hidden": false, - "allow_custom_routing": false - } - } -} \ No newline at end of file diff --git a/elastic/security/templates/composable/logs-endpoint.events.file.json b/elastic/security/templates/composable/logs-endpoint.events.file.json index 6af4b0b6..93498765 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.file.json +++ b/elastic/security/templates/composable/logs-endpoint.events.file.json @@ -5,11 +5,7 @@ "logs-endpoint.events.file-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.file-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.file@package", - "logs-endpoint.events.file@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/templates/composable/logs-endpoint.events.library.json b/elastic/security/templates/composable/logs-endpoint.events.library.json index 89d6b412..12a958f9 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.library.json +++ b/elastic/security/templates/composable/logs-endpoint.events.library.json @@ -5,11 +5,7 @@ "logs-endpoint.events.library-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.library-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.library@package", - "logs-endpoint.events.library@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/templates/composable/logs-endpoint.events.network.json b/elastic/security/templates/composable/logs-endpoint.events.network.json index 05a60293..f5514887 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.network.json +++ b/elastic/security/templates/composable/logs-endpoint.events.network.json @@ -5,11 +5,7 @@ "logs-endpoint.events.network-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.network-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.network@package", - "logs-endpoint.events.network@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/templates/composable/logs-endpoint.events.process.json b/elastic/security/templates/composable/logs-endpoint.events.process.json index 3a08baa0..ebad9d29 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.process.json +++ b/elastic/security/templates/composable/logs-endpoint.events.process.json @@ -5,11 +5,7 @@ "logs-endpoint.events.process-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.process-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.process@package", - "logs-endpoint.events.process@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/templates/composable/logs-endpoint.events.registry.json b/elastic/security/templates/composable/logs-endpoint.events.registry.json index cfeec396..14754e38 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.registry.json +++ b/elastic/security/templates/composable/logs-endpoint.events.registry.json @@ -5,11 +5,7 @@ "logs-endpoint.events.registry-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.registry-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.registry@package", - "logs-endpoint.events.registry@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/templates/composable/logs-endpoint.events.security.json b/elastic/security/templates/composable/logs-endpoint.events.security.json index 75401900..6c6a61fe 100644 --- a/elastic/security/templates/composable/logs-endpoint.events.security.json +++ b/elastic/security/templates/composable/logs-endpoint.events.security.json @@ -5,11 +5,7 @@ "logs-endpoint.events.security-*" ], "template": { - "settings": { - "index": { - "default_pipeline": "logs-endpoint.events.security-8.2.0" - } - }, + "settings": {}, "mappings": { "_meta": { "package": { @@ -23,9 +19,8 @@ "composed_of": [ "logs@mappings", "logs@settings", - "ecs@mappings", "logs-endpoint.events.security@package", - "logs-endpoint.events.security@custom", + "ecs@mappings", ".fleet_globals-1", ".fleet_agent_id_verification-1", "track-shared-logsdb-mode" @@ -41,6 +36,9 @@ "data_stream": { "hidden": false, "allow_custom_routing": false + {% if build_flavor != "serverless" %}, + "failure_store": false + {% endif %} } } -} \ No newline at end of file +} diff --git a/elastic/security/track.json b/elastic/security/track.json index 9aa022cd..31330803 100644 --- a/elastic/security/track.json +++ b/elastic/security/track.json @@ -9,6 +9,8 @@ {% set p_number_of_shards = (number_of_shards | default(1)) %} {% set p_number_of_replicas = (number_of_replicas | default(1)) %} {% set p_skip_delete_component_template = (skip_delete_component_template | default(false) ) %} +{% set p_logs_endpoint_from_kibana = (logs_endpoint_from_kibana | default(false) ) %} +{% set p_include_non_serverless_index_settings = (include_non_serverless_index_settings | default(build_flavor != "serverless")) %} {% set p_integration_ratios = (integration_ratios | default({ "auditbeat": { "corpora": { @@ -92,11 +94,15 @@ {% endif %} {% endfor %} ], - {% if index_mode == "logsdb" %} + {% if p_logs_endpoint_from_kibana %} "component-templates": [ { "name": "track-shared-logsdb-mode", "template": "./templates/component/track-shared-logsdb-mode.json" + }, + { + "name": "track-custom-mappings", + "template": "./templates/component/track-custom-mappings.json" } ], {% else %} @@ -115,124 +121,40 @@ "template": "./templates/component/.fleet_agent_id_verification-1.json", "template-path": "component_template" }, - { - "name": ".fleet_component_template-1", - "template": "./templates/component/.fleet_component_template-1.json" - }, { "name": ".fleet_globals-1", "template": "./templates/component/.fleet_globals-1.json", "template-path": "component_template" }, {% endif %} - { - "name": "logs-endpoint.events.file@mappings", - "template": "./templates/component/logs-endpoint.events.file@mappings.json" - }, - {% if p_skip_delete_component_template == false %} { "name": "logs-endpoint.events.file@package", "template": "./templates/component/logs-endpoint.events.file@package.json", "template-path": "component_template" }, - {% endif %} - { - "name": "logs-endpoint.events.file@settings", - "template": "./templates/component/logs-endpoint.events.file@settings.json" - }, - { - "name": "logs-endpoint.events.file@custom", - "template": "./templates/component/logs-endpoint.events.file@custom.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.library@mappings", - "template": "./templates/component/logs-endpoint.events.file@mappings.json" - }, { "name": "logs-endpoint.events.library@package", "template": "./templates/component/logs-endpoint.events.library@package.json", "template-path": "component_template" }, - { - "name": "logs-endpoint.events.library@settings", - "template": "./templates/component/logs-endpoint.events.library@settings.json" - }, - { - "name": "logs-endpoint.events.library@custom", - "template": "./templates/component/logs-endpoint.events.library@custom.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.network@mappings", - "template": "./templates/component/logs-endpoint.events.network@mappings.json" - }, { "name": "logs-endpoint.events.network@package", "template": "./templates/component/logs-endpoint.events.network@package.json", "template-path": "component_template" }, - { - "name": "logs-endpoint.events.network@settings", - "template": "./templates/component/logs-endpoint.events.network@settings.json" - }, - { - "name": "logs-endpoint.events.network@custom", - "template": "./templates/component/logs-endpoint.events.network@custom.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.process@mappings", - "template": "./templates/component/logs-endpoint.events.process@mappings.json" - }, { "name": "logs-endpoint.events.process@package", "template": "./templates/component/logs-endpoint.events.process@package.json", "template-path": "component_template" }, - { - "name": "logs-endpoint.events.process@settings", - "template": "./templates/component/logs-endpoint.events.process@settings.json" - }, - { - "name": "logs-endpoint.events.process@custom", - "template": "./templates/component/logs-endpoint.events.process@custom.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.security@mappings", - "template": "./templates/component/logs-endpoint.events.security@mappings.json" - }, - { - "name": "logs-endpoint.events.security@package", - "template": "./templates/component/logs-endpoint.events.security@package.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.security@settings", - "template": "./templates/component/logs-endpoint.events.security@settings.json" - }, - { - "name": "logs-endpoint.events.security@custom", - "template": "./templates/component/logs-endpoint.events.security@custom.json", - "template-path": "component_template" - }, - { - "name": "logs-endpoint.events.registry@mappings", - "template": "./templates/component/logs-endpoint.events.registry@mappings.json" - }, { "name": "logs-endpoint.events.registry@package", "template": "./templates/component/logs-endpoint.events.registry@package.json", "template-path": "component_template" }, { - "name": "logs-endpoint.events.registry@settings", - "template": "./templates/component/logs-endpoint.events.registry@settings.json" - }, - { - "name": "logs-endpoint.events.registry@custom", - "template": "./templates/component/logs-endpoint.events.registry@custom.json", + "name": "logs-endpoint.events.security@package", + "template": "./templates/component/logs-endpoint.events.security@package.json", "template-path": "component_template" } ], @@ -244,66 +166,42 @@ "name": "logs-endpoint.events.file", "index-pattern": "logs-endpoint.events.file-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.file.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.file.json", - {% endif %} "template-path": "index_template" }, { "name": "logs-endpoint.events.library", "index-pattern": "logs-endpoint.events.library-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.library.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.library.json", - {% endif %} "template-path": "index_template" }, { "name": "logs-endpoint.events.network", "index-pattern": "logs-endpoint.events.network-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.network.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.network.json", - {% endif %} "template-path": "index_template" }, { "name": "logs-endpoint.events.process", "index-pattern": "logs-endpoint.events.process-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.process.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.process.json", - {% endif %} "template-path": "index_template" }, { "name": "logs-endpoint.events.registry", "index-pattern": "logs-endpoint.events.registry-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.registry.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.registry.json", - {% endif %} "template-path": "index_template" }, { "name": "logs-endpoint.events.security", "index-pattern": "logs-endpoint.events.security-*", "delete-matching-indices": false, - {% if index_mode == "logsdb" %} - "template": "./templates/composable-logsdb/logs-endpoint.events.security.json", - {% else %} "template": "./templates/composable/logs-endpoint.events.security.json", - {% endif %} "template-path": "index_template" }{{ ", " if not loop.last else "" }} {% else %} @@ -450,7 +348,9 @@ ], "dependencies": [ "geneve==0.2.0", - "pyyaml" + "pyyaml", + "elastic-transport==8.4.1", + "elasticsearch==8.6.1" ], "challenges": [ {{ rally.collect(parts="challenges/*.json") }}