diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index 2f237cac1f..bce0282358 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -108,6 +108,7 @@ elasticfleet: - ti_anomali - ti_cybersixgill - ti_misp + - ti_opencti - ti_otx - ti_rapid7_threat_command - ti_recordedfuture diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 9f0d3576c7..22da473376 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml @@ -10353,6 +10353,52 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-ti_opencti_x_indicator: + index_sorting: False + index_template: + composed_of: + - "logs-ti_opencti.indicator@package" + - "logs-ti_opencti.indicator@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - "logs-ti_opencti.indicator@custom" + index_patterns: + - "logs-ti_opencti.indicator-*" + priority: 501 + template: + settings: + index: + lifecycle: + name: so-logs-ti_opencti.indicator-logs + number_of_replicas: 0 + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-ti_otx_x_pulses_subscribed: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 88ea45b898..0db3f34fa1 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml @@ -491,6 +491,7 @@ elasticsearch: so-logs-ti_cybersixgill_x_threat: *indexSettings so-logs-ti_misp_x_threat: *indexSettings so-logs-ti_misp_x_threat_attributes: *indexSettings + so-logs-ti_opencti_x_indicator: *indexSettings so-logs-ti_otx_x_pulses_subscribed: *indexSettings so-logs-ti_otx_x_threat: *indexSettings so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json new file mode 100644 index 0000000000..17319ab9fa --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-ti_opencti.indicator@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +}