From d0457cb61ed3693e8c5502e9adc4e5dde0934ec8 Mon Sep 17 00:00:00 2001
From: Wes
Date: Fri, 19 Jan 2024 22:00:38 +0000
Subject: [PATCH 1/3] Add additional integrations to defaults
---
salt/elasticfleet/defaults.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml
index f42a3f4fcb..e4f54ceb0e 100644
--- a/salt/elasticfleet/defaults.yaml
+++ b/salt/elasticfleet/defaults.yaml
@@ -45,6 +45,8 @@ elasticfleet:
 - cisco_ise
 - cisco_meraki
 - cisco_umbrella
+ - citrix_adc
+ - citrix_waf
 - cloudflare
 - crowdstrike
 - darktrace
@@ -75,6 +77,7 @@ elasticfleet:
 - mimecast
 - mysql
 - netflow
+ - nginx
 - o365
 - okta
 - osquery_manager
@@ -103,6 +106,7 @@ elasticfleet:
 - udp
 - vsphere
 - windows
+ - winlog
 - zscaler_zia
 - zscaler_zpa
 - 1password
From 05aa8b013aff434ec4109e8adbe71a5aa8eb1c8a Mon Sep 17 00:00:00 2001
From: Wes
Date: Fri, 19 Jan 2024 22:02:39 +0000
Subject: [PATCH 2/3] Add additional integration to templates
---
salt/elasticsearch/defaults.yaml | 440 +++++++++++++++++++++++++++++++
1 file changed, 440 insertions(+)
diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml
index 45b4b7d943..e35cec326b 100644
--- a/salt/elasticsearch/defaults.yaml
+++ b/salt/elasticsearch/defaults.yaml
@@ -2537,6 +2537,270 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-citrix_adc_x_interface:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-citrix_adc.interface-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-citrix_adc.interface-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-citrix_adc.interface@package"
+ - "logs-citrix_adc.interface@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-citrix_adc_x_lbvserver:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-citrix_adc.lbvserver-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-citrix_adc.lbvserver-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-citrix_adc.lbvserver@package"
+ - "logs-citrix_adc.lbvserver@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-citrix_adc_x_service:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-citrix_adc.service-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-citrix_adc.service-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-citrix_adc.service@package"
+ - "logs-citrix_adc.service@custom"
+ - 
"so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-citrix_adc_x_system: + index_sorting: False + index_template: + index_patterns: + - "logs-citrix_adc.system-*" + template: + settings: + index: + lifecycle: + name: so-logs-citrix_adc.system-logs + number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.system@package" + - "logs-citrix_adc.system@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-citrix_adc_x_vpn: + index_sorting: False + index_template: + index_patterns: + - "logs-citrix_adc.vpn-*" + template: + settings: + index: + lifecycle: + name: so-logs-citrix_adc.vpn-logs + number_of_replicas: 0 + composed_of: + - "logs-citrix_adc.vpn@package" + - "logs-citrix_adc.vpn@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 30d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + 
min_age: 30d
+ so-logs-citrix_waf_x_log:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-citrix_waf.log-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-citrix_waf.log-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-citrix_waf.log@package"
+ - "logs-citrix_waf.log@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-cloudflare_x_audit:
 index_sorting: false
 index_template:
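Review bot: `index_sorting: False` on the six new citrix_adc/citrix_waf entries (and on the nginx and winlog entries added by the @@ -6659 and @@ -8854 hunks) spells the boolean with a capital where the neighbouring entries use lowercase, as the trailing context line `so-logs-cloudflare_x_audit: index_sorting: false` shows. A YAML 1.1 loader treats both spellings as the same boolean, so this is a style point rather than a functional one, but the mixed spelling leaves a later reader wondering whether `False` was meant as a string. I would normalise the new entries to `index_sorting: false`. The enclosing `elasticsearch:` mapping these entries sit in begins well before this hunk.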
@@ -6659,6 +6923,138 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-nginx_x_access:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-nginx.access-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-nginx.access-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-nginx.access@package"
+ - "logs-nginx.access@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-logs-nginx_x_error:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-nginx.error-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-nginx.error-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-nginx.error@package"
+ - "logs-nginx.error@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
+ so-metrics-nginx_x_stubstatus:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "metrics-nginx.stubstatus-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-metrics-nginx.stubstatus-logs
+ number_of_replicas: 0
+ composed_of:
+ - "metrics-nginx.stubstatus@package"
+ - "metrics-nginx.stubstatus@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ 
data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-o365_x_audit:
 index_sorting: false
 index_template:
@@ -8854,6 +9250,50 @@ elasticsearch:
 set_priority:
 priority: 50
 min_age: 30d
+ so-logs-winlog_x_winlog:
+ index_sorting: False
+ index_template:
+ index_patterns:
+ - "logs-winlog.winlog-*"
+ template:
+ settings:
+ index:
+ lifecycle:
+ name: so-logs-winlog.winlog-logs
+ number_of_replicas: 0
+ composed_of:
+ - "logs-winlog.winlog@package"
+ - "logs-winlog.winlog@custom"
+ - "so-fleet_globals-1"
+ - "so-fleet_agent_id_verification-1"
+ priority: 501
+ data_stream:
+ hidden: false
+ allow_custom_routing: false
+ policy:
+ phases:
+ cold:
+ actions:
+ set_priority:
+ priority: 0
+ min_age: 30d
+ delete:
+ actions:
+ delete: {}
+ min_age: 365d
+ hot:
+ actions:
+ rollover:
+ max_age: 30d
+ max_primary_shard_size: 50gb
+ set_priority:
+ priority: 100
+ min_age: 0ms
+ warm:
+ actions:
+ set_priority:
+ priority: 50
+ min_age: 30d
 so-logs-zscaler_zia_x_alerts:
 index_sorting: false
 index_template:
From 7118cc8dee1021c66ca7be3e79c9fd71921a945e Mon Sep 17 00:00:00 2001
From: Wes
Date: Fri, 19 Jan 2024 22:04:07 +0000
Subject: [PATCH 3/3] Add additional integration SOC configuration
---
salt/elasticsearch/soc_elasticsearch.yaml | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml
index d66312a017..c54e076603 100644
--- a/salt/elasticsearch/soc_elasticsearch.yaml
+++ b/salt/elasticsearch/soc_elasticsearch.yaml
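Review bot: The lifecycle policy for the metrics entry, `name: so-metrics-nginx.stubstatus-logs`, carries a `-logs` suffix although it governs the `metrics-nginx.stubstatus-*` data stream; the name is probably only a label derived from the key, but the existing `so-metrics-*` entries in this file are outside the hunk, so it is worth confirming they use the same suffix before this is merged. If they do, nothing needs to change; if they use a different suffix, this one line should match them. The three entries in this hunk otherwise mirror the logs template line for line.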
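Review bot: `index_patterns: - "logs-winlog.winlog-*"` binds the new template and its 365-day delete policy to the default winlog dataset only; as far as I recall, the Custom Windows Event Log integration lets the operator name the dataset per input, and events shipped under any other dataset name would then land outside this template and its retention and replica settings (confirm against the integration's manifest). A short comment above the key would make that scope visible to whoever adds a custom event log later, e.g. `# Covers the default winlog.winlog dataset; a custom winlog dataset name needs its own entry`. The matching `so-logs-winlog_x_winlog: *indexSettings` line in soc_elasticsearch.yaml would need the same companion entry.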
@@ -318,6 +318,7 @@ elasticsearch:
 so-logs-windows_x_powershell: *indexSettings
 so-logs-windows_x_powershell_operational: *indexSettings
 so-logs-windows_x_sysmon_operational: *indexSettings
+ so-logs-winlog_x_winlog: *indexSettings
 so-logs-apache_x_access: *indexSettings
 so-logs-apache_x_error: *indexSettings
 so-logs-auditd_x_log: *indexSettings
@@ -346,6 +347,12 @@ elasticsearch:
 so-logs-cisco_ftd_x_log: *indexSettings
 so-logs-cisco_ios_x_log: *indexSettings
 so-logs-cisco_ise_x_log: *indexSettings
+ so-logs-citrix_adc_x_interface: *indexSettings
+ so-logs-citrix_adc_x_lbvserver: *indexSettings
+ so-logs-citrix_adc_x_service: *indexSettings
+ so-logs-citrix_adc_x_system: *indexSettings
+ so-logs-citrix_adc_x_vpn: *indexSettings
+ so-logs-citrix_waf_x_log: *indexSettings
 so-logs-cloudflare_x_audit: *indexSettings
 so-logs-cloudflare_x_logpull: *indexSettings
 so-logs-crowdstrike_x_falcon: *indexSettings
@@ -406,6 +413,8 @@ elasticsearch:
 so-logs-mysql_x_error: *indexSettings
 so-logs-mysql_x_slowlog: *indexSettings
 so-logs-netflow_x_log: *indexSettings
+ so-logs-nginx_x_access: *indexSettings
+ so-logs-nginx_x_error: *indexSettings
 so-logs-o365_x_audit: *indexSettings
 so-logs-okta_x_system: *indexSettings
 so-logs-panw_x_panos: *indexSettings
@@ -471,6 +480,7 @@ elasticsearch:
 so-metrics-endpoint_x_metadata: *indexSettings
 so-metrics-endpoint_x_metrics: *indexSettings
 so-metrics-endpoint_x_policy: *indexSettings
+ so-metrics-nginx_x_stubstatus: *indexSettings
 so-case: *indexSettings
 so-common: *indexSettings
 so-endgame: *indexSettings