diff --git a/playbooks/deploy-rock.yml b/playbooks/deploy-rock.yml index 0cb3cc376..ff1d1740b 100644 --- a/playbooks/deploy-rock.yml +++ b/playbooks/deploy-rock.yml @@ -311,30 +311,6 @@ body_format: json when: with_elasticsearch and default_index_template.status == 404 - - name: Check for ECS mapping template - uri: - method: "GET" - url: http://localhost:9200/_template/ecs - failed_when: False - register: ecs_index_template - when: with_elasticsearch - - - name: Load ECS Elasticsearch mapping template - uri: - method: PUT - url: http://localhost:9200/_template/ecs - body: "{{ lookup('file', 'es-ecs-mapping.json')}}" - body_format: json - when: with_elasticsearch and ecs_index_template.status == 404 - - - name: Check for Bro mapping templates - uri: - method: "GET" - url: http://localhost:9200/_template/bro_index - failed_when: False - register: bro_mapping - when: (with_elasticsearch and with_bro) - - name: Configure Kibana templates uri: method: PUT @@ -465,7 +441,7 @@ wait_for: port: "{{ kibana_port }}" when: with_kibana - + - name: Blanket install/update Kibana saved objects command: ./import-saved-items.sh "{{ kibana_url }}" args: diff --git a/playbooks/files/es-ecs-mapping.json b/playbooks/files/es-ecs-mapping.json deleted file mode 100644 index 7954a3b26..000000000 --- a/playbooks/files/es-ecs-mapping.json +++ /dev/null @@ -1,816 +0,0 @@ -{ - "index_patterns": [ - "*" - ], - "order": 10, - "settings": { - "index": { - "mapping": { - "total_fields": { - "limit": 10000 - } - } - } - }, - "mappings": { - "_doc": { - "_meta": { - "version": "1.0.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "properties": { - "@timestamp": { - "type": "date" - }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "device": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "properties": { - "offset": { - "properties": { - "sec": { - "type": "long" - } - } - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "norms": false, - "type": "text" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "severity": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "timezone": { - "properties": { - "offset": { - "properties": { - "sec": { - "type": "long" - } - } - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "norms": false, - "type": "text" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kubernetes": { - "properties": { - "annotations": { - "type": "object" - }, - "container": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "pod": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "line": { - "type": "long" - }, - "message": { - "doc_values": false, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "offset": { - "type": "long" - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "inbound": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "outbound": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "total": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "type": "long" - } - } - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "norms": false, - "type": "text" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls": { - "properties": { - "certificates": { - "doc_values": false, - "type": "keyword" - }, - "ciphersuite": { - "ignore_above": 1024, - "type": "keyword" - }, - "servername": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "href": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "port": { - "type": "long" - }, - "query": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "norms": false, - "type": "text" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "patch": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "norms": false, - "type": "text" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } -}