moved common malcolm fields into another composable component rather …
…than defining them directly in the malcolm_template
mmguero committed Mar 19, 2024
1 parent 20fdc98 commit 936bf15
Showing 2 changed files with 82 additions and 77 deletions.
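--- /dev/null
+++ b/dashboards/templates/composable/component/malcolm_common.json
@@ -0,0 +1,80 @@
+{
+"template": {
+"mappings": {
+"properties": {
+"destination.ip_reverse_dns": { "type": "keyword" },
+"destination.oui": { "type": "keyword" },
+"destination.device": {
+"properties": {
+"cluster": { "type": "keyword" },
+"device_type": { "type": "keyword" },
+"id": { "type": "integer" },
+"manufacturer": { "type": "keyword" },
+"name": { "type": "keyword" },
+"role": { "type": "keyword" },
+"service": { "type": "keyword" },
+"site": { "type": "keyword" },
+"url": { "type": "keyword" },
+"details": { "type": "nested" }
+}
+},
+"destination.segment": {
+"properties": {
+"id": { "type": "integer" },
+"name": { "type": "keyword" },
+"site": { "type": "keyword" },
+"tenant": { "type": "keyword" },
+"url": { "type": "keyword" },
+"details": { "type": "nested" }
+}
+},
+"event.freq_score_v1": { "type": "float" },
+"event.freq_score_v2": { "type": "float" },
+"event.hits": { "type": "long" },
+"event.result": { "type": "keyword" },
+"event.severity_tags": { "type": "keyword" },
+"file.source": { "type": "keyword" },
+"network.is_orig": { "type": "keyword" },
+"network.protocol_version": { "type": "keyword" },
+"related.mac": { "type": "keyword" },
+"related.oui": { "type": "keyword" },
+"related.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
+"related.device_id": { "type": "integer" },
+"related.device_name": { "type": "keyword" },
+"related.device_type": { "type": "keyword" },
+"related.manufacturer": { "type": "keyword" },
+"related.role": { "type": "keyword" },
+"related.service": { "type": "keyword" },
+"related.site": { "type": "keyword" },
+"source.ip_reverse_dns": { "type": "keyword" },
+"source.oui": { "type": "keyword" },
+"source.device": {
+"properties": {
+"cluster": { "type": "keyword" },
+"device_type": { "type": "keyword" },
+"id": { "type": "integer" },
+"manufacturer": { "type": "keyword" },
+"name": { "type": "keyword" },
+"role": { "type": "keyword" },
+"service": { "type": "keyword" },
+"site": { "type": "keyword" },
+"url": { "type": "keyword" },
+"details": { "type": "nested" }
+}
+},
+"source.segment": {
+"properties": {
+"id": { "type": "integer" },
+"name": { "type": "keyword" },
+"site": { "type": "keyword" },
+"tenant": { "type": "keyword" },
+"url": { "type": "keyword" },
+"details": { "type": "nested" }
+}
+},
+"tls.client.ja3_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
+"tls.server.ja3s_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }
+}
+}
+}
+}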
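Review bot: The `related.password` mapping is a `keyword` with a `text` multi-field, so any cleartext credential the enrichment pipeline extracts becomes both aggregatable and full-text searchable by every principal with read access to an index this component is composed into. That is presumably intentional for Malcolm's protocol analysis, but now that the field is declared in a shared component it is worth stating, in the template documentation or a `_meta` description on the component, that this field carries captured secrets and that index- or field-level access controls should cover it. Note that `"ignore_above": 256` only skips the keyword index for longer values; the raw string is still kept in `_source` and indexed in the `.text` subfield, so the cap is not a redaction.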
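--- a/dashboards/templates/malcolm_template.json
+++ b/dashboards/templates/malcolm_template.json
@@ -25,7 +25,8 @@
 "custom_arkime",
 "custom_suricata",
 "custom_zeek",
-"custom_zeek_ot"
+"custom_zeek_ot",
+"custom_malcolm_common"
 ],
 "template" :{
 "settings" : {
@@ -34,82 +35,6 @@
 "mapping.nested_fields.limit" : "250",
 "max_docvalue_fields_search" : "200"
 }
-},
-"mappings": {
-"properties": {
-"destination.ip_reverse_dns": { "type": "keyword" },
-"destination.oui": { "type": "keyword" },
-"destination.device": {
-"properties": {
-"cluster": { "type": "keyword" },
-"device_type": { "type": "keyword" },
-"id": { "type": "integer" },
-"manufacturer": { "type": "keyword" },
-"name": { "type": "keyword" },
-"role": { "type": "keyword" },
-"service": { "type": "keyword" },
-"site": { "type": "keyword" },
-"url": { "type": "keyword" },
-"details": { "type": "nested" }
-}
-},
-"destination.segment": {
-"properties": {
-"id": { "type": "integer" },
-"name": { "type": "keyword" },
-"site": { "type": "keyword" },
-"tenant": { "type": "keyword" },
-"url": { "type": "keyword" },
-"details": { "type": "nested" }
-}
-},
-"event.freq_score_v1": { "type": "float" },
-"event.freq_score_v2": { "type": "float" },
-"event.hits": { "type": "long" },
-"event.result": { "type": "keyword" },
-"event.severity_tags": { "type": "keyword" },
-"file.source": { "type": "keyword" },
-"network.is_orig": { "type": "keyword" },
-"network.protocol_version": { "type": "keyword" },
-"related.mac": { "type": "keyword" },
-"related.oui": { "type": "keyword" },
-"related.password": { "type": "keyword", "ignore_above": 256, "fields": { "text": { "type": "text" } } },
-"related.device_id": { "type": "integer" },
-"related.device_name": { "type": "keyword" },
-"related.device_type": { "type": "keyword" },
-"related.manufacturer": { "type": "keyword" },
-"related.role": { "type": "keyword" },
-"related.service": { "type": "keyword" },
-"related.site": { "type": "keyword" },
-"source.ip_reverse_dns": { "type": "keyword" },
-"source.oui": { "type": "keyword" },
-"source.device": {
-"properties": {
-"cluster": { "type": "keyword" },
-"device_type": { "type": "keyword" },
-"id": { "type": "integer" },
-"manufacturer": { "type": "keyword" },
-"name": { "type": "keyword" },
-"role": { "type": "keyword" },
-"service": { "type": "keyword" },
-"site": { "type": "keyword" },
-"url": { "type": "keyword" },
-"details": { "type": "nested" }
-}
-},
-"source.segment": {
-"properties": {
-"id": { "type": "integer" },
-"name": { "type": "keyword" },
-"site": { "type": "keyword" },
-"tenant": { "type": "keyword" },
-"url": { "type": "keyword" },
-"details": { "type": "nested" }
-}
-},
-"tls.client.ja3_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } },
-"tls.server.ja3s_description": { "type": "keyword", "ignore_above": 1024, "fields": { "text": { "type": "text" } } }
-}
-}
 }
 }
 }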
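Review bot: The new `"custom_malcolm_common"` entry in `composed_of` introduces an ordering dependency the template cannot express: OpenSearch rejects an index template whose `composed_of` names a component template that does not yet exist, so whatever loads these files must PUT the new component (presumably from `composable/component/malcolm_common.json`, following the `custom_<name>` pattern of the other entries) before `malcolm_template.json`, or the index-template update fails. Precedence also shifts slightly: mappings declared directly in an index template override every component, whereas the common fields now only win over components listed before them, so `custom_malcolm_common` should stay last in `composed_of` and the loader's documentation should say why, in case a later component ever redefines one of these fields. The enclosing `composed_of` array starts outside the hunk.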
