
Commit 37aaa02

Refactor to use snippet includes
- Extract code examples into the `_snippets/` directory
- Replace inline code blocks with include directives
- Generate the snippet files
1 parent de6d779 commit 37aaa02


103 files changed

+4043
-3769
lines changed


Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
```console
2+
PUT /windows-security-logs
3+
{
4+
"mappings": {
5+
"properties": {
6+
"@timestamp": {"type": "date"},
7+
"event": {
8+
"properties": {
9+
"code": {"type": "keyword"}, # Event codes like 4624 (successful logon) and 4625 (failed logon) are stored as keywords for exact matching.
10+
"action": {"type": "keyword"}
11+
}
12+
},
13+
"user": {
14+
"properties": {
15+
"name": {"type": "keyword"},
16+
"domain": {"type": "keyword"}
17+
}
18+
},
19+
"host": {
20+
"properties": {
21+
"name": {"type": "keyword"},
22+
"ip": {"type": "ip"}
23+
}
24+
},
25+
"source": {
26+
"properties": {
27+
"ip": {"type": "ip"}
28+
}
29+
},
30+
"logon": {
31+
"properties": {
32+
"type": {"type": "keyword"}
33+
}
34+
}
35+
}
36+
}
37+
}
38+
```
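Review bot: The trailing `# Event codes like 4624 ...` on the `"code"` line sits inside the JSON request body, so the snippet is only valid where the consumer strips comments; the curl variant of this same request omits it, and anyone copying the body into a raw JSON client gets a parse error. Confirm that the Console parser used by the docs accepts an inline `#` comment on a JSON line; otherwise move the explanation to its own line above `PUT /windows-security-logs` or into the surrounding prose. Separately, `source.ip` is mapped as type `ip`, and Windows logon events are commonly shipped with a placeholder address (for example `-` for local logons); if that is true of the data this example targets, such documents will be rejected at index time unless an ingest step drops the placeholder or the field sets `"ignore_malformed": true` — worth a one-line caveat next to the mapping.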
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
```bash
2+
curl -X PUT "$ELASTICSEARCH_URL/windows-security-logs" \
3+
-H "Authorization: ApiKey $ELASTIC_API_KEY" \
4+
-H "Content-Type: application/json" \
5+
-d '{"mappings":{"properties":{"@timestamp":{"type":"date"},"event":{"properties":{"code":{"type":"keyword"},"action":{"type":"keyword"}}},"user":{"properties":{"name":{"type":"keyword"},"domain":{"type":"keyword"}}},"host":{"properties":{"name":{"type":"keyword"},"ip":{"type":"ip"}}},"source":{"properties":{"ip":{"type":"ip"}}},"logon":{"properties":{"type":{"type":"keyword"}}}}}}'
6+
```
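Review bot: `-H "Authorization: ApiKey $ELASTIC_API_KEY"` expands the API key into curl's argument list, where it is readable by any local user through `ps` or `/proc/<pid>/cmdline` for the lifetime of the request, so the env-var indirection only keeps it out of the file, not out of the process table. Recent curl can read headers from a file instead, e.g. `-H @auth.txt` with the `Authorization: ApiKey ...` line in a mode-0600 file, or the whole request can be driven from `--config`; a one-sentence note beside the snippet would stop readers treating this form as the secure one. The same applies to the `_bulk` curl snippet in this commit.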
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
```js
2+
const { Client } = require("@elastic/elasticsearch");
3+
4+
const client = new Client({
5+
nodes: [process.env["ELASTICSEARCH_URL"]],
6+
auth: {
7+
apiKey: process.env["ELASTIC_API_KEY"],
8+
},
9+
});
10+
11+
async function run() {
12+
const response = await client.indices.create({
13+
index: "windows-security-logs",
14+
mappings: {
15+
properties: {
16+
"@timestamp": {
17+
type: "date",
18+
},
19+
event: {
20+
properties: {
21+
code: {
22+
type: "keyword",
23+
},
24+
action: {
25+
type: "keyword",
26+
},
27+
},
28+
},
29+
user: {
30+
properties: {
31+
name: {
32+
type: "keyword",
33+
},
34+
domain: {
35+
type: "keyword",
36+
},
37+
},
38+
},
39+
host: {
40+
properties: {
41+
name: {
42+
type: "keyword",
43+
},
44+
ip: {
45+
type: "ip",
46+
},
47+
},
48+
},
49+
source: {
50+
properties: {
51+
ip: {
52+
type: "ip",
53+
},
54+
},
55+
},
56+
logon: {
57+
properties: {
58+
type: {
59+
type: "keyword",
60+
},
61+
},
62+
},
63+
},
64+
},
65+
});
66+
console.log(response);
67+
}
68+
69+
run();
70+
```
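Review bot: `run();` on the last line is a floating promise, so a refused connection, a bad API key or a rejected `indices.create` (for example when `windows-security-logs` already exists) surfaces only as an unhandled rejection rather than a clear failure; change it to `run().catch((err) => { console.error(err); process.exitCode = 1; });`. The client is also built from `process.env["ELASTICSEARCH_URL"]` and `process.env["ELASTIC_API_KEY"]` without checking they are set, so an unset variable produces `nodes: [undefined]` and an error that does not name the missing variable; a guard such as `if (!process.env.ELASTICSEARCH_URL || !process.env.ELASTIC_API_KEY) throw new Error("ELASTICSEARCH_URL and ELASTIC_API_KEY must be set");` before constructing the client would make the snippet fail fast.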
Lines changed: 71 additions & 0 deletions
@@ -0,0 +1,71 @@
1+
```php
2+
<?php
3+
4+
require(__DIR__ . "/vendor/autoload.php");
5+
6+
use Elastic\Elasticsearch\ClientBuilder;
7+
8+
$client = ClientBuilder::create()
9+
->setHosts([getenv("ELASTICSEARCH_URL")])
10+
->setApiKey(getenv("ELASTIC_API_KEY"))
11+
->build();
12+
13+
$resp = $client->indices()->create([
14+
"index" => "windows-security-logs",
15+
"body" => [
16+
"mappings" => [
17+
"properties" => [
18+
"@timestamp" => [
19+
"type" => "date",
20+
],
21+
"event" => [
22+
"properties" => [
23+
"code" => [
24+
"type" => "keyword",
25+
],
26+
"action" => [
27+
"type" => "keyword",
28+
],
29+
],
30+
],
31+
"user" => [
32+
"properties" => [
33+
"name" => [
34+
"type" => "keyword",
35+
],
36+
"domain" => [
37+
"type" => "keyword",
38+
],
39+
],
40+
],
41+
"host" => [
42+
"properties" => [
43+
"name" => [
44+
"type" => "keyword",
45+
],
46+
"ip" => [
47+
"type" => "ip",
48+
],
49+
],
50+
],
51+
"source" => [
52+
"properties" => [
53+
"ip" => [
54+
"type" => "ip",
55+
],
56+
],
57+
],
58+
"logon" => [
59+
"properties" => [
60+
"type" => [
61+
"type" => "keyword",
62+
],
63+
],
64+
],
65+
],
66+
],
67+
],
68+
]);
69+
echo $resp->asString();
70+
71+
```
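Review bot: `getenv()` returns `false` for an unset variable, so with the environment missing this snippet calls `setHosts([false])` and `setApiKey(false)` and fails inside the client with a message that does not point at the real cause. Reading both values into variables first and throwing when either is `false`, e.g. `$url = getenv("ELASTICSEARCH_URL") ?: throw new RuntimeException("ELASTICSEARCH_URL is not set");` (and likewise for `ELASTIC_API_KEY`), keeps the example copy-pasteable while making the failure mode obvious. `throw` as an expression needs PHP 8; on older targets use an `if` block instead.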
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
```python
2+
import os
3+
from elasticsearch import Elasticsearch
4+
5+
client = Elasticsearch(
6+
hosts=[os.getenv("ELASTICSEARCH_URL")],
7+
api_key=os.getenv("ELASTIC_API_KEY"),
8+
)
9+
10+
resp = client.indices.create(
11+
index="windows-security-logs",
12+
mappings={
13+
"properties": {
14+
"@timestamp": {
15+
"type": "date"
16+
},
17+
"event": {
18+
"properties": {
19+
"code": {
20+
"type": "keyword"
21+
},
22+
"action": {
23+
"type": "keyword"
24+
}
25+
}
26+
},
27+
"user": {
28+
"properties": {
29+
"name": {
30+
"type": "keyword"
31+
},
32+
"domain": {
33+
"type": "keyword"
34+
}
35+
}
36+
},
37+
"host": {
38+
"properties": {
39+
"name": {
40+
"type": "keyword"
41+
},
42+
"ip": {
43+
"type": "ip"
44+
}
45+
}
46+
},
47+
"source": {
48+
"properties": {
49+
"ip": {
50+
"type": "ip"
51+
}
52+
}
53+
},
54+
"logon": {
55+
"properties": {
56+
"type": {
57+
"type": "keyword"
58+
}
59+
}
60+
}
61+
}
62+
},
63+
)
64+
print(resp)
65+
66+
```
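Review bot: `os.getenv("ELASTICSEARCH_URL")` and `os.getenv("ELASTIC_API_KEY")` return `None` when unset, so the client is constructed with `hosts=[None]` and `api_key=None` and the failure appears later with an error that does not name the missing variable. Using `os.environ["ELASTICSEARCH_URL"]` and `os.environ["ELASTIC_API_KEY"]` instead raises a `KeyError` naming the variable at the point of use, which is the behaviour a reader copying the snippet wants. The same pattern appears in the JavaScript, PHP and Ruby snippets of this commit, so it is worth fixing consistently.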
Lines changed: 67 additions & 0 deletions
@@ -0,0 +1,67 @@
1+
```ruby
2+
require "elasticsearch"
3+
4+
client = Elasticsearch::Client.new(
5+
host: ENV["ELASTICSEARCH_URL"],
6+
api_key: ENV["ELASTIC_API_KEY"]
7+
)
8+
9+
response = client.indices.create(
10+
index: "windows-security-logs",
11+
body: {
12+
"mappings": {
13+
"properties": {
14+
"@timestamp": {
15+
"type": "date"
16+
},
17+
"event": {
18+
"properties": {
19+
"code": {
20+
"type": "keyword"
21+
},
22+
"action": {
23+
"type": "keyword"
24+
}
25+
}
26+
},
27+
"user": {
28+
"properties": {
29+
"name": {
30+
"type": "keyword"
31+
},
32+
"domain": {
33+
"type": "keyword"
34+
}
35+
}
36+
},
37+
"host": {
38+
"properties": {
39+
"name": {
40+
"type": "keyword"
41+
},
42+
"ip": {
43+
"type": "ip"
44+
}
45+
}
46+
},
47+
"source": {
48+
"properties": {
49+
"ip": {
50+
"type": "ip"
51+
}
52+
}
53+
},
54+
"logon": {
55+
"properties": {
56+
"type": {
57+
"type": "keyword"
58+
}
59+
}
60+
}
61+
}
62+
}
63+
}
64+
)
65+
print(resp)
66+
67+
```
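Review bot: The final `print(resp)` references `resp`, but the `indices.create` call assigns its result to `response`, so the snippet raises `NameError` after the index has already been created. Change the last line to `puts response` — `puts` also adds the trailing newline that `print` omits, matching how the other client snippets echo their result. Note as well that `print`/`puts` of the response object is only useful if the client's response type has a readable `to_s`; if it does not, `puts response.body` is the clearer form.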
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
```console
2+
POST /_bulk?refresh=wait_for
3+
{"index":{"_index":"asset-inventory"}}
4+
{"host.name":"WS-001","asset.criticality":"medium","asset.owner":"IT","asset.department":"finance"}
5+
{"index":{"_index":"asset-inventory"}}
6+
{"host.name":"SRV-001","asset.criticality":"high","asset.owner":"IT","asset.department":"operations"}
7+
{"index":{"_index":"asset-inventory"}}
8+
{"host.name":"DB-001","asset.criticality":"critical","asset.owner":"DBA","asset.department":"finance"}
9+
{"index":{"_index":"asset-inventory"}}
10+
{"host.name":"DC-001","asset.criticality":"critical","asset.owner":"IT","asset.department":"infrastructure"}
11+
{"index":{"_index":"user-context"}}
12+
{"user.name":"jsmith","user.role":"analyst","user.department":"finance","user.privileged":false}
13+
{"index":{"_index":"user-context"}}
14+
{"user.name":"admin","user.role":"administrator","user.department":"IT","user.privileged":true}
15+
{"index":{"_index":"threat-intel"}}
16+
{"indicator.value":"185.220.101.45","indicator.type":"ip","threat.name":"APT-29","threat.severity":"high"}
17+
{"index":{"_index":"threat-intel"}}
18+
{"indicator.value":"powershell.exe","indicator.type":"process","threat.name":"Living off the Land","threat.severity":"medium"}
19+
```
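Review bot: The bulk request writes into `asset-inventory`, `user-context` and `threat-intel` without any index creation shown in this commit, so unless those indices are created with explicit mappings elsewhere the fields are dynamically mapped: `indicator.value` (`185.220.101.45`) becomes a `text` field with a `.keyword` sub-field rather than type `ip`, and a lookup or enrich step that wants to match on the security log's `source.ip` (mapped as `ip` in the sibling snippet) will either miss or have to compare strings. If this data is meant to drive threat-intel matching, a preceding `PUT /threat-intel` with `"indicator.value": {"type": "keyword"}` (or a dedicated `ip`-typed field for IP indicators) should be part of the example, or a sentence should say the dynamic mapping is acceptable for the walkthrough. The `threat.name` values (`APT-29`, `Living off the Land`) are sample data and should be labelled as such in the prose so readers do not treat `powershell.exe` as a standalone indicator.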
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
```bash
2+
curl -X POST "$ELASTICSEARCH_URL/_bulk?refresh=wait_for" \
3+
-H "Authorization: ApiKey $ELASTIC_API_KEY" \
4+
-H "Content-Type: application/x-ndjson" \
5+
-d $'{"index":{"_index":"asset-inventory"}}\n{"host.name":"WS-001","asset.criticality":"medium","asset.owner":"IT","asset.department":"finance"}\n{"index":{"_index":"asset-inventory"}}\n{"host.name":"SRV-001","asset.criticality":"high","asset.owner":"IT","asset.department":"operations"}\n{"index":{"_index":"asset-inventory"}}\n{"host.name":"DB-001","asset.criticality":"critical","asset.owner":"DBA","asset.department":"finance"}\n{"index":{"_index":"asset-inventory"}}\n{"host.name":"DC-001","asset.criticality":"critical","asset.owner":"IT","asset.department":"infrastructure"}\n{"index":{"_index":"user-context"}}\n{"user.name":"jsmith","user.role":"analyst","user.department":"finance","user.privileged":false}\n{"index":{"_index":"user-context"}}\n{"user.name":"admin","user.role":"administrator","user.department":"IT","user.privileged":true}\n{"index":{"_index":"threat-intel"}}\n{"indicator.value":"185.220.101.45","indicator.type":"ip","threat.name":"APT-29","threat.severity":"high"}\n{"index":{"_index":"threat-intel"}}\n{"indicator.value":"powershell.exe","indicator.type":"process","threat.name":"Living off the Land","threat.severity":"medium"}\n'
6+
```
