-
-
Save alsoGAMER/f437861142821858acfe42c84b0eff23 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"log.level":"info","@timestamp":"2024-02-16T10:12:27.957+0100","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":811},"message":"Home path: [C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64] Config path: [C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64] Data path: [C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\data] Logs path: [C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\logs]","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:27.957+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).loadMeta","file.name":"instance/beat.go","file.line":902},"message":"Beat metadata path: C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\data\\meta.json","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:27.967+0100","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).configure","file.name":"instance/beat.go","file.line":819},"message":"Beat ID: 88b3cd4b-c77d-4e4f-81e0-6f499ba33842","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:28.033+0100","log.logger":"conditions","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/conditions.NewCondition","file.name":"conditions/conditions.go","file.line":98},"message":"New condition contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:28.033+0100","log.logger":"conditions","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/conditions.NewCondition","file.name":"conditions/conditions.go","file.line":98},"message":"New condition !contains: map[]","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:28.034+0100","log.logger":"add_cloud_metadata","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata","file.name":"add_cloud_metadata/providers.go","file.line":130},"message":"add_cloud_metadata: starting to fetch metadata, timeout=3s","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.041+0100","log.logger":"add_cloud_metadata","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata","file.name":"add_cloud_metadata/providers.go","file.line":176},"message":"add_cloud_metadata: timed-out waiting for all responses","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.041+0100","log.logger":"add_cloud_metadata","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).fetchMetadata.func1","file.name":"add_cloud_metadata/providers.go","file.line":133},"message":"add_cloud_metadata: fetchMetadata ran for 3.0071231s","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.041+0100","log.logger":"add_cloud_metadata","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors/add_cloud_metadata.(*addCloudMetadata).init.func1","file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.041+0100","log.logger":"processors","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/processors.New","file.name":"processors/processor.go","file.line":114},"message":"Generated new processors: add_host_metadata=[netinfo.enabled=[true], cache.ttl=[5m0s]], condition=!contains: map[], add_cloud_metadata={}","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.042+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1337},"message":"Beat info","service.name":"winlogbeat","system_info":{"beat":{"path":{"config":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64","data":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\data","home":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64","logs":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\logs"},"type":"winlogbeat","uuid":"88b3cd4b-c77d-4e4f-81e0-6f499ba33842"},"ecs.version":"1.6.0"}} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.042+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1346},"message":"Build info","service.name":"winlogbeat","system_info":{"build":{"commit":"c7ec8f634ed6052674762b32fa640087d32f165f","libbeat":"8.12.1","time":"2024-02-01T11:51:42.000Z","version":"8.12.1"},"ecs.version":"1.6.0"}} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.043+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1349},"message":"Go runtime info","service.name":"winlogbeat","system_info":{"go":{"os":"windows","arch":"amd64","max_procs":4,"version":"go1.20.12"},"ecs.version":"1.6.0"}} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.067+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1355},"message":"Host info","service.name":"winlogbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2024-02-14T14:17:18+01:00","name":"userw10d","ip":["fe80::d8ff:5060:f230:9168","169.254.83.107","fe80::5c63:bfb5:9a59:601d","192.168.1.71","::1","127.0.0.1","fe80::9db:5fc5:bced:2486","172.31.96.1"],"kernel_version":"10.0.19041.4046 (WinBuild.160101.0800)","mac":["00:23:24:bd:01:b2","00:15:5d:4f:76:1e"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19045.4046"},"timezone":"CET","timezone_offset_sec":3600,"id":"bdab35d0-a700-4608-b2f5-a986372e5b55"},"ecs.version":"1.6.0"}} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.068+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.logSystemInfo","file.name":"instance/beat.go","file.line":1384},"message":"Process info","service.name":"winlogbeat","system_info":{"process":{"cwd":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64","exe":"C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\winlogbeat.exe","name":"winlogbeat.exe","pid":8552,"ppid":10548,"start_time":"2024-02-16T10:12:27.859+0100"},"ecs.version":"1.6.0"}} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.068+0100","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":334},"message":"Setup Beat: winlogbeat; Version: 8.12.1","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.088+0100","log.logger":"beat","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.(*Beat).createBeater","file.name":"instance/beat.go","file.line":362},"message":"Initializing output plugins","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.119+0100","log.logger":"cfgwarn","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*Config).Validate.func1","file.name":"tlscommon/config.go","file.line":101},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.120+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://192.168.1.103:9200","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.121+0100","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.121+0100","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*eventConsumer).run","file.name":"pipeline/consumer.go","file.line":110},"message":"start pipeline event consumer","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.121+0100","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.LoadWithSettings","file.name":"pipeline/module.go","file.line":105},"message":"Beat name: userW10D","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.121+0100","log.logger":"publisher","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/publisher/pipeline.(*queueReader).run","file.name":"pipeline/queue_reader.go","file.line":49},"message":"pipeline event consumer queue reader: start","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.122+0100","log.logger":"winlogbeat","log.origin":{"function":"github.com/elastic/beats/v7/winlogbeat/beater.New","file.name":"beater/winlogbeat.go","file.line":70},"message":"State will be read from and persisted to C:\\Users\\user\\Downloads\\winlogbeat-8.12.1-windows-x86_64\\data\\.winlogbeat.yml","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.122+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.NewConnection","file.name":"eslegclient/connection.go","file.line":122},"message":"elasticsearch url: https://192.168.1.103:9200","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.122+0100","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.123+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":284},"message":"ES Ping(url=https://192.168.1.103:9200)","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.123+0100","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.132+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport.LoggingDialer.func1","file.name":"transport/logging.go","file.line":42},"message":"Completed dialing successfully","service.name":"winlogbeat","network":"tcp","address":"192.168.1.103:9200","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.134+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":303},"message":"Ping status code: 200","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.134+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Ping","file.name":"eslegclient/connection.go","file.line":304},"message":"Attempting to connect to Elasticsearch version 8.12.1 (default)","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| Overwriting lifecycle policy is disabled. Set `setup.ilm.overwrite: true` to overwrite. | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.135+0100","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":254},"message":"Auto lifecycle enable success.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.135+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":359},"message":"GET https://192.168.1.103:9200/_ilm/policy/winlogbeat <nil>","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.149+0100","log.logger":"index-management.ilm","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt/lifecycle.(*stdManager).EnsurePolicy","file.name":"lifecycle/standard_manager.go","file.line":111},"message":"lifecycle policy winlogbeat exists already.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.149+0100","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.applyLifecycleSettingsToTemplate","file.name":"idxmgmt/index_support.go","file.line":402},"message":"Set settings.index.lifecycle.name in template to winlogbeat as ILM is enabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.150+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":359},"message":"HEAD https://192.168.1.103:9200/_index_template/winlogbeat-8.12.1 <nil>","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.159+0100","log.logger":"template","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*templateBuilder).buildBody","file.name":"template/load.go","file.line":263},"message":"Existing template will be overwritten, as overwrite is enabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.159+0100","log.logger":"template","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*templateBuilder).buildBodyFromFields","file.name":"template/load.go","file.line":309},"message":"Load default fields","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.290+0100","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).loadTemplate","file.name":"template/load.go","file.line":177},"message":"Try loading template winlogbeat-8.12.1 to Elasticsearch","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.290+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":359},"message":"PUT https://192.168.1.103:9200/_index_template/winlogbeat-8.12.1 map[data_stream:{} index_patterns:[winlogbeat-8.12.1] priority:150 template:{\"mappings\":{\"_meta\":{\"beat\":\"winlogbeat\",\"version\":\"8.12.1\"},\"date_detection\":false,\"dynamic_templates\":[{\"labels\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"labels.*\"}},{\"container.labels\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"container.labels.*\"}},{\"fields\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"fields.*\"}},{\"docker.container.labels\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"docker.container.labels.*\"}},{\"kubernetes.labels.*\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"*\",\"path_match\":\"kubernetes.labels.*\"}},{\"kubernetes.annotations.*\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"*\",\"path_match\":\"kubernetes.annotations.*\"}},{\"kubernetes.selectors.*\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"*\",\"path_match\":\"kubernetes.selectors.*\"}},{\"winlog.event_data\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"winlog.event_data.*\"}},{\"winlog.user_data\":{\"mapping\":{\"type\":\"keyword\"},\"match_mapping_type\":\"string\",\"path_match\":\"winlog.user_data.*\"}},{\"strings_as_keyword\":{\"mapping\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"match_mapping_type\":\"string\"}}],\"properties\":{\"@timestamp\":{\"type\":\"date\"},\"agent\":{\"properties\":{\"build\":{\"properties\":{\"original\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ephemeral_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hostname\":{\"path\":\"agent.name\",\"type\":\"alias\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"client\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"bytes\":{\"type\":\"long\"},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"nat\":{\"properties\":{\"ip\":{\"type\":\"ip\"},\"port\":{\"type\":\"long\"}}},\"packets\":{\"type\":\"long\"},\"port\":{\"type\":\"long\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"cloud\":{\"properties\":{\"account\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"availability_zone\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"image\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"instance\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"machine\":{\"properties\":{\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"origin\":{\"properties\":{\"account\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"availability_zone\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"instance\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"machine\":{\"properties\":{\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"project\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"service\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"project\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"service\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"target\":{\"properties\":{\"account\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"availability_zone\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"instance\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"machine\":{\"properties\":{\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"project\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"service\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}}}},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"container\":{\"properties\":{\"cpu\":{\"properties\":{\"usage\":{\"scaling_factor\":1000,\"type\":\"scaled_float\"}}},\"disk\":{\"properties\":{\"read\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}},\"write\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}}}},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"image\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"tag\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"labels\":{\"type\":\"object\"},\"memory\":{\"properties\":{\"usage\":{\"scaling_factor\":1000,\"type\":\"scaled_float\"}}},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"network\":{\"properties\":{\"egress\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}},\"ingress\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}}}},\"runtime\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"data_stream\":{\"properties\":{\"dataset\":{\"type\":\"constant_keyword\"},\"namespace\":{\"type\":\"constant_keyword\"},\"type\":{\"type\":\"constant_keyword\"}}},\"destination\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"bytes\":{\"type\":\"long\"},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"nat\":{\"properties\":{\"ip\":{\"type\":\"ip\"},\"port\":{\"type\":\"long\"}}},\"packets\":{\"type\":\"long\"},\"port\":{\"type\":\"long\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"dll\":{\"properties\":{\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"dns\":{\"properties\":{\"answers\":{\"properties\":{\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ttl\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"object\"},\"header_flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"op_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"question\":{\"properties\":{\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"resolved_ip\":{\"type\":\"ip\"},\"response_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"docker\":{\"properties\":{\"container\":{\"properties\":{\"labels\":{\"type\":\"object\"}}}}},\"ecs\":{\"properties\":{\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"error\":{\"properties\":{\"code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"message\":{\"type\":\"match_only_text\"},\"stack_trace\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"event\":{\"properties\":{\"action\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"agent_id_status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"category\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"created\":{\"type\":\"date\"},\"dataset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"duration\":{\"type\":\"long\"},\"end\":{\"type\":\"date\"},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ingested\":{\"type\":\"date\"},\"kind\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"module\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"outcome\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reason\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"risk_score\":{\"type\":\"float\"},\"risk_score_norm\":{\"type\":\"float\"},\"sequence\":{\"type\":\"long\"},\"severity\":{\"type\":\"long\"},\"start\":{\"type\":\"date\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"url\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"faas\":{\"properties\":{\"coldstart\":{\"type\":\"boolean\"},\"execution\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"trigger\":{\"properties\":{\"request_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"}}},\"fields\":{\"type\":\"object\"},\"file\":{\"properties\":{\"accessed\":{\"type\":\"date\"},\"attributes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"created\":{\"type\":\"date\"},\"ctime\":{\"type\":\"date\"},\"device\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"directory\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"drive_letter\":{\"ignore_above\":1,\"type\":\"keyword\"},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fork_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"gid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"inode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mime_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mtime\":{\"type\":\"date\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"owner\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"size\":{\"type\":\"long\"},\"target_path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"host\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"containerized\":{\"type\":\"boolean\"},\"cpu\":{\"properties\":{\"usage\":{\"scaling_factor\":1000,\"type\":\"scaled_float\"}}},\"disk\":{\"properties\":{\"read\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}},\"write\":{\"properties\":{\"bytes\":{\"type\":\"long\"}}}}},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hostname\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"network\":{\"properties\":{\"egress\":{\"properties\":{\"bytes\":{\"type\":\"long\"},\"packets\":{\"type\":\"long\"}}},\"ingress\":{\"properties\":{\"bytes\":{\"type\":\"long\"},\"packets\":{\"type\":\"long\"}}}}},\"os\":{\"properties\":{\"build\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"codename\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"family\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"kernel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"platform\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uptime\":{\"type\":\"long\"}}},\"http\":{\"properties\":{\"request\":{\"properties\":{\"body\":{\"properties\":{\"bytes\":{\"type\":\"long\"},\"content\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"}}},\"bytes\":{\"type\":\"long\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"method\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mime_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"referrer\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"response\":{\"properties\":{\"body\":{\"properties\":{\"bytes\":{\"type\":\"long\"},\"content\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"}}},\"bytes\":{\"type\":\"long\"},\"mime_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status_code\":{\"type\":\"long\"}}},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"interface\":{\"properties\":{\"alias\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"jolokia\":{\"properties\":{\"agent\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"secured\":{\"type\":\"boolean\"},\"server\":{\"properties\":{\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"vendor\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"url\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"kubernetes\":{\"properties\":{\"annotations\":{\"properties\":{\"*\":{\"type\":\"object\"}}},\"container\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"deployment\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"labels\":{\"properties\":{\"*\":{\"type\":\"object\"}}},\"namespace\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"node\":{\"properties\":{\"hostname\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"pod\":{\"properties\":{\"ip\":{\"type\":\"ip\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uid\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"replicaset\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"selectors\":{\"properties\":{\"*\":{\"type\":\"object\"}}},\"statefulset\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"labels\":{\"type\":\"object\"},\"log\":{\"properties\":{\"file\":{\"properties\":{\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"level\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"logger\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"origin\":{\"properties\":{\"file\":{\"properties\":{\"line\":{\"type\":\"long\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"function\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"syslog\":{\"properties\":{\"facility\":{\"properties\":{\"code\":{\"type\":\"long\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"priority\":{\"type\":\"long\"},\"severity\":{\"properties\":{\"code\":{\"type\":\"long\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}},\"type\":\"object\"}}},\"message\":{\"type\":\"match_only_text\"},\"network\":{\"properties\":{\"application\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"bytes\":{\"type\":\"long\"},\"community_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"direction\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"forwarded_ip\":{\"type\":\"ip\"},\"iana_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"inner\":{\"properties\":{\"vlan\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}},\"type\":\"object\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"packets\":{\"type\":\"long\"},\"protocol\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"transport\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"vlan\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"observer\":{\"properties\":{\"egress\":{\"properties\":{\"interface\":{\"properties\":{\"alias\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"vlan\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"zone\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"object\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hostname\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ingress\":{\"properties\":{\"interface\":{\"properties\":{\"alias\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"vlan\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"zone\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"object\"},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os\":{\"properties\":{\"family\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"kernel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"platform\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"vendor\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"orchestrator\":{\"properties\":{\"api_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cluster\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"url\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"namespace\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"resource\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"organization\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}},\"os\":{\"properties\":{\"family\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"kernel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"platform\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"package\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"build_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"checksum\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"install_scope\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"installed\":{\"type\":\"date\"},\"license\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"powershell\":{\"properties\":{\"command\":{\"properties\":{\"invocation_details\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"related_command\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"value\":{\"norms\":false,\"type\":\"text\"}}},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"value\":{\"norms\":false,\"type\":\"text\"}}},\"connected_user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"engine\":{\"properties\":{\"new_state\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"previous_state\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"file\":{\"properties\":{\"script_block_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"script_block_text\":{\"analyzer\":\"winlogbeat_powershell_script_analyzer\",\"norms\":false,\"search_analyzer\":\"winlogbeat_powershell_script_analyzer\",\"type\":\"text\"}}},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"pipeline_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"process\":{\"properties\":{\"executable_version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"provider\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"new_state\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"runspace_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sequence\":{\"type\":\"long\"},\"total\":{\"type\":\"long\"}}},\"process\":{\"properties\":{\"args\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"args_count\":{\"type\":\"long\"},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"command_line\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"end\":{\"type\":\"date\"},\"entity_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"executable\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"exit_code\":{\"type\":\"long\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"owner\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"norms\":false,\"type\":\"text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}},\"parent\":{\"properties\":{\"args\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"args_count\":{\"type\":\"long\"},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"command_line\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"end\":{\"type\":\"date\"},\"entity_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"executable\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"exit_code\":{\"type\":\"long\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"pgid\":{\"type\":\"long\"},\"pid\":{\"type\":\"long\"},\"start\":{\"type\":\"date\"},\"thread\":{\"properties\":{\"id\":{\"type\":\"long\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"title\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"uptime\":{\"type\":\"long\"},\"working_directory\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"pgid\":{\"type\":\"long\"},\"pid\":{\"type\":\"long\"},\"start\":{\"type\":\"date\"},\"thread\":{\"properties\":{\"id\":{\"type\":\"long\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"title\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"uptime\":{\"type\":\"long\"},\"working_directory\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}},\"registry\":{\"properties\":{\"data\":{\"properties\":{\"bytes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"strings\":{\"type\":\"wildcard\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hive\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"key\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"value\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"related\":{\"properties\":{\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hosts\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ip\":{\"type\":\"ip\"},\"user\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"rule\":{\"properties\":{\"author\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"category\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"license\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ruleset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uuid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"server\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"bytes\":{\"type\":\"long\"},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"nat\":{\"properties\":{\"ip\":{\"type\":\"ip\"},\"port\":{\"type\":\"long\"}}},\"packets\":{\"type\":\"long\"},\"port\":{\"type\":\"long\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"service\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"environment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ephemeral_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"node\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"origin\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"environment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ephemeral_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"node\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"state\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"state\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"target\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"environment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ephemeral_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"node\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"state\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"source\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"bytes\":{\"type\":\"long\"},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"mac\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"nat\":{\"properties\":{\"ip\":{\"type\":\"ip\"},\"port\":{\"type\":\"long\"}}},\"packets\":{\"type\":\"long\"},\"port\":{\"type\":\"long\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"span\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"sysmon\":{\"properties\":{\"dns\":{\"properties\":{\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"file\":{\"properties\":{\"archived\":{\"type\":\"boolean\"},\"is_executable\":{\"type\":\"boolean\"}}}}},\"tags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"threat\":{\"properties\":{\"enrichments\":{\"properties\":{\"indicator\":{\"properties\":{\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"confidence\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"file\":{\"properties\":{\"accessed\":{\"type\":\"date\"},\"attributes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"created\":{\"type\":\"date\"},\"ctime\":{\"type\":\"date\"},\"device\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"directory\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"drive_letter\":{\"ignore_above\":1,\"type\":\"keyword\"},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fork_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"gid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"inode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mime_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mtime\":{\"type\":\"date\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"owner\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"size\":{\"type\":\"long\"},\"target_path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"first_seen\":{\"type\":\"date\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"last_seen\":{\"type\":\"date\"},\"marking\":{\"properties\":{\"tlp\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"modified_at\":{\"type\":\"date\"},\"port\":{\"type\":\"long\"},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registry\":{\"properties\":{\"data\":{\"properties\":{\"bytes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"strings\":{\"type\":\"wildcard\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hive\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"key\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"value\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"scanner_stats\":{\"type\":\"long\"},\"sightings\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"url\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fragment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"original\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"password\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"type\":\"wildcard\"},\"port\":{\"type\":\"long\"},\"query\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"scheme\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"username\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}},\"type\":\"object\"},\"matched\":{\"properties\":{\"atomic\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"field\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"index\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}},\"type\":\"nested\"},\"framework\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"alias\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"indicator\":{\"properties\":{\"as\":{\"properties\":{\"number\":{\"type\":\"long\"},\"organization\":{\"properties\":{\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"confidence\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"properties\":{\"address\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"file\":{\"properties\":{\"accessed\":{\"type\":\"date\"},\"attributes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"code_signature\":{\"properties\":{\"digest_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"exists\":{\"type\":\"boolean\"},\"signing_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"team_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timestamp\":{\"type\":\"date\"},\"trusted\":{\"type\":\"boolean\"},\"valid\":{\"type\":\"boolean\"}}},\"created\":{\"type\":\"date\"},\"ctime\":{\"type\":\"date\"},\"device\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"directory\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"drive_letter\":{\"ignore_above\":1,\"type\":\"keyword\"},\"elf\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"byte_order\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"cpu_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"creation_date\":{\"type\":\"date\"},\"exports\":{\"type\":\"flattened\"},\"header\":{\"properties\":{\"abi_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"class\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"data\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"entrypoint\":{\"type\":\"long\"},\"object_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"os_abi\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"imports\":{\"type\":\"flattened\"},\"sections\":{\"properties\":{\"chi2\":{\"type\":\"long\"},\"entropy\":{\"type\":\"long\"},\"flags\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_offset\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"physical_size\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"virtual_address\":{\"type\":\"long\"},\"virtual_size\":{\"type\":\"long\"}},\"type\":\"nested\"},\"segments\":{\"properties\":{\"sections\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}},\"type\":\"nested\"},\"shared_libraries\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"telfhash\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fork_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"gid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha512\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ssdeep\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"inode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mime_type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"mtime\":{\"type\":\"date\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"owner\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"pe\":{\"properties\":{\"architecture\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"file_version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"imphash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original_file_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"product\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"size\":{\"type\":\"long\"},\"target_path\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"uid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"first_seen\":{\"type\":\"date\"},\"geo\":{\"properties\":{\"city_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"continent_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"location\":{\"type\":\"geo_point\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"postal_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_iso_code\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"region_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"timezone\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"ip\":{\"type\":\"ip\"},\"last_seen\":{\"type\":\"date\"},\"marking\":{\"properties\":{\"tlp\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"modified_at\":{\"type\":\"date\"},\"port\":{\"type\":\"long\"},\"provider\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registry\":{\"properties\":{\"data\":{\"properties\":{\"bytes\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"strings\":{\"type\":\"wildcard\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hive\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"key\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"value\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"scanner_stats\":{\"type\":\"long\"},\"sightings\":{\"type\":\"long\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"url\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fragment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"original\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"password\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"type\":\"wildcard\"},\"port\":{\"type\":\"long\"},\"query\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"scheme\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"username\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"software\":{\"properties\":{\"alias\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"platforms\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"tactic\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"technique\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subtechnique\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}}}},\"timeseries\":{\"properties\":{\"instance\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"tls\":{\"properties\":{\"cipher\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"client\":{\"properties\":{\"certificate\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"certificate_chain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"issuer\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ja3\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"server_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"supported_ciphers\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"established\":{\"type\":\"boolean\"},\"next_protocol\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"resumed\":{\"type\":\"boolean\"},\"server\":{\"properties\":{\"certificate\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"certificate_chain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"hash\":{\"properties\":{\"md5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sha256\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"issuer\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ja3s\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"subject\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version_protocol\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"trace\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"transaction\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"url\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"extension\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"fragment\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"original\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"type\":\"wildcard\"},\"password\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"path\":{\"type\":\"wildcard\"},\"port\":{\"type\":\"long\"},\"query\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"registered_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"scheme\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subdomain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"top_level_domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"username\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"user\":{\"properties\":{\"changes\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"effective\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"target\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"email\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full_name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"group\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"hash\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"roles\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"user_agent\":{\"properties\":{\"device\":{\"properties\":{\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"original\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"os\":{\"properties\":{\"family\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"full\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"kernel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"platform\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"vlan\":{\"properties\":{\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"vulnerability\":{\"properties\":{\"category\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"classification\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"description\":{\"fields\":{\"text\":{\"type\":\"match_only_text\"}},\"ignore_above\":1024,\"type\":\"keyword\"},\"enumeration\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"reference\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"report_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"scanner\":{\"properties\":{\"vendor\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"score\":{\"properties\":{\"base\":{\"type\":\"float\"},\"environmental\":{\"type\":\"float\"},\"temporal\":{\"type\":\"float\"},\"version\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"severity\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"winlog\":{\"properties\":{\"activity_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"api\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"channel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"computerObject\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"computer_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"event_data\":{\"properties\":{\"AuthenticationPackageName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Binary\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"BitlockerUserInputTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"BootMode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"BootType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"BuildVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"CallTrace\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ClientInfo\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Company\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Configuration\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"CorruptionActionState\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"CreationUtcTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Description\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Detail\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DeviceName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DeviceNameLength\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DeviceTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DeviceVersionMajor\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DeviceVersionMinor\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DriveName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DriverName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DriverNameLength\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"DwordVal\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"EntryCount\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"EventNamespace\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"EventType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ExtraInfo\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"FailureName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"FailureNameLength\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"FileVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"FinalStatus\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"GrantedAccess\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Group\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"IdleImplementation\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"IdleStateCount\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ImpersonationLevel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"IntegrityLevel\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"IpAddress\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"IpPort\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"KeyLength\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LastBootGood\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LastShutdownGood\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LmPackageName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LogonGuid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LogonId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LogonProcessName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"LogonType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MajorVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MaximumPerformancePercent\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MemberName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MemberSid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MinimumPerformancePercent\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MinimumThrottlePercent\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"MinorVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NewProcessId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NewProcessName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NewSchemeGuid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NewThreadId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NewTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"NominalFrequency\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"OldSchemeGuid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"OldTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Operation\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"OriginalFileName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Path\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PerformanceImplementation\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PreviousCreationUtcTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PreviousTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PrivilegeList\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ProcessId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ProcessName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ProcessPath\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ProcessPid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Product\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PuaCount\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"PuaPolicyId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"QfeVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Query\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Reason\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SchemaVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ScriptBlockText\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ServiceName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ServiceVersion\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Session\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ShutdownActionType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ShutdownEventCode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"ShutdownReason\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Signature\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SignatureStatus\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Signed\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"StartAddress\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"StartFunction\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"StartModule\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"StartTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"State\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"StopTime\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SubjectDomainName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SubjectLogonId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SubjectUserName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"SubjectUserSid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TSId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetDomainName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetImage\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetInfo\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetLogonGuid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetLogonId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetProcessGUID\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetProcessId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetServerName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetUserName\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TargetUserSid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TerminalSessionId\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TokenElevationType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"TransmittedServices\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Type\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"UserSid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Version\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"Workstation\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param1\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param2\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param3\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param4\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param5\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param6\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param7\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"param8\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"event_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"keywords\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"logon\":{\"properties\":{\"failure\":{\"properties\":{\"reason\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"status\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"sub_status\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"opcode\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"process\":{\"properties\":{\"pid\":{\"type\":\"long\"},\"thread\":{\"properties\":{\"id\":{\"type\":\"long\"}}}}},\"provider_guid\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"provider_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"record_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"related_activity_id\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"task\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"time_created\":{\"type\":\"date\"},\"trustAttribute\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"trustDirection\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"trustType\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"user\":{\"properties\":{\"domain\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"identifier\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"type\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"user_data\":{\"type\":\"object\"},\"version\":{\"type\":\"long\"}}},\"x509\":{\"properties\":{\"alternative_names\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"issuer\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"not_after\":{\"type\":\"date\"},\"not_before\":{\"type\":\"date\"},\"public_key_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_curve\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"public_key_exponent\":{\"doc_values\":false,\"index\":false,\"type\":\"long\"},\"public_key_size\":{\"type\":\"long\"},\"serial_number\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"signature_algorithm\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"subject\":{\"properties\":{\"common_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"country\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"distinguished_name\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"locality\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organization\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"organizational_unit\":{\"ignore_above\":1024,\"type\":\"keyword\"},\"state_or_province\":{\"ignore_above\":1024,\"type\":\"keyword\"}}},\"version_number\":{\"ignore_above\":1024,\"type\":\"keyword\"}}}}},\"settings\":{\"analysis\":{\"analyzer\":{\"winlogbeat_powershell_script_analyzer\":{\"pattern\":\"[\\\\W\\u0026\\u0026[^-]]+\",\"type\":\"pattern\"}}},\"index\":{\"lifecycle\":{\"name\":\"winlogbeat\"},\"mapping\":{\"total_fields\":{\"limit\":10000}},\"max_docvalue_fields_search\":200,\"number_of_shards\":1,\"query\":{\"default_field\":[\"message\",\"tags\",\"agent.ephemeral_id\",\"agent.id\",\"agent.name\",\"agent.type\",\"agent.version\",\"as.organization.name\",\"client.address\",\"client.as.organization.name\",\"client.domain\",\"client.geo.city_name\",\"client.geo.continent_name\",\"client.geo.country_iso_code\",\"client.geo.country_name\",\"client.geo.name\",\"client.geo.region_iso_code\",\"client.geo.region_name\",\"client.mac\",\"client.registered_domain\",\"client.top_level_domain\",\"client.user.domain\",\"client.user.email\",\"client.user.full_name\",\"client.user.group.domain\",\"client.user.group.id\",\"client.user.group.name\",\"client.user.hash\",\"client.user.id\",\"client.user.name\",\"cloud.account.id\",\"cloud.availability_zone\",\"cloud.instance.id\",\"cloud.instance.name\",\"cloud.machine.type\",\"cloud.provider\",\"cloud.region\",\"container.id\",\"container.image.name\",\"container.image.tag\",\"container.name\",\"container.runtime\",\"destination.address\",\"destination.as.organization.name\",\"destination.domain\",\"destination.geo.city_name\",\"destination.geo.continent_name\",\"destination.geo.country_iso_code\",\"destination.geo.country_name\",\"destination.geo.name\",\"destination.geo.region_iso_code\",\"destination.geo.region_name\",\"destination.mac\",\"destination.registered_domain\",\"destination.top_level_domain\",\"destination.user.domain\",\"destination.user.email\",\"destination.user.full_name\",\"destination.user.group.domain\",\"destination.user.group.id\",\"destination.user.group.name\",\"destination.user.hash\",\"destination.user.id\",\"destination.user.name\",\"dns.answers.class\",\"dns.answers.data\",\"dns.answers.name\",\"dns.answers.type\",\"dns.header_flags\",\"dns.id\",\"dns.op_code\",\"dns.question.class\",\"dns.question.name\",\"dns.question.registered_domain\",\"dns.question.subdomain\",\"dns.question.top_level_domain\",\"dns.question.type\",\"dns.response_code\",\"dns.type\",\"ecs.version\",\"error.code\",\"error.id\",\"error.message\",\"error.stack_trace\",\"error.type\",\"event.action\",\"event.category\",\"event.code\",\"event.dataset\",\"event.hash\",\"event.id\",\"event.kind\",\"event.module\",\"event.outcome\",\"event.provider\",\"event.timezone\",\"event.type\",\"file.device\",\"file.directory\",\"file.extension\",\"file.gid\",\"file.group\",\"file.hash.md5\",\"file.hash.sha1\",\"file.hash.sha256\",\"file.hash.sha512\",\"file.inode\",\"file.mode\",\"file.name\",\"file.owner\",\"file.path\",\"file.target_path\",\"file.type\",\"file.uid\",\"geo.city_name\",\"geo.continent_name\",\"geo.country_iso_code\",\"geo.country_name\",\"geo.name\",\"geo.region_iso_code\",\"geo.region_name\",\"group.domain\",\"group.id\",\"group.name\",\"hash.md5\",\"hash.sha1\",\"hash.sha256\",\"hash.sha512\",\"host.architecture\",\"host.geo.city_name\",\"host.geo.continent_name\",\"host.geo.country_iso_code\",\"host.geo.country_name\",\"host.geo.name\",\"host.geo.region_iso_code\",\"host.geo.region_name\",\"host.hostname\",\"host.id\",\"host.mac\",\"host.name\",\"host.os.family\",\"host.os.full\",\"host.os.kernel\",\"host.os.name\",\"host.os.platform\",\"host.os.version\",\"host.type\",\"http.request.body.content\",\"http.request.method\",\"http.request.referrer\",\"http.response.body.content\",\"http.version\",\"log.level\",\"log.logger\",\"log.origin.file.name\",\"log.origin.function\",\"log.syslog.facility.name\",\"log.syslog.severity.name\",\"network.application\",\"network.community_id\",\"network.direction\",\"network.iana_number\",\"network.name\",\"network.protocol\",\"network.transport\",\"network.type\",\"observer.geo.city_name\",\"observer.geo.continent_name\",\"observer.geo.country_iso_code\",\"observer.geo.country_name\",\"observer.geo.name\",\"observer.geo.region_iso_code\",\"observer.geo.region_name\",\"observer.hostname\",\"observer.mac\",\"observer.name\",\"observer.os.family\",\"observer.os.full\",\"observer.os.kernel\",\"observer.os.name\",\"observer.os.platform\",\"observer.os.version\",\"observer.product\",\"observer.serial_number\",\"observer.type\",\"observer.vendor\",\"observer.version\",\"organization.id\",\"organization.name\",\"os.family\",\"os.full\",\"os.kernel\",\"os.name\",\"os.platform\",\"os.version\",\"package.architecture\",\"package.checksum\",\"package.description\",\"package.install_scope\",\"package.license\",\"package.name\",\"package.path\",\"package.version\",\"process.args\",\"process.executable\",\"process.hash.md5\",\"process.hash.sha1\",\"process.hash.sha256\",\"process.hash.sha512\",\"process.name\",\"process.thread.name\",\"process.title\",\"process.working_directory\",\"server.address\",\"server.as.organization.name\",\"server.domain\",\"server.geo.city_name\",\"server.geo.continent_name\",\"server.geo.country_iso_code\",\"server.geo.country_name\",\"server.geo.name\",\"server.geo.region_iso_code\",\"server.geo.region_name\",\"server.mac\",\"server.registered_domain\",\"server.top_level_domain\",\"server.user.domain\",\"server.user.email\",\"server.user.full_name\",\"server.user.group.domain\",\"server.user.group.id\",\"server.user.group.name\",\"server.user.hash\",\"server.user.id\",\"server.user.name\",\"service.ephemeral_id\",\"service.id\",\"service.name\",\"service.node.name\",\"service.state\",\"service.type\",\"service.version\",\"source.address\",\"source.as.organization.name\",\"source.domain\",\"source.geo.city_name\",\"source.geo.continent_name\",\"source.geo.country_iso_code\",\"source.geo.country_name\",\"source.geo.name\",\"source.geo.region_iso_code\",\"source.geo.region_name\",\"source.mac\",\"source.registered_domain\",\"source.top_level_domain\",\"source.user.domain\",\"source.user.email\",\"source.user.full_name\",\"source.user.group.domain\",\"source.user.group.id\",\"source.user.group.name\",\"source.user.hash\",\"source.user.id\",\"source.user.name\",\"threat.framework\",\"threat.tactic.id\",\"threat.tactic.name\",\"threat.tactic.reference\",\"threat.technique.id\",\"threat.technique.name\",\"threat.technique.reference\",\"trace.id\",\"transaction.id\",\"url.domain\",\"url.extension\",\"url.fragment\",\"url.full\",\"url.original\",\"url.password\",\"url.path\",\"url.query\",\"url.registered_domain\",\"url.scheme\",\"url.top_level_domain\",\"url.username\",\"user.domain\",\"user.email\",\"user.full_name\",\"user.group.domain\",\"user.group.id\",\"user.group.name\",\"user.hash\",\"user.id\",\"user.name\",\"user_agent.device.name\",\"user_agent.name\",\"user_agent.original.text\",\"user_agent.original\",\"user_agent.os.family\",\"user_agent.os.full\",\"user_agent.os.kernel\",\"user_agent.os.name\",\"user_agent.os.platform\",\"user_agent.os.version\",\"user_agent.version\",\"cloud.image.id\",\"host.os.build\",\"host.os.codename\",\"kubernetes.pod.name\",\"kubernetes.pod.uid\",\"kubernetes.namespace\",\"kubernetes.node.name\",\"kubernetes.node.hostname\",\"kubernetes.replicaset.name\",\"kubernetes.deployment.name\",\"kubernetes.statefulset.name\",\"kubernetes.container.name\",\"process.owner.id\",\"process.owner.name.text\",\"process.owner.name\",\"jolokia.agent.version\",\"jolokia.agent.id\",\"jolokia.server.product\",\"jolokia.server.version\",\"jolokia.server.vendor\",\"jolokia.url\",\"fields.*\"]},\"refresh_interval\":\"5s\"}}}]","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.412+0100","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).Load","file.name":"template/load.go","file.line":134},"message":"Template with name \"winlogbeat-8.12.1\" loaded.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"debug","@timestamp":"2024-02-16T10:12:31.412+0100","log.logger":"esclientleg","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/esleg/eslegclient.(*Connection).Request","file.name":"eslegclient/connection.go","file.line":359},"message":"GET https://192.168.1.103:9200/_data_stream/winlogbeat-8.12.1 <nil>","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.414+0100","log.logger":"template_loader","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/template.(*ESLoader).Load","file.name":"template/load.go","file.line":150},"message":"Data stream with name \"winlogbeat-8.12.1\" already exists.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.416+0100","log.logger":"index-management","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/idxmgmt.(*indexManager).Setup","file.name":"idxmgmt/index_support.go","file.line":299},"message":"Loaded index template.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| Index setup finished. | |
| Loading dashboards (Kibana must be running and reachable) | |
| {"log.level":"info","@timestamp":"2024-02-16T10:12:31.417+0100","log.logger":"kibana","log.origin":{"function":"github.com/elastic/elastic-agent-libs/kibana.NewClientWithConfigDefault","file.name":"kibana/client.go","file.line":182},"message":"Kibana url: https://192.168.1.103:5601","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.418+0100","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"warn","@timestamp":"2024-02-16T10:12:31.418+0100","log.logger":"tls","log.origin":{"function":"github.com/elastic/elastic-agent-libs/transport/tlscommon.(*TLSConfig).ToConfig","file.name":"tlscommon/tls_config.go","file.line":107},"message":"SSL/TLS verifications disabled.","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| {"log.level":"error","@timestamp":"2024-02-16T10:12:31.447+0100","log.origin":{"function":"github.com/elastic/beats/v7/libbeat/cmd/instance.handleError","file.name":"instance/beat.go","file.line":1312},"message":"Exiting: error connecting to Kibana: fail to get the Kibana version: fail to parse kibana version (): passed version is not semver: ","service.name":"winlogbeat","ecs.version":"1.6.0"} | |
| Exiting: error connecting to Kibana: fail to get the Kibana version: fail to parse kibana version (): passed version is not semver: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment