winlogbeat mapping
{ | |
"logstash-master-winlogbeat-rollover-000001" : { | |
"mappings" : { | |
"_meta" : { | |
"beat" : "winlogbeat", | |
"version" : "7.9.1" | |
}, | |
"dynamic_templates" : [ | |
{ | |
"labels" : { | |
"path_match" : "labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"container.labels" : { | |
"path_match" : "container.labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"dns.answers" : { | |
"path_match" : "dns.answers.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"log.syslog" : { | |
"path_match" : "log.syslog.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"network.inner" : { | |
"path_match" : "network.inner.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"observer.egress" : { | |
"path_match" : "observer.egress.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"observer.ingress" : { | |
"path_match" : "observer.ingress.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"fields" : { | |
"path_match" : "fields.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"docker.container.labels" : { | |
"path_match" : "docker.container.labels.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"kubernetes.labels.*" : { | |
"path_match" : "kubernetes.labels.*", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"kubernetes.annotations.*" : { | |
"path_match" : "kubernetes.annotations.*", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"winlog.event_data" : { | |
"path_match" : "winlog.event_data.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"winlog.user_data" : { | |
"path_match" : "winlog.user_data.*", | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
{ | |
"strings_as_keyword" : { | |
"match_mapping_type" : "string", | |
"mapping" : { | |
"ignore_above" : 1024, | |
"type" : "keyword" | |
} | |
} | |
} | |
], | |
"date_detection" : false, | |
"properties" : { | |
"@timestamp" : { | |
"type" : "date" | |
}, | |
"@version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"agent" : { | |
"properties" : { | |
"ephemeral_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"client" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"cloud" : { | |
"properties" : { | |
"account" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"availability_zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"image" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"instance" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"machine" : { | |
"properties" : { | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"project" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"provider" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"code_signature" : { | |
"properties" : { | |
"exists" : { | |
"type" : "boolean" | |
}, | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trusted" : { | |
"type" : "boolean" | |
}, | |
"valid" : { | |
"type" : "boolean" | |
} | |
} | |
}, | |
"container" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"image" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tag" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"labels" : { | |
"type" : "object" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"runtime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"destination" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"dll" : { | |
"properties" : { | |
"code_signature" : { | |
"properties" : { | |
"exists" : { | |
"type" : "boolean" | |
}, | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trusted" : { | |
"type" : "boolean" | |
}, | |
"valid" : { | |
"type" : "boolean" | |
} | |
} | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"pe" : { | |
"properties" : { | |
"company" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original_file_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"dns" : { | |
"properties" : { | |
"answers" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"data" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ttl" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"header_flags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"op_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"question" : { | |
"properties" : { | |
"class" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subdomain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"resolved_ip" : { | |
"type" : "ip" | |
}, | |
"response_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"docker" : { | |
"properties" : { | |
"container" : { | |
"properties" : { | |
"labels" : { | |
"type" : "object" | |
} | |
} | |
} | |
} | |
}, | |
"ecs" : { | |
"properties" : { | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"error" : { | |
"properties" : { | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"stack_trace" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"event" : { | |
"properties" : { | |
"action" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"created" : { | |
"type" : "date" | |
}, | |
"dataset" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"duration" : { | |
"type" : "long" | |
}, | |
"end" : { | |
"type" : "date" | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ingested" : { | |
"type" : "date" | |
}, | |
"kind" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"module" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"outcome" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"provider" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"risk_score" : { | |
"type" : "float" | |
}, | |
"risk_score_norm" : { | |
"type" : "float" | |
}, | |
"sequence" : { | |
"type" : "long" | |
}, | |
"severity" : { | |
"type" : "long" | |
}, | |
"start" : { | |
"type" : "date" | |
}, | |
"timezone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"fields" : { | |
"type" : "object" | |
}, | |
"file" : { | |
"properties" : { | |
"accessed" : { | |
"type" : "date" | |
}, | |
"attributes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"code_signature" : { | |
"properties" : { | |
"exists" : { | |
"type" : "boolean" | |
}, | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trusted" : { | |
"type" : "boolean" | |
}, | |
"valid" : { | |
"type" : "boolean" | |
} | |
} | |
}, | |
"created" : { | |
"type" : "date" | |
}, | |
"ctime" : { | |
"type" : "date" | |
}, | |
"device" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"directory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"drive_letter" : { | |
"type" : "keyword", | |
"ignore_above" : 1 | |
}, | |
"extension" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"gid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"group" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"inode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mime_type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"mtime" : { | |
"type" : "date" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"owner" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"pe" : { | |
"properties" : { | |
"company" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original_file_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"size" : { | |
"type" : "long" | |
}, | |
"target_path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"host" : { | |
"properties" : { | |
"architecture" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"containerized" : { | |
"type" : "boolean" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"os" : { | |
"properties" : { | |
"build" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"codename" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uptime" : { | |
"type" : "long" | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"host-hostname" : { | |
"type" : "alias", | |
"path" : "host.hostname" | |
}, | |
"http" : { | |
"properties" : { | |
"request" : { | |
"properties" : { | |
"body" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "long" | |
}, | |
"content" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"method" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"referrer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"response" : { | |
"properties" : { | |
"body" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "long" | |
}, | |
"content" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"status_code" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"interface" : { | |
"properties" : { | |
"alias" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"jolokia" : { | |
"properties" : { | |
"agent" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"secured" : { | |
"type" : "boolean" | |
}, | |
"server" : { | |
"properties" : { | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"url" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"kubernetes" : { | |
"properties" : { | |
"annotations" : { | |
"properties" : { | |
"*" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"container" : { | |
"properties" : { | |
"image" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"deployment" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"labels" : { | |
"properties" : { | |
"*" : { | |
"type" : "object" | |
} | |
} | |
}, | |
"namespace" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"node" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"pod" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"replicaset" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"statefulset" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"labels" : { | |
"type" : "object" | |
}, | |
"log" : { | |
"properties" : { | |
"file" : { | |
"properties" : { | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"level" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"logger" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"origin" : { | |
"properties" : { | |
"file" : { | |
"properties" : { | |
"line" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"function" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"syslog" : { | |
"properties" : { | |
"facility" : { | |
"properties" : { | |
"code" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"priority" : { | |
"type" : "long" | |
}, | |
"severity" : { | |
"properties" : { | |
"code" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"message" : { | |
"type" : "text", | |
"norms" : false | |
}, | |
"network" : { | |
"properties" : { | |
"application" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"community_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"direction" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"forwarded_ip" : { | |
"type" : "ip" | |
}, | |
"iana_number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"inner" : { | |
"properties" : { | |
"vlan" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"transport" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vlan" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"observer" : { | |
"properties" : { | |
"egress" : { | |
"properties" : { | |
"interface" : { | |
"properties" : { | |
"alias" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vlan" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hostname" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ingress" : { | |
"properties" : { | |
"interface" : { | |
"properties" : { | |
"alias" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vlan" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"zone" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"serial_number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"organization" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"package" : { | |
"properties" : { | |
"architecture" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"build_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"checksum" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"install_scope" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"installed" : { | |
"type" : "date" | |
}, | |
"license" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"size" : { | |
"type" : "long" | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"pe" : { | |
"properties" : { | |
"company" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original_file_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"process" : { | |
"properties" : { | |
"args" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"args_count" : { | |
"type" : "long" | |
}, | |
"code_signature" : { | |
"properties" : { | |
"exists" : { | |
"type" : "boolean" | |
}, | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trusted" : { | |
"type" : "boolean" | |
}, | |
"valid" : { | |
"type" : "boolean" | |
} | |
} | |
}, | |
"command_line" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"entity_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"executable" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"exit_code" : { | |
"type" : "long" | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"parent" : { | |
"properties" : { | |
"args" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"args_count" : { | |
"type" : "long" | |
}, | |
"code_signature" : { | |
"properties" : { | |
"exists" : { | |
"type" : "boolean" | |
}, | |
"status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"trusted" : { | |
"type" : "boolean" | |
}, | |
"valid" : { | |
"type" : "boolean" | |
} | |
} | |
}, | |
"command_line" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"entity_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"executable" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"exit_code" : { | |
"type" : "long" | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha512" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"pgid" : { | |
"type" : "long" | |
}, | |
"pid" : { | |
"type" : "long" | |
}, | |
"ppid" : { | |
"type" : "long" | |
}, | |
"start" : { | |
"type" : "date" | |
}, | |
"thread" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"title" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"uptime" : { | |
"type" : "long" | |
}, | |
"working_directory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"pe" : { | |
"properties" : { | |
"company" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"file_version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original_file_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"pgid" : { | |
"type" : "long" | |
}, | |
"pid" : { | |
"type" : "long" | |
}, | |
"ppid" : { | |
"type" : "long" | |
}, | |
"start" : { | |
"type" : "date" | |
}, | |
"thread" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"title" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"uptime" : { | |
"type" : "long" | |
}, | |
"working_directory" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"registry" : { | |
"properties" : { | |
"data" : { | |
"properties" : { | |
"bytes" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"strings" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hive" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"key" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"value" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"related" : { | |
"properties" : { | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"user" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"rule" : { | |
"properties" : { | |
"author" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"license" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ruleset" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"uuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"server" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"server-user-hash" : { | |
"type" : "alias", | |
"path" : "server.user.hash" | |
}, | |
"service" : { | |
"properties" : { | |
"ephemeral_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"node" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"state" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"source" : { | |
"properties" : { | |
"address" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"as" : { | |
"properties" : { | |
"number" : { | |
"type" : "long" | |
}, | |
"organization" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"bytes" : { | |
"type" : "long" | |
}, | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"geo" : { | |
"properties" : { | |
"city_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"continent_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"country_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"location" : { | |
"type" : "geo_point" | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_iso_code" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"region_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"ip" : { | |
"type" : "ip" | |
}, | |
"mac" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"nat" : { | |
"properties" : { | |
"ip" : { | |
"type" : "ip" | |
}, | |
"port" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"packets" : { | |
"type" : "long" | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"tags" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"threat" : { | |
"properties" : { | |
"framework" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"tactic" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"technique" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"timeseries" : { | |
"properties" : { | |
"instance" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"timestamp" : { | |
"type" : "alias", | |
"path" : "@timestamp" | |
}, | |
"tls" : { | |
"properties" : { | |
"cipher" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"client" : { | |
"properties" : { | |
"certificate" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"certificate_chain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"issuer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ja3" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"not_after" : { | |
"type" : "date" | |
}, | |
"not_before" : { | |
"type" : "date" | |
}, | |
"server_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"supported_ciphers" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"curve" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"established" : { | |
"type" : "boolean" | |
}, | |
"next_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"resumed" : { | |
"type" : "boolean" | |
}, | |
"server" : { | |
"properties" : { | |
"certificate" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"certificate_chain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"hash" : { | |
"properties" : { | |
"md5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"sha256" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"issuer" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ja3s" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"not_after" : { | |
"type" : "date" | |
}, | |
"not_before" : { | |
"type" : "date" | |
}, | |
"subject" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version_protocol" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"trace" : { | |
"properties" : { | |
"logging" : { | |
"properties" : { | |
"chain" : { | |
"properties" : { | |
"field_latest" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"field_origin" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"field_transit" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"lag_origin" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"site" : { | |
"properties" : { | |
"created" : { | |
"type" : "date" | |
}, | |
"origin" : { | |
"type" : "date" | |
}, | |
"processed" : { | |
"type" : "date" | |
} | |
} | |
} | |
} | |
} | |
} | |
}, | |
"tracing" : { | |
"properties" : { | |
"trace" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"transaction" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
} | |
} | |
}, | |
"url" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"extension" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"fragment" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"password" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"port" : { | |
"type" : "long" | |
}, | |
"query" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"registered_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"scheme" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"top_level_domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"username" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"email" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"group" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"hash" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
} | |
} | |
}, | |
"user_agent" : { | |
"properties" : { | |
"device" : { | |
"properties" : { | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"original" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"os" : { | |
"properties" : { | |
"family" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"full" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"kernel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"platform" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vlan" : { | |
"properties" : { | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"vulnerability" : { | |
"properties" : { | |
"category" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"classification" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024, | |
"fields" : { | |
"text" : { | |
"type" : "text", | |
"norms" : false | |
} | |
} | |
}, | |
"enumeration" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"reference" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"report_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"scanner" : { | |
"properties" : { | |
"vendor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"score" : { | |
"properties" : { | |
"base" : { | |
"type" : "float" | |
}, | |
"environmental" : { | |
"type" : "float" | |
}, | |
"temporal" : { | |
"type" : "float" | |
}, | |
"version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"severity" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"windows-message" : { | |
"type" : "alias", | |
"path" : "event.original" | |
}, | |
"winlog" : { | |
"properties" : { | |
"activity_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"api" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"channel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"computer_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"event_data" : { | |
"properties" : { | |
"AccessList" : { | |
"type" : "keyword" | |
}, | |
"AccessMask" : { | |
"type" : "keyword" | |
}, | |
"AccountDomain" : { | |
"type" : "keyword" | |
}, | |
"AccountName" : { | |
"type" : "keyword" | |
}, | |
"AdditionalInfo" : { | |
"type" : "keyword" | |
}, | |
"AdditionalInfo2" : { | |
"type" : "keyword" | |
}, | |
"AlgorithmName" : { | |
"type" : "keyword" | |
}, | |
"AppPoolID" : { | |
"type" : "keyword" | |
}, | |
"Attributes" : { | |
"type" : "keyword" | |
}, | |
"AuthenticationPackageName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Binary" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"BitlockerUserInputTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"BootMode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"BootType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"BuildVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"CRLNumber" : { | |
"type" : "keyword" | |
}, | |
"CallerProcessId" : { | |
"type" : "keyword" | |
}, | |
"CallerProcessName" : { | |
"type" : "keyword" | |
}, | |
"ClassId" : { | |
"type" : "keyword" | |
}, | |
"ClassName" : { | |
"type" : "keyword" | |
}, | |
"ClientAddress" : { | |
"type" : "keyword" | |
}, | |
"ClientCreationTime" : { | |
"type" : "keyword" | |
}, | |
"ClientName" : { | |
"type" : "keyword" | |
}, | |
"ClientProcessId" : { | |
"type" : "keyword" | |
}, | |
"ClientProcessStartKey" : { | |
"type" : "keyword" | |
}, | |
"CommandLine" : { | |
"type" : "keyword" | |
}, | |
"Company" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"CompatibleIds" : { | |
"type" : "keyword" | |
}, | |
"CorruptionActionState" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"CountOfCredentialsReturned" : { | |
"type" : "keyword" | |
}, | |
"CreationUtcTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DCDNSName" : { | |
"type" : "keyword" | |
}, | |
"Description" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DestinationDRA" : { | |
"type" : "keyword" | |
}, | |
"Detail" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DeviceDescription" : { | |
"type" : "keyword" | |
}, | |
"DeviceId" : { | |
"type" : "keyword" | |
}, | |
"DeviceName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DeviceNameLength" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DeviceTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DeviceVersionMajor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DeviceVersionMinor" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Disposition" : { | |
"type" : "keyword" | |
}, | |
"DriveName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DriverName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DriverNameLength" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"DwordVal" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ElevatedToken" : { | |
"type" : "keyword" | |
}, | |
"EndUSN" : { | |
"type" : "keyword" | |
}, | |
"EntryCount" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"EventCountTotal" : { | |
"type" : "keyword" | |
}, | |
"EventIdx" : { | |
"type" : "keyword" | |
}, | |
"ExtraInfo" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"FQDN" : { | |
"type" : "keyword" | |
}, | |
"FailureName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"FailureNameLength" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"FileVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"FinalStatus" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Group" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"GroupMembership" : { | |
"type" : "keyword" | |
}, | |
"HandleId" : { | |
"type" : "keyword" | |
}, | |
"IdleImplementation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IdleStateCount" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ImpersonationLevel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IntegrityLevel" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IpAddress" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IpPort" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"IsBaseCRL" : { | |
"type" : "keyword" | |
}, | |
"KeyContainer" : { | |
"type" : "keyword" | |
}, | |
"KeyFilePath" : { | |
"type" : "keyword" | |
}, | |
"KeyLength" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"KeyName" : { | |
"type" : "keyword" | |
}, | |
"KeyType" : { | |
"type" : "keyword" | |
}, | |
"LastBootGood" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LastShutdownGood" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LmPackageName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LocationInformation" : { | |
"type" : "keyword" | |
}, | |
"LogonGuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LogonID" : { | |
"type" : "keyword" | |
}, | |
"LogonId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LogonProcessName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"LogonType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MajorVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MandatoryLabel" : { | |
"type" : "keyword" | |
}, | |
"MaximumPerformancePercent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MemberName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MemberSid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MinimumPerformancePercent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MinimumThrottlePercent" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"MinorVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Minutes" : { | |
"type" : "keyword" | |
}, | |
"NamingContext" : { | |
"type" : "keyword" | |
}, | |
"NewProcessId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"NewProcessName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"NewSchemeGuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"NewSd" : { | |
"type" : "keyword" | |
}, | |
"NewTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"NextPublish" : { | |
"type" : "keyword" | |
}, | |
"NominalFrequency" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Number" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ObjectName" : { | |
"type" : "keyword" | |
}, | |
"ObjectServer" : { | |
"type" : "keyword" | |
}, | |
"ObjectType" : { | |
"type" : "keyword" | |
}, | |
"OldSchemeGuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"OldSd" : { | |
"type" : "keyword" | |
}, | |
"OldTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Operation" : { | |
"type" : "keyword" | |
}, | |
"OperationType" : { | |
"type" : "keyword" | |
}, | |
"Options" : { | |
"type" : "keyword" | |
}, | |
"OriginalFileName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PackageName" : { | |
"type" : "keyword" | |
}, | |
"ParentProcessId" : { | |
"type" : "keyword" | |
}, | |
"ParentProcessName" : { | |
"type" : "keyword" | |
}, | |
"Path" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PerformanceImplementation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PolicyModuleDescription" : { | |
"type" : "keyword" | |
}, | |
"PreAuthType" : { | |
"type" : "keyword" | |
}, | |
"PreviousCreationUtcTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PreviousTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PrivilegeList" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ProcessCreationTime" : { | |
"type" : "keyword" | |
}, | |
"ProcessID" : { | |
"type" : "keyword" | |
}, | |
"ProcessId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ProcessName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ProcessPath" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ProcessPid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Product" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ProfileChanged" : { | |
"type" : "keyword" | |
}, | |
"Properties" : { | |
"type" : "keyword" | |
}, | |
"ProviderName" : { | |
"type" : "keyword" | |
}, | |
"PuaCount" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PuaPolicyId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"PublishURLs" : { | |
"type" : "keyword" | |
}, | |
"QfeVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ReadOperation" : { | |
"type" : "keyword" | |
}, | |
"Reason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"RequestId" : { | |
"type" : "keyword" | |
}, | |
"Requester" : { | |
"type" : "keyword" | |
}, | |
"RestrictedAdminMode" : { | |
"type" : "keyword" | |
}, | |
"ReturnCode" : { | |
"type" : "keyword" | |
}, | |
"RpcCallClientLocality" : { | |
"type" : "keyword" | |
}, | |
"RuleId" : { | |
"type" : "keyword" | |
}, | |
"RuleName" : { | |
"type" : "keyword" | |
}, | |
"SchemaVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ScriptBlockText" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SecurityDescriptor" : { | |
"type" : "keyword" | |
}, | |
"Service" : { | |
"type" : "keyword" | |
}, | |
"ServiceAccount" : { | |
"type" : "keyword" | |
}, | |
"ServiceFileName" : { | |
"type" : "keyword" | |
}, | |
"ServiceName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ServiceSid" : { | |
"type" : "keyword" | |
}, | |
"ServiceStartType" : { | |
"type" : "keyword" | |
}, | |
"ServiceType" : { | |
"type" : "keyword" | |
}, | |
"ServiceVersion" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SessionID" : { | |
"type" : "keyword" | |
}, | |
"SessionId" : { | |
"type" : "keyword" | |
}, | |
"SessionName" : { | |
"type" : "keyword" | |
}, | |
"ShareLocalPath" : { | |
"type" : "keyword" | |
}, | |
"ShareName" : { | |
"type" : "keyword" | |
}, | |
"ShutdownActionType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ShutdownEventCode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"ShutdownReason" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Signature" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SignatureStatus" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Signed" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SourceDRA" : { | |
"type" : "keyword" | |
}, | |
"StartTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"StartUSN" : { | |
"type" : "keyword" | |
}, | |
"State" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Status" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"StatusCode" : { | |
"type" : "keyword" | |
}, | |
"StopTime" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Subject" : { | |
"type" : "keyword" | |
}, | |
"SubjectDomainName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SubjectKeyIdentifier" : { | |
"type" : "keyword" | |
}, | |
"SubjectLogonId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SubjectUserName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"SubjectUserSid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TSId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetDomainName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetInfo" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetLinkedLogonId" : { | |
"type" : "keyword" | |
}, | |
"TargetLogonGuid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetLogonId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetName" : { | |
"type" : "keyword" | |
}, | |
"TargetOutboundDomainName" : { | |
"type" : "keyword" | |
}, | |
"TargetOutboundUserName" : { | |
"type" : "keyword" | |
}, | |
"TargetServerName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetSid" : { | |
"type" : "keyword" | |
}, | |
"TargetUserName" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TargetUserSid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TaskContent" : { | |
"type" : "keyword" | |
}, | |
"TaskContentNew" : { | |
"type" : "keyword" | |
}, | |
"TaskName" : { | |
"type" : "keyword" | |
}, | |
"TemplateContent" : { | |
"type" : "keyword" | |
}, | |
"TemplateDSObjectFQDN" : { | |
"type" : "keyword" | |
}, | |
"TemplateInternalName" : { | |
"type" : "keyword" | |
}, | |
"TemplateOID" : { | |
"type" : "keyword" | |
}, | |
"TemplateSchemaVersion" : { | |
"type" : "keyword" | |
}, | |
"TemplateVersion" : { | |
"type" : "keyword" | |
}, | |
"TerminalSessionId" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TicketEncryptionType" : { | |
"type" : "keyword" | |
}, | |
"TicketOptions" : { | |
"type" : "keyword" | |
}, | |
"TimeRemainingToSetLocalClockFreeRunningSeconds" : { | |
"type" : "keyword" | |
}, | |
"TokenElevationType" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"TransmittedServices" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"Type" : { | |
"type" : "keyword" | |
}, | |
"UnsynchronizedTimeSeconds" : { | |
"type" : "keyword" | |
}, | |
"UserSid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"VendorIds" : { | |
"type" : "keyword" | |
}, | |
"Version" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"VirtualAccount" : { | |
"type" : "keyword" | |
}, | |
"WarningMessage" : { | |
"type" : "keyword" | |
}, | |
"Workstation" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"WorkstationName" : { | |
"type" : "keyword" | |
}, | |
"param1" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param10" : { | |
"type" : "keyword" | |
}, | |
"param11" : { | |
"type" : "keyword" | |
}, | |
"param12" : { | |
"type" : "keyword" | |
}, | |
"param13" : { | |
"type" : "keyword" | |
}, | |
"param16" : { | |
"type" : "keyword" | |
}, | |
"param17" : { | |
"type" : "keyword" | |
}, | |
"param19" : { | |
"type" : "keyword" | |
}, | |
"param2" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param20" : { | |
"type" : "keyword" | |
}, | |
"param21" : { | |
"type" : "keyword" | |
}, | |
"param23" : { | |
"type" : "keyword" | |
}, | |
"param3" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param4" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param5" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param6" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param7" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param8" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"param9" : { | |
"type" : "keyword" | |
} | |
} | |
}, | |
"event_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"keywords" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"opcode" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"process" : { | |
"properties" : { | |
"pid" : { | |
"type" : "long" | |
}, | |
"thread" : { | |
"properties" : { | |
"id" : { | |
"type" : "long" | |
} | |
} | |
} | |
} | |
}, | |
"provider_guid" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"provider_name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"record_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"related_activity_id" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"task" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"user" : { | |
"properties" : { | |
"domain" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"identifier" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"name" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
}, | |
"type" : { | |
"type" : "keyword", | |
"ignore_above" : 1024 | |
} | |
} | |
}, | |
"user_data" : { | |
"type" : "object" | |
}, | |
"version" : { | |
"type" : "long" | |
} | |
} | |
}, | |
"winlog-channel" : { | |
"type" : "alias", | |
"path" : "winlog.channel" | |
}, | |
"winlog-computerObject-name" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ObjectName" | |
}, | |
"winlog-computer_name" : { | |
"type" : "alias", | |
"path" : "winlog.computer_name" | |
}, | |
"winlog-event_data-AuthenticationPackageName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.AuthenticationPackageName" | |
}, | |
"winlog-event_data-Company" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Company" | |
}, | |
"winlog-event_data-Description" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Description" | |
}, | |
"winlog-event_data-Detail" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Detail" | |
}, | |
"winlog-event_data-DeviceName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.DeviceName" | |
}, | |
"winlog-event_data-FileVersion" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.FileVersion" | |
}, | |
"winlog-event_data-IntegrityLevel" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.IntegrityLevel" | |
}, | |
"winlog-event_data-IpAddress" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.IpAddress" | |
}, | |
"winlog-event_data-KeyLength" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.KeyLength" | |
}, | |
"winlog-event_data-LogonId" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.LogonId" | |
}, | |
"winlog-event_data-LogonProcessName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.LogonProcessName" | |
}, | |
"winlog-event_data-LogonType" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.LogonType" | |
}, | |
"winlog-event_data-OriginalFileName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.OriginalFileName" | |
}, | |
"winlog-event_data-Path" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Path" | |
}, | |
"winlog-event_data-PrivilegeList" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.PrivilegeList" | |
}, | |
"winlog-event_data-ProcessId" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ProcessId" | |
}, | |
"winlog-event_data-ProcessName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ProcessName" | |
}, | |
"winlog-event_data-ProcessPath" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ProcessPath" | |
}, | |
"winlog-event_data-Product" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Product" | |
}, | |
"winlog-event_data-ScriptBlockText" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ScriptBlockText" | |
}, | |
"winlog-event_data-ServiceName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.ServiceName" | |
}, | |
"winlog-event_data-Signed" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Signed" | |
}, | |
"winlog-event_data-State" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.State" | |
}, | |
"winlog-event_data-Status" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Status" | |
}, | |
"winlog-event_data-SubjectDomainName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.SubjectDomainName" | |
}, | |
"winlog-event_data-SubjectLogonId" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.SubjectLogonId" | |
}, | |
"winlog-event_data-SubjectUserName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.SubjectUserName" | |
}, | |
"winlog-event_data-SubjectUserSid" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.SubjectUserSid" | |
}, | |
"winlog-event_data-TargetLogonId" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.TargetLogonId" | |
}, | |
"winlog-event_data-TargetServerName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.TargetServerName" | |
}, | |
"winlog-event_data-TargetUserName" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.TargetUserName" | |
}, | |
"winlog-event_data-TargetUserSid" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.TargetUserSid" | |
}, | |
"winlog-event_data-Workstation" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.Workstation" | |
}, | |
"winlog-event_data-param1" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.param1" | |
}, | |
"winlog-event_data-param2" : { | |
"type" : "alias", | |
"path" : "winlog.event_data.param2" | |
}, | |
"winlog-event_id" : { | |
"type" : "alias", | |
"path" : "winlog.event_id" | |
}, | |
"winlog-keywords" : { | |
"type" : "alias", | |
"path" : "winlog.keywords" | |
}, | |
"winlog-provider_name" : { | |
"type" : "alias", | |
"path" : "winlog.provider_name" | |
}, | |
"winlog-task" : { | |
"type" : "alias", | |
"path" : "winlog.task" | |
}, | |
"winlog-user-name" : { | |
"type" : "alias", | |
"path" : "winlog.user.name" | |
}, | |
"winlog-user-type" : { | |
"type" : "alias", | |
"path" : "winlog.user.type" | |
} | |
} | |
} | |
} | |
} |