Created
March 21, 2023 14:02
-
-
Save nielsek/7b6ec233a1df229711054d1c4d08524c to your computer and use it in GitHub Desktop.
winlogbeat mapping
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "logstash-master-winlogbeat-rollover-000001" : { | |
| "mappings" : { | |
| "_meta" : { | |
| "beat" : "winlogbeat", | |
| "version" : "7.9.1" | |
| }, | |
| "dynamic_templates" : [ | |
| { | |
| "labels" : { | |
| "path_match" : "labels.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "container.labels" : { | |
| "path_match" : "container.labels.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "dns.answers" : { | |
| "path_match" : "dns.answers.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "log.syslog" : { | |
| "path_match" : "log.syslog.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "network.inner" : { | |
| "path_match" : "network.inner.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "observer.egress" : { | |
| "path_match" : "observer.egress.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "observer.ingress" : { | |
| "path_match" : "observer.ingress.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "fields" : { | |
| "path_match" : "fields.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "docker.container.labels" : { | |
| "path_match" : "docker.container.labels.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "kubernetes.labels.*" : { | |
| "path_match" : "kubernetes.labels.*", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "kubernetes.annotations.*" : { | |
| "path_match" : "kubernetes.annotations.*", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "winlog.event_data" : { | |
| "path_match" : "winlog.event_data.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "winlog.user_data" : { | |
| "path_match" : "winlog.user_data.*", | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| { | |
| "strings_as_keyword" : { | |
| "match_mapping_type" : "string", | |
| "mapping" : { | |
| "ignore_above" : 1024, | |
| "type" : "keyword" | |
| } | |
| } | |
| } | |
| ], | |
| "date_detection" : false, | |
| "properties" : { | |
| "@timestamp" : { | |
| "type" : "date" | |
| }, | |
| "@version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "agent" : { | |
| "properties" : { | |
| "ephemeral_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "hostname" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "as" : { | |
| "properties" : { | |
| "number" : { | |
| "type" : "long" | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "client" : { | |
| "properties" : { | |
| "address" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "as" : { | |
| "properties" : { | |
| "number" : { | |
| "type" : "long" | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "nat" : { | |
| "properties" : { | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "packets" : { | |
| "type" : "long" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "cloud" : { | |
| "properties" : { | |
| "account" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "availability_zone" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "image" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "instance" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "machine" : { | |
| "properties" : { | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "project" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "provider" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "code_signature" : { | |
| "properties" : { | |
| "exists" : { | |
| "type" : "boolean" | |
| }, | |
| "status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "trusted" : { | |
| "type" : "boolean" | |
| }, | |
| "valid" : { | |
| "type" : "boolean" | |
| } | |
| } | |
| }, | |
| "container" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "image" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "tag" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "labels" : { | |
| "type" : "object" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "runtime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "destination" : { | |
| "properties" : { | |
| "address" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "as" : { | |
| "properties" : { | |
| "number" : { | |
| "type" : "long" | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "nat" : { | |
| "properties" : { | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "packets" : { | |
| "type" : "long" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "dll" : { | |
| "properties" : { | |
| "code_signature" : { | |
| "properties" : { | |
| "exists" : { | |
| "type" : "boolean" | |
| }, | |
| "status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "trusted" : { | |
| "type" : "boolean" | |
| }, | |
| "valid" : { | |
| "type" : "boolean" | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha512" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "pe" : { | |
| "properties" : { | |
| "company" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "file_version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original_file_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "dns" : { | |
| "properties" : { | |
| "answers" : { | |
| "properties" : { | |
| "class" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "data" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ttl" : { | |
| "type" : "long" | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "header_flags" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "op_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "question" : { | |
| "properties" : { | |
| "class" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subdomain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "resolved_ip" : { | |
| "type" : "ip" | |
| }, | |
| "response_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "docker" : { | |
| "properties" : { | |
| "container" : { | |
| "properties" : { | |
| "labels" : { | |
| "type" : "object" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "ecs" : { | |
| "properties" : { | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "error" : { | |
| "properties" : { | |
| "code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "message" : { | |
| "type" : "text", | |
| "norms" : false | |
| }, | |
| "stack_trace" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "event" : { | |
| "properties" : { | |
| "action" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "category" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "created" : { | |
| "type" : "date" | |
| }, | |
| "dataset" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "duration" : { | |
| "type" : "long" | |
| }, | |
| "end" : { | |
| "type" : "date" | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ingested" : { | |
| "type" : "date" | |
| }, | |
| "kind" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "module" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "outcome" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "provider" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "risk_score" : { | |
| "type" : "float" | |
| }, | |
| "risk_score_norm" : { | |
| "type" : "float" | |
| }, | |
| "sequence" : { | |
| "type" : "long" | |
| }, | |
| "severity" : { | |
| "type" : "long" | |
| }, | |
| "start" : { | |
| "type" : "date" | |
| }, | |
| "timezone" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "url" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "fields" : { | |
| "type" : "object" | |
| }, | |
| "file" : { | |
| "properties" : { | |
| "accessed" : { | |
| "type" : "date" | |
| }, | |
| "attributes" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "code_signature" : { | |
| "properties" : { | |
| "exists" : { | |
| "type" : "boolean" | |
| }, | |
| "status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "trusted" : { | |
| "type" : "boolean" | |
| }, | |
| "valid" : { | |
| "type" : "boolean" | |
| } | |
| } | |
| }, | |
| "created" : { | |
| "type" : "date" | |
| }, | |
| "ctime" : { | |
| "type" : "date" | |
| }, | |
| "device" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "directory" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "drive_letter" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1 | |
| }, | |
| "extension" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "gid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "group" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha512" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "inode" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "mime_type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "mode" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "mtime" : { | |
| "type" : "date" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "owner" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "pe" : { | |
| "properties" : { | |
| "company" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "file_version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original_file_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "size" : { | |
| "type" : "long" | |
| }, | |
| "target_path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "uid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha512" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "host" : { | |
| "properties" : { | |
| "architecture" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "containerized" : { | |
| "type" : "boolean" | |
| }, | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hostname" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "os" : { | |
| "properties" : { | |
| "build" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "codename" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "family" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "kernel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "platform" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "uptime" : { | |
| "type" : "long" | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "host-hostname" : { | |
| "type" : "alias", | |
| "path" : "host.hostname" | |
| }, | |
| "http" : { | |
| "properties" : { | |
| "request" : { | |
| "properties" : { | |
| "body" : { | |
| "properties" : { | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "content" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "method" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "referrer" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "response" : { | |
| "properties" : { | |
| "body" : { | |
| "properties" : { | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "content" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "status_code" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "interface" : { | |
| "properties" : { | |
| "alias" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "jolokia" : { | |
| "properties" : { | |
| "agent" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "secured" : { | |
| "type" : "boolean" | |
| }, | |
| "server" : { | |
| "properties" : { | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "vendor" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "url" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "kubernetes" : { | |
| "properties" : { | |
| "annotations" : { | |
| "properties" : { | |
| "*" : { | |
| "type" : "object" | |
| } | |
| } | |
| }, | |
| "container" : { | |
| "properties" : { | |
| "image" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "deployment" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "labels" : { | |
| "properties" : { | |
| "*" : { | |
| "type" : "object" | |
| } | |
| } | |
| }, | |
| "namespace" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "node" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "pod" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "uid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "replicaset" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "statefulset" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "labels" : { | |
| "type" : "object" | |
| }, | |
| "log" : { | |
| "properties" : { | |
| "file" : { | |
| "properties" : { | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "level" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "logger" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "origin" : { | |
| "properties" : { | |
| "file" : { | |
| "properties" : { | |
| "line" : { | |
| "type" : "long" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "function" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "original" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "syslog" : { | |
| "properties" : { | |
| "facility" : { | |
| "properties" : { | |
| "code" : { | |
| "type" : "long" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "priority" : { | |
| "type" : "long" | |
| }, | |
| "severity" : { | |
| "properties" : { | |
| "code" : { | |
| "type" : "long" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "message" : { | |
| "type" : "text", | |
| "norms" : false | |
| }, | |
| "network" : { | |
| "properties" : { | |
| "application" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "community_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "direction" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "forwarded_ip" : { | |
| "type" : "ip" | |
| }, | |
| "iana_number" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "inner" : { | |
| "properties" : { | |
| "vlan" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "packets" : { | |
| "type" : "long" | |
| }, | |
| "protocol" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "transport" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "vlan" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "observer" : { | |
| "properties" : { | |
| "egress" : { | |
| "properties" : { | |
| "interface" : { | |
| "properties" : { | |
| "alias" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "vlan" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "zone" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hostname" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ingress" : { | |
| "properties" : { | |
| "interface" : { | |
| "properties" : { | |
| "alias" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "vlan" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "zone" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "os" : { | |
| "properties" : { | |
| "family" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "kernel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "platform" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "serial_number" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "vendor" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "os" : { | |
| "properties" : { | |
| "family" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "kernel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "platform" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "package" : { | |
| "properties" : { | |
| "architecture" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "build_version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "checksum" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "install_scope" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "installed" : { | |
| "type" : "date" | |
| }, | |
| "license" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "size" : { | |
| "type" : "long" | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "pe" : { | |
| "properties" : { | |
| "company" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "file_version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original_file_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "process" : { | |
| "properties" : { | |
| "args" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "args_count" : { | |
| "type" : "long" | |
| }, | |
| "code_signature" : { | |
| "properties" : { | |
| "exists" : { | |
| "type" : "boolean" | |
| }, | |
| "status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "trusted" : { | |
| "type" : "boolean" | |
| }, | |
| "valid" : { | |
| "type" : "boolean" | |
| } | |
| } | |
| }, | |
| "command_line" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "entity_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "executable" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "exit_code" : { | |
| "type" : "long" | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha512" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "parent" : { | |
| "properties" : { | |
| "args" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "args_count" : { | |
| "type" : "long" | |
| }, | |
| "code_signature" : { | |
| "properties" : { | |
| "exists" : { | |
| "type" : "boolean" | |
| }, | |
| "status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "trusted" : { | |
| "type" : "boolean" | |
| }, | |
| "valid" : { | |
| "type" : "boolean" | |
| } | |
| } | |
| }, | |
| "command_line" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "entity_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "executable" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "exit_code" : { | |
| "type" : "long" | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha512" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "pgid" : { | |
| "type" : "long" | |
| }, | |
| "pid" : { | |
| "type" : "long" | |
| }, | |
| "ppid" : { | |
| "type" : "long" | |
| }, | |
| "start" : { | |
| "type" : "date" | |
| }, | |
| "thread" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "long" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "title" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "uptime" : { | |
| "type" : "long" | |
| }, | |
| "working_directory" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "pe" : { | |
| "properties" : { | |
| "company" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "file_version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original_file_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "pgid" : { | |
| "type" : "long" | |
| }, | |
| "pid" : { | |
| "type" : "long" | |
| }, | |
| "ppid" : { | |
| "type" : "long" | |
| }, | |
| "start" : { | |
| "type" : "date" | |
| }, | |
| "thread" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "long" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "title" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "uptime" : { | |
| "type" : "long" | |
| }, | |
| "working_directory" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "registry" : { | |
| "properties" : { | |
| "data" : { | |
| "properties" : { | |
| "bytes" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "strings" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hive" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "key" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "value" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "related" : { | |
| "properties" : { | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "user" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "rule" : { | |
| "properties" : { | |
| "author" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "category" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "license" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ruleset" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "uuid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "server" : { | |
| "properties" : { | |
| "address" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "as" : { | |
| "properties" : { | |
| "number" : { | |
| "type" : "long" | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "nat" : { | |
| "properties" : { | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "packets" : { | |
| "type" : "long" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "server-user-hash" : { | |
| "type" : "alias", | |
| "path" : "server.user.hash" | |
| }, | |
| "service" : { | |
| "properties" : { | |
| "ephemeral_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "node" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "state" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "source" : { | |
| "properties" : { | |
| "address" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "as" : { | |
| "properties" : { | |
| "number" : { | |
| "type" : "long" | |
| }, | |
| "organization" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "bytes" : { | |
| "type" : "long" | |
| }, | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "geo" : { | |
| "properties" : { | |
| "city_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "continent_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "country_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "location" : { | |
| "type" : "geo_point" | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_iso_code" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "region_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "mac" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "nat" : { | |
| "properties" : { | |
| "ip" : { | |
| "type" : "ip" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "packets" : { | |
| "type" : "long" | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "tags" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "threat" : { | |
| "properties" : { | |
| "framework" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "tactic" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "technique" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "timeseries" : { | |
| "properties" : { | |
| "instance" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "timestamp" : { | |
| "type" : "alias", | |
| "path" : "@timestamp" | |
| }, | |
| "tls" : { | |
| "properties" : { | |
| "cipher" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "client" : { | |
| "properties" : { | |
| "certificate" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "certificate_chain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "issuer" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ja3" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "not_after" : { | |
| "type" : "date" | |
| }, | |
| "not_before" : { | |
| "type" : "date" | |
| }, | |
| "server_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "subject" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "supported_ciphers" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "curve" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "established" : { | |
| "type" : "boolean" | |
| }, | |
| "next_protocol" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "resumed" : { | |
| "type" : "boolean" | |
| }, | |
| "server" : { | |
| "properties" : { | |
| "certificate" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "certificate_chain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "hash" : { | |
| "properties" : { | |
| "md5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "sha256" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "issuer" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ja3s" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "not_after" : { | |
| "type" : "date" | |
| }, | |
| "not_before" : { | |
| "type" : "date" | |
| }, | |
| "subject" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version_protocol" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "trace" : { | |
| "properties" : { | |
| "logging" : { | |
| "properties" : { | |
| "chain" : { | |
| "properties" : { | |
| "field_latest" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "field_origin" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "field_transit" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "lag_origin" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "site" : { | |
| "properties" : { | |
| "created" : { | |
| "type" : "date" | |
| }, | |
| "origin" : { | |
| "type" : "date" | |
| }, | |
| "processed" : { | |
| "type" : "date" | |
| } | |
| } | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "tracing" : { | |
| "properties" : { | |
| "trace" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "transaction" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "url" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "extension" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "fragment" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "original" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "password" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "port" : { | |
| "type" : "long" | |
| }, | |
| "query" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "registered_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "scheme" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "top_level_domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "username" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "email" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "group" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "hash" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "user_agent" : { | |
| "properties" : { | |
| "device" : { | |
| "properties" : { | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "original" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "os" : { | |
| "properties" : { | |
| "family" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "full" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "kernel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "platform" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "vlan" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "vulnerability" : { | |
| "properties" : { | |
| "category" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "classification" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024, | |
| "fields" : { | |
| "text" : { | |
| "type" : "text", | |
| "norms" : false | |
| } | |
| } | |
| }, | |
| "enumeration" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "reference" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "report_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "scanner" : { | |
| "properties" : { | |
| "vendor" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "score" : { | |
| "properties" : { | |
| "base" : { | |
| "type" : "float" | |
| }, | |
| "environmental" : { | |
| "type" : "float" | |
| }, | |
| "temporal" : { | |
| "type" : "float" | |
| }, | |
| "version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "severity" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "windows-message" : { | |
| "type" : "alias", | |
| "path" : "event.original" | |
| }, | |
| "winlog" : { | |
| "properties" : { | |
| "activity_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "api" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "channel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "computer_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "event_data" : { | |
| "properties" : { | |
| "AccessList" : { | |
| "type" : "keyword" | |
| }, | |
| "AccessMask" : { | |
| "type" : "keyword" | |
| }, | |
| "AccountDomain" : { | |
| "type" : "keyword" | |
| }, | |
| "AccountName" : { | |
| "type" : "keyword" | |
| }, | |
| "AdditionalInfo" : { | |
| "type" : "keyword" | |
| }, | |
| "AdditionalInfo2" : { | |
| "type" : "keyword" | |
| }, | |
| "AlgorithmName" : { | |
| "type" : "keyword" | |
| }, | |
| "AppPoolID" : { | |
| "type" : "keyword" | |
| }, | |
| "Attributes" : { | |
| "type" : "keyword" | |
| }, | |
| "AuthenticationPackageName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Binary" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "BitlockerUserInputTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "BootMode" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "BootType" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "BuildVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "CRLNumber" : { | |
| "type" : "keyword" | |
| }, | |
| "CallerProcessId" : { | |
| "type" : "keyword" | |
| }, | |
| "CallerProcessName" : { | |
| "type" : "keyword" | |
| }, | |
| "ClassId" : { | |
| "type" : "keyword" | |
| }, | |
| "ClassName" : { | |
| "type" : "keyword" | |
| }, | |
| "ClientAddress" : { | |
| "type" : "keyword" | |
| }, | |
| "ClientCreationTime" : { | |
| "type" : "keyword" | |
| }, | |
| "ClientName" : { | |
| "type" : "keyword" | |
| }, | |
| "ClientProcessId" : { | |
| "type" : "keyword" | |
| }, | |
| "ClientProcessStartKey" : { | |
| "type" : "keyword" | |
| }, | |
| "CommandLine" : { | |
| "type" : "keyword" | |
| }, | |
| "Company" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "CompatibleIds" : { | |
| "type" : "keyword" | |
| }, | |
| "CorruptionActionState" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "CountOfCredentialsReturned" : { | |
| "type" : "keyword" | |
| }, | |
| "CreationUtcTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DCDNSName" : { | |
| "type" : "keyword" | |
| }, | |
| "Description" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DestinationDRA" : { | |
| "type" : "keyword" | |
| }, | |
| "Detail" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DeviceDescription" : { | |
| "type" : "keyword" | |
| }, | |
| "DeviceId" : { | |
| "type" : "keyword" | |
| }, | |
| "DeviceName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DeviceNameLength" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DeviceTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DeviceVersionMajor" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DeviceVersionMinor" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Disposition" : { | |
| "type" : "keyword" | |
| }, | |
| "DriveName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DriverName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DriverNameLength" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "DwordVal" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ElevatedToken" : { | |
| "type" : "keyword" | |
| }, | |
| "EndUSN" : { | |
| "type" : "keyword" | |
| }, | |
| "EntryCount" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "EventCountTotal" : { | |
| "type" : "keyword" | |
| }, | |
| "EventIdx" : { | |
| "type" : "keyword" | |
| }, | |
| "ExtraInfo" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "FQDN" : { | |
| "type" : "keyword" | |
| }, | |
| "FailureName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "FailureNameLength" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "FileVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "FinalStatus" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Group" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "GroupMembership" : { | |
| "type" : "keyword" | |
| }, | |
| "HandleId" : { | |
| "type" : "keyword" | |
| }, | |
| "IdleImplementation" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "IdleStateCount" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ImpersonationLevel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "IntegrityLevel" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "IpAddress" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "IpPort" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "IsBaseCRL" : { | |
| "type" : "keyword" | |
| }, | |
| "KeyContainer" : { | |
| "type" : "keyword" | |
| }, | |
| "KeyFilePath" : { | |
| "type" : "keyword" | |
| }, | |
| "KeyLength" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "KeyName" : { | |
| "type" : "keyword" | |
| }, | |
| "KeyType" : { | |
| "type" : "keyword" | |
| }, | |
| "LastBootGood" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LastShutdownGood" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LmPackageName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LocationInformation" : { | |
| "type" : "keyword" | |
| }, | |
| "LogonGuid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LogonID" : { | |
| "type" : "keyword" | |
| }, | |
| "LogonId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LogonProcessName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "LogonType" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MajorVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MandatoryLabel" : { | |
| "type" : "keyword" | |
| }, | |
| "MaximumPerformancePercent" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MemberName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MemberSid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MinimumPerformancePercent" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MinimumThrottlePercent" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "MinorVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Minutes" : { | |
| "type" : "keyword" | |
| }, | |
| "NamingContext" : { | |
| "type" : "keyword" | |
| }, | |
| "NewProcessId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "NewProcessName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "NewSchemeGuid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "NewSd" : { | |
| "type" : "keyword" | |
| }, | |
| "NewTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "NextPublish" : { | |
| "type" : "keyword" | |
| }, | |
| "NominalFrequency" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Number" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ObjectName" : { | |
| "type" : "keyword" | |
| }, | |
| "ObjectServer" : { | |
| "type" : "keyword" | |
| }, | |
| "ObjectType" : { | |
| "type" : "keyword" | |
| }, | |
| "OldSchemeGuid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "OldSd" : { | |
| "type" : "keyword" | |
| }, | |
| "OldTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Operation" : { | |
| "type" : "keyword" | |
| }, | |
| "OperationType" : { | |
| "type" : "keyword" | |
| }, | |
| "Options" : { | |
| "type" : "keyword" | |
| }, | |
| "OriginalFileName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PackageName" : { | |
| "type" : "keyword" | |
| }, | |
| "ParentProcessId" : { | |
| "type" : "keyword" | |
| }, | |
| "ParentProcessName" : { | |
| "type" : "keyword" | |
| }, | |
| "Path" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PerformanceImplementation" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PolicyModuleDescription" : { | |
| "type" : "keyword" | |
| }, | |
| "PreAuthType" : { | |
| "type" : "keyword" | |
| }, | |
| "PreviousCreationUtcTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PreviousTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PrivilegeList" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ProcessCreationTime" : { | |
| "type" : "keyword" | |
| }, | |
| "ProcessID" : { | |
| "type" : "keyword" | |
| }, | |
| "ProcessId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ProcessName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ProcessPath" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ProcessPid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Product" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ProfileChanged" : { | |
| "type" : "keyword" | |
| }, | |
| "Properties" : { | |
| "type" : "keyword" | |
| }, | |
| "ProviderName" : { | |
| "type" : "keyword" | |
| }, | |
| "PuaCount" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PuaPolicyId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "PublishURLs" : { | |
| "type" : "keyword" | |
| }, | |
| "QfeVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ReadOperation" : { | |
| "type" : "keyword" | |
| }, | |
| "Reason" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "RequestId" : { | |
| "type" : "keyword" | |
| }, | |
| "Requester" : { | |
| "type" : "keyword" | |
| }, | |
| "RestrictedAdminMode" : { | |
| "type" : "keyword" | |
| }, | |
| "ReturnCode" : { | |
| "type" : "keyword" | |
| }, | |
| "RpcCallClientLocality" : { | |
| "type" : "keyword" | |
| }, | |
| "RuleId" : { | |
| "type" : "keyword" | |
| }, | |
| "RuleName" : { | |
| "type" : "keyword" | |
| }, | |
| "SchemaVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ScriptBlockText" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SecurityDescriptor" : { | |
| "type" : "keyword" | |
| }, | |
| "Service" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceAccount" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceFileName" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ServiceSid" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceStartType" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceType" : { | |
| "type" : "keyword" | |
| }, | |
| "ServiceVersion" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SessionID" : { | |
| "type" : "keyword" | |
| }, | |
| "SessionId" : { | |
| "type" : "keyword" | |
| }, | |
| "SessionName" : { | |
| "type" : "keyword" | |
| }, | |
| "ShareLocalPath" : { | |
| "type" : "keyword" | |
| }, | |
| "ShareName" : { | |
| "type" : "keyword" | |
| }, | |
| "ShutdownActionType" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ShutdownEventCode" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "ShutdownReason" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Signature" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SignatureStatus" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Signed" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SourceDRA" : { | |
| "type" : "keyword" | |
| }, | |
| "StartTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "StartUSN" : { | |
| "type" : "keyword" | |
| }, | |
| "State" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Status" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "StatusCode" : { | |
| "type" : "keyword" | |
| }, | |
| "StopTime" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Subject" : { | |
| "type" : "keyword" | |
| }, | |
| "SubjectDomainName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SubjectKeyIdentifier" : { | |
| "type" : "keyword" | |
| }, | |
| "SubjectLogonId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SubjectUserName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "SubjectUserSid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TSId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetDomainName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetInfo" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetLinkedLogonId" : { | |
| "type" : "keyword" | |
| }, | |
| "TargetLogonGuid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetLogonId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetName" : { | |
| "type" : "keyword" | |
| }, | |
| "TargetOutboundDomainName" : { | |
| "type" : "keyword" | |
| }, | |
| "TargetOutboundUserName" : { | |
| "type" : "keyword" | |
| }, | |
| "TargetServerName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetSid" : { | |
| "type" : "keyword" | |
| }, | |
| "TargetUserName" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TargetUserSid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TaskContent" : { | |
| "type" : "keyword" | |
| }, | |
| "TaskContentNew" : { | |
| "type" : "keyword" | |
| }, | |
| "TaskName" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateContent" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateDSObjectFQDN" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateInternalName" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateOID" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateSchemaVersion" : { | |
| "type" : "keyword" | |
| }, | |
| "TemplateVersion" : { | |
| "type" : "keyword" | |
| }, | |
| "TerminalSessionId" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TicketEncryptionType" : { | |
| "type" : "keyword" | |
| }, | |
| "TicketOptions" : { | |
| "type" : "keyword" | |
| }, | |
| "TimeRemainingToSetLocalClockFreeRunningSeconds" : { | |
| "type" : "keyword" | |
| }, | |
| "TokenElevationType" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "TransmittedServices" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "Type" : { | |
| "type" : "keyword" | |
| }, | |
| "UnsynchronizedTimeSeconds" : { | |
| "type" : "keyword" | |
| }, | |
| "UserSid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "VendorIds" : { | |
| "type" : "keyword" | |
| }, | |
| "Version" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "VirtualAccount" : { | |
| "type" : "keyword" | |
| }, | |
| "WarningMessage" : { | |
| "type" : "keyword" | |
| }, | |
| "Workstation" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "WorkstationName" : { | |
| "type" : "keyword" | |
| }, | |
| "param1" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param10" : { | |
| "type" : "keyword" | |
| }, | |
| "param11" : { | |
| "type" : "keyword" | |
| }, | |
| "param12" : { | |
| "type" : "keyword" | |
| }, | |
| "param13" : { | |
| "type" : "keyword" | |
| }, | |
| "param16" : { | |
| "type" : "keyword" | |
| }, | |
| "param17" : { | |
| "type" : "keyword" | |
| }, | |
| "param19" : { | |
| "type" : "keyword" | |
| }, | |
| "param2" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param20" : { | |
| "type" : "keyword" | |
| }, | |
| "param21" : { | |
| "type" : "keyword" | |
| }, | |
| "param23" : { | |
| "type" : "keyword" | |
| }, | |
| "param3" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param4" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param5" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param6" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param7" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param8" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "param9" : { | |
| "type" : "keyword" | |
| } | |
| } | |
| }, | |
| "event_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "keywords" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "opcode" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "process" : { | |
| "properties" : { | |
| "pid" : { | |
| "type" : "long" | |
| }, | |
| "thread" : { | |
| "properties" : { | |
| "id" : { | |
| "type" : "long" | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "provider_guid" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "provider_name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "record_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "related_activity_id" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "task" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "user" : { | |
| "properties" : { | |
| "domain" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "identifier" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "name" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| }, | |
| "type" : { | |
| "type" : "keyword", | |
| "ignore_above" : 1024 | |
| } | |
| } | |
| }, | |
| "user_data" : { | |
| "type" : "object" | |
| }, | |
| "version" : { | |
| "type" : "long" | |
| } | |
| } | |
| }, | |
| "winlog-channel" : { | |
| "type" : "alias", | |
| "path" : "winlog.channel" | |
| }, | |
| "winlog-computerObject-name" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ObjectName" | |
| }, | |
| "winlog-computer_name" : { | |
| "type" : "alias", | |
| "path" : "winlog.computer_name" | |
| }, | |
| "winlog-event_data-AuthenticationPackageName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.AuthenticationPackageName" | |
| }, | |
| "winlog-event_data-Company" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Company" | |
| }, | |
| "winlog-event_data-Description" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Description" | |
| }, | |
| "winlog-event_data-Detail" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Detail" | |
| }, | |
| "winlog-event_data-DeviceName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.DeviceName" | |
| }, | |
| "winlog-event_data-FileVersion" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.FileVersion" | |
| }, | |
| "winlog-event_data-IntegrityLevel" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.IntegrityLevel" | |
| }, | |
| "winlog-event_data-IpAddress" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.IpAddress" | |
| }, | |
| "winlog-event_data-KeyLength" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.KeyLength" | |
| }, | |
| "winlog-event_data-LogonId" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.LogonId" | |
| }, | |
| "winlog-event_data-LogonProcessName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.LogonProcessName" | |
| }, | |
| "winlog-event_data-LogonType" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.LogonType" | |
| }, | |
| "winlog-event_data-OriginalFileName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.OriginalFileName" | |
| }, | |
| "winlog-event_data-Path" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Path" | |
| }, | |
| "winlog-event_data-PrivilegeList" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.PrivilegeList" | |
| }, | |
| "winlog-event_data-ProcessId" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ProcessId" | |
| }, | |
| "winlog-event_data-ProcessName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ProcessName" | |
| }, | |
| "winlog-event_data-ProcessPath" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ProcessPath" | |
| }, | |
| "winlog-event_data-Product" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Product" | |
| }, | |
| "winlog-event_data-ScriptBlockText" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ScriptBlockText" | |
| }, | |
| "winlog-event_data-ServiceName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.ServiceName" | |
| }, | |
| "winlog-event_data-Signed" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Signed" | |
| }, | |
| "winlog-event_data-State" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.State" | |
| }, | |
| "winlog-event_data-Status" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Status" | |
| }, | |
| "winlog-event_data-SubjectDomainName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.SubjectDomainName" | |
| }, | |
| "winlog-event_data-SubjectLogonId" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.SubjectLogonId" | |
| }, | |
| "winlog-event_data-SubjectUserName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.SubjectUserName" | |
| }, | |
| "winlog-event_data-SubjectUserSid" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.SubjectUserSid" | |
| }, | |
| "winlog-event_data-TargetLogonId" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.TargetLogonId" | |
| }, | |
| "winlog-event_data-TargetServerName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.TargetServerName" | |
| }, | |
| "winlog-event_data-TargetUserName" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.TargetUserName" | |
| }, | |
| "winlog-event_data-TargetUserSid" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.TargetUserSid" | |
| }, | |
| "winlog-event_data-Workstation" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.Workstation" | |
| }, | |
| "winlog-event_data-param1" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.param1" | |
| }, | |
| "winlog-event_data-param2" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_data.param2" | |
| }, | |
| "winlog-event_id" : { | |
| "type" : "alias", | |
| "path" : "winlog.event_id" | |
| }, | |
| "winlog-keywords" : { | |
| "type" : "alias", | |
| "path" : "winlog.keywords" | |
| }, | |
| "winlog-provider_name" : { | |
| "type" : "alias", | |
| "path" : "winlog.provider_name" | |
| }, | |
| "winlog-task" : { | |
| "type" : "alias", | |
| "path" : "winlog.task" | |
| }, | |
| "winlog-user-name" : { | |
| "type" : "alias", | |
| "path" : "winlog.user.name" | |
| }, | |
| "winlog-user-type" : { | |
| "type" : "alias", | |
| "path" : "winlog.user.type" | |
| } | |
| } | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment