
@zorteran
Created February 13, 2022 17:22
CERT Polska Elasticsearch index template
// PUT _index_template/threatintel-cert_pl
// Request line for the Kibana Dev Tools console; the JSON object that follows is the request body.
// When sending with curl or another strict-JSON client, send only the object below — `//` comments are not valid JSON.
// The template applies to indices matching "threatintel-cert_pl-*" at priority 150, so a higher-priority template with an overlapping pattern would take precedence.
// Note that keyword/wildcard fields (including threat.indicator.url.full and any string caught by the strings_as_keyword dynamic template) use ignore_above 1024: values longer than that are kept in _source but are not indexed and will not match searches.
{
"index_patterns": [
"threatintel-cert_pl-*"
],
"template": {
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "10000"
}
},
"refresh_interval": "5s",
"number_of_shards": "1",
"max_docvalue_fields_search": "200"
}
},
"mappings": {
"_meta": {
"beat": "filebeat",
"version": "8.0.0"
},
"dynamic_templates": [
{
"labels": {
"path_match": "labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"container.labels": {
"path_match": "container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"fields": {
"path_match": "fields.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"docker.container.labels": {
"path_match": "docker.container.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"kubernetes.labels.*": {
"path_match": "kubernetes.labels.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kubernetes.annotations.*": {
"path_match": "kubernetes.annotations.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kubernetes.selectors.*": {
"path_match": "kubernetes.selectors.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"docker.attrs": {
"path_match": "docker.attrs.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"azure.activitylogs.identity.claims.*": {
"path_match": "azure.activitylogs.identity.claims.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "*"
}
},
{
"kibana.log.meta": {
"path_match": "kibana.log.meta.*",
"mapping": {
"type": "keyword"
},
"match_mapping_type": "string"
}
},
{
"strings_as_keyword": {
"mapping": {
"ignore_above": 1024,
"type": "keyword"
},
"match_mapping_type": "string"
}
}
],
"date_detection": false,
"properties": {
"input": {
"type": "object",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"logstash": {
"type": "object",
"properties": {
"log": {
"type": "object",
"properties": {
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"pipeline_id": {
"ignore_above": 1024,
"type": "keyword"
},
"log_event": {
"type": "object",
"properties": {
"action": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"thread": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
}
}
},
"slowlog": {
"type": "object",
"properties": {
"took_in_millis": {
"type": "long"
},
"plugin_params": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_type": {
"ignore_above": 1024,
"type": "keyword"
},
"plugin_params_object": {
"type": "object"
},
"thread": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"event": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"norms": false,
"type": "text"
}
}
},
"plugin_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"metadata": {
"type": "flattened"
},
"@timestamp": {
"type": "date"
},
"ecs": {
"type": "object",
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"type": "object",
"properties": {
"hosts": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"threat": {
"type": "object",
"properties": {
"indicator": {
"type": "object",
"properties": {
"registry": {
"type": "object",
"properties": {
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"type": "object",
"properties": {
"strings": {
"ignore_above": 1024,
"type": "wildcard"
},
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"value": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"first_seen": {
"type": "date"
},
"last_seen": {
"type": "date"
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"sightings": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"type": "object",
"properties": {
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "wildcard"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "wildcard"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "wildcard"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scanner_stats": {
"type": "long"
},
"geo": {
"type": "object",
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"not_after": {
"type": "date"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"not_before": {
"type": "date"
},
"subject": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
},
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"file": {
"type": "object",
"properties": {
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"accessed": {
"type": "date"
},
"mtime": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"type": "object",
"properties": {
"valid": {
"type": "boolean"
},
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
}
}
},
"ctime": {
"type": "date"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"elf": {
"type": "object",
"properties": {
"imports": {
"type": "flattened"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"exports": {
"type": "flattened"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"header": {
"type": "object",
"properties": {
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"creation_date": {
"type": "date"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"virtual_address": {
"type": "long"
},
"entropy": {
"type": "long"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_size": {
"type": "long"
}
}
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"segments": {
"type": "nested",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sections": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"target_path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"x509": {
"type": "object",
"properties": {
"not_after": {
"type": "date"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"not_before": {
"type": "date"
},
"subject": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
},
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"size": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"type": "object",
"properties": {
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"marking": {
"type": "object",
"properties": {
"tlp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"port": {
"type": "long"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"modified_at": {
"type": "date"
},
"email": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"framework": {
"ignore_above": 1024,
"type": "keyword"
},
"software": {
"type": "object",
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"platforms": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"technique": {
"type": "object",
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"subtechnique": {
"type": "object",
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"enrichments": {
"type": "nested",
"properties": {
"indicator": {
"type": "object",
"properties": {
"registry": {
"type": "object",
"properties": {
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"type": "object",
"properties": {
"strings": {
"ignore_above": 1024,
"type": "wildcard"
},
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"value": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"first_seen": {
"type": "date"
},
"last_seen": {
"type": "date"
},
"confidence": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"sightings": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"url": {
"type": "object",
"properties": {
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"type": "wildcard"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "wildcard"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"type": "wildcard"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"scanner_stats": {
"type": "long"
},
"geo": {
"type": "object",
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"continent_code": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
},
"postal_code": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"x509": {
"type": "object",
"properties": {
"not_after": {
"type": "date"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"not_before": {
"type": "date"
},
"subject": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
},
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"as": {
"type": "object",
"properties": {
"number": {
"type": "long"
},
"organization": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
}
}
}
}
},
"file": {
"type": "object",
"properties": {
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"accessed": {
"type": "date"
},
"mtime": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"code_signature": {
"type": "object",
"properties": {
"valid": {
"type": "boolean"
},
"digest_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"signing_id": {
"ignore_above": 1024,
"type": "keyword"
},
"trusted": {
"type": "boolean"
},
"subject_name": {
"ignore_above": 1024,
"type": "keyword"
},
"exists": {
"type": "boolean"
},
"team_id": {
"ignore_above": 1024,
"type": "keyword"
},
"status": {
"ignore_above": 1024,
"type": "keyword"
},
"timestamp": {
"type": "date"
}
}
},
"ctime": {
"type": "date"
},
"fork_name": {
"ignore_above": 1024,
"type": "keyword"
},
"elf": {
"type": "object",
"properties": {
"imports": {
"type": "flattened"
},
"shared_libraries": {
"ignore_above": 1024,
"type": "keyword"
},
"byte_order": {
"ignore_above": 1024,
"type": "keyword"
},
"exports": {
"type": "flattened"
},
"cpu_type": {
"ignore_above": 1024,
"type": "keyword"
},
"header": {
"type": "object",
"properties": {
"object_version": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"entrypoint": {
"type": "long"
},
"os_abi": {
"ignore_above": 1024,
"type": "keyword"
},
"abi_version": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"creation_date": {
"type": "date"
},
"sections": {
"type": "nested",
"properties": {
"chi2": {
"type": "long"
},
"virtual_address": {
"type": "long"
},
"entropy": {
"type": "long"
},
"physical_offset": {
"ignore_above": 1024,
"type": "keyword"
},
"flags": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"physical_size": {
"type": "long"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"virtual_size": {
"type": "long"
}
}
},
"telfhash": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"segments": {
"type": "nested",
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"sections": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group": {
"ignore_above": 1024,
"type": "keyword"
},
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"created": {
"type": "date"
},
"target_path": {
"ignore_above": 1024,
"type": "keyword",
"fields": {
"text": {
"type": "match_only_text"
}
}
},
"x509": {
"type": "object",
"properties": {
"not_after": {
"type": "date"
},
"public_key_exponent": {
"index": false,
"type": "long",
"doc_values": false
},
"not_before": {
"type": "date"
},
"subject": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"public_key_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_curve": {
"ignore_above": 1024,
"type": "keyword"
},
"signature_algorithm": {
"ignore_above": 1024,
"type": "keyword"
},
"public_key_size": {
"type": "long"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"version_number": {
"ignore_above": 1024,
"type": "keyword"
},
"alternative_names": {
"ignore_above": 1024,
"type": "keyword"
},
"issuer": {
"type": "object",
"properties": {
"country": {
"ignore_above": 1024,
"type": "keyword"
},
"state_or_province": {
"ignore_above": 1024,
"type": "keyword"
},
"organization": {
"ignore_above": 1024,
"type": "keyword"
},
"distinguished_name": {
"ignore_above": 1024,
"type": "keyword"
},
"locality": {
"ignore_above": 1024,
"type": "keyword"
},
"common_name": {
"ignore_above": 1024,
"type": "keyword"
},
"organizational_unit": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"size": {
"type": "long"
},
"mime_type": {
"ignore_above": 1024,
"type": "keyword"
},
"pe": {
"type": "object",
"properties": {
"file_version": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"imphash": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"company": {
"ignore_above": 1024,
"type": "keyword"
},
"original_file_name": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"type": "object",
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"ssdeep": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"marking": {
"type": "object",
"properties": {
"tlp": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"port": {
"type": "long"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"modified_at": {
"type": "date"
},
"email": {
"type": "object",
"properties": {
"address": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"matched": {
"type": "object",
"properties": {
"field": {
"ignore_above": 1024,
"type": "keyword"
},
"atomic": {
"ignore_above": 1024,
"type": "keyword"
},
"index": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"group": {
"type": "object",
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"alias": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tactic": {
"type": "object",
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"event": {
"type": "object",
"properties": {
"reason": {
"ignore_above": 1024,
"type": "keyword"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"agent_id_status": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"end": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"type": "long"
},
"original": {
"ignore_above": 1024,
"index": false,
"type": "keyword",
"doc_values": false
},
"risk_score": {
"type": "float"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"start": {
"type": "date"
},
"url": {
"ignore_above": 1024,
"type": "keyword"
},
"sequence": {
"type": "long"
},
"risk_score_norm": {
"type": "float"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fileset": {
"type": "object",
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"fields": {
"type": "object"
},
"error": {
"type": "object",
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"stack_trace": {
"ignore_above": 1024,
"type": "wildcard"
},
"message": {
"type": "match_only_text"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"aliases": {
"filebeat-threatintel-cert_pl": {}
}
},
"composed_of": [],
"priority": 150
}