From 9a9402a9c9fa02ed179276c74f7f0d73020dc07f Mon Sep 17 00:00:00 2001
From: Gloria Hornero
Date: Wed, 10 Mar 2021 16:55:45 +0100
Subject: [PATCH 1/9] updates the data used in the test
---
 .../security_solution/cypress/objects/rule.ts | 6 +-
 .../es_archives/threat_data/data.json | 13 +
 .../es_archives/threat_data/data.json.gz | Bin 1086 -> 0 bytes
 .../es_archives/threat_data/mappings.json | 3552 +-
 .../es_archives/threat_indicator/data.json | 71 +-
 .../threat_indicator/mappings.json | 25027 +++++++++++++++-
 6 files changed, 25107 insertions(+), 3562 deletions(-)
 create mode 100644 x-pack/test/security_solution_cypress/es_archives/threat_data/data.json
 delete mode 100644 x-pack/test/security_solution_cypress/es_archives/threat_data/data.json.gz
diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts
index 88dcd998fc06d..ad19eca231634 100644
--- a/x-pack/plugins/security_solution/cypress/objects/rule.ts
+++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts
@@ -309,9 +309,9 @@ export const newThreatIndicatorRule: ThreatIndicatorRule = {
 note: '# test markdown',
 runsEvery,
 lookBack,
- indicatorIndexPattern: ['threat-indicator-*'],
- indicatorMapping: 'agent.id',
- indicatorIndexField: 'agent.threat',
+ indicatorIndexPattern: ['filebeat-*'],
+ indicatorMapping: 'myhash.mysha256',
+ indicatorIndexField: 'threatintel.indicator.file.hash.sha256',
 timeline,
 maxSignals: 100,
 };
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json
new file mode 100644
index 0000000000000..75c4fe3811376
--- /dev/null
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json
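Review bot: The three replaced literals in `newThreatIndicatorRule` now hard-code field and index names that must agree with the es_archives changed in this same patch (`myhash.mysha256` is the only field in the `threat_data/data.json` document added below, and `threatintel.indicator.file.hash.sha256` presumably lives in the `threat_indicator` archive, whose contents are not shown here), but nothing in rule.ts records that coupling. A comment above the three lines would stop the next edit from changing one side only, e.g. `// Must stay in sync with es_archives/threat_data (event field) and es_archives/threat_indicator (indicator index + field).` `['filebeat-*']` is also far broader than the removed `['threat-indicator-*']`, so if the Cypress environment ever loads another filebeat archive the rule would match against it too; a short comment saying why the wider pattern is needed would help. The object literal begins before the hunk.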
@@ -0,0 +1,13 @@
+{
+ "type": "doc",
+ "value": {
+ "id": "_eZE7mwBOpWiDweStB_c",
+ "index": "threat-data-001",
+ "source": {
+ "@timestamp": "2021-02-22T21:00:49.337Z",
+ "myhash": {
+ "mysha256": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3"
+ }
+ }
+ }
+}
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json.gz b/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json.gz
deleted file mode 100644
index ab63f9a47a7baa9e6ea0e830f55ec8c5e48df4c9..0000000000000000000000000000000000000000
GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmV-E1i||siwFpR@w;CD17u-zVJ>QOZ*Bm+R!eW&I1s+)R|GzFfyyCeJq;|d2+~8b zD0*lX1+rKe6g9HBmPmo5?6^h#`;xNkkdlISFAah?o;PQ{`N;1#x3>#@YGJXyU6g_@ z-dn+e)SZ=lH($(GR$A=_o<5|_@&0rBl|3Bci@x8S&8-D5;n^DLodlwTl4uejgfDs} zI!Rw68p$7;HJ~(UTI&`foCnDK;zxwm5niKYiE#Qf_#1n&1+JX{Mg;8+8jz&koC{2F zM#DUTAdagvh;o90EJJC4(yTNJicpze0~-IGP@0pbKf3B9qqb-!j>I)Ohej((3q&EP zl9&cjnC1aVY{_wj%eW{ILWS#f=_u(+rVG;%S9t)bnBZ2QEzuG!2Gz^;u(W2A(-tQU z%7`N5R@ZkAqa_Y)s1Un(T0-}rtq*pkLfXiyEQ+$3#G)(xyyQSwO$t^secF5zygyf` z0%|HWy~lyyE^cPZy-_=D%u^mqu6maX7l5?TD&-!8bWuBPZC`^&v9TY zDTyqDa6UpS#lJxHe5p_qr5OzrgXT^511mvV>n&}kQ!EX>87KNY>zPr8GowuMWf(`x z;q#}*nW0H~pvq6{;0`bG9PZ#SfgPbk{RY7(9<*>xA(yr0(iaMfBKUb=@<4jd`u7cll-u| zzf+$-Ztp(+?(I2~a3vJc=|Xg7WoJn)bgxrMxEh#lp}lrp37@rxXu2GRq$wyh-jA&s z1Lm$%@~&X~u083U;48nYSM64aZ4Dc9PtyHH?cum72{h(Bv+$z!F$4~OWkHxf;>1wP zI$jxqM;?E{Gtf?x;!IWJik9gdCyWa6df87W4dY2y6v#t=asBd3$!2Dw=fQP^136Ef z#;?a;^&A=s^1)-DbYoH&ZZuzNC%WxtfZmV9-K==tm~m}b!@P36`x`BNh+fHMV{6%v zvXp1sFVJ&kezGb`qGXjog3#D;sKyb#+>HNwZAz!c(D~Ub>*n(J<>uw)KU(UR5_${( E0C|!QdjJ3c
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json
index 3ccdee6bdb5eb..01f8e6cf44e5e 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json
@@ -12,3566 +12,18 @@ }, "index": "threat-data-001", "mappings": { - "_meta": { - "beat": "auditbeat", - "version": "8.0.0" - }, - "date_detection": false, - "dynamic_templates": [ - { - "labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "labels.*" - } - }, - { - "container.labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "container.labels.*" - } - }, - { - "fields": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "fields.*" - } - }, - { - "docker.container.labels": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string", - "path_match": "docker.container.labels.*" - } - }, - { - "strings_as_keyword": { - "mapping": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], "properties": { "@timestamp": { "type": "date" }, - "agent": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auditd": { - "properties": { - "data": { - "properties": { - "a0": { - "ignore_above": 1024, - "type": "keyword" - }, - "a1": { - "ignore_above": 1024, - "type": "keyword" - }, - "a2": { - "ignore_above": 1024, - "type": "keyword" - }, - "a3": { - "ignore_above": 1024, - "type": "keyword" - }, - "a[0-3]": { - "ignore_above": 1024, - "type": "keyword" - }, - "acct": { - "ignore_above": 1024, - "type": "keyword" - }, - "acl": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "added": { - "ignore_above": 1024, - "type": "keyword" - }, - "addr": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "apparmor": { - "ignore_above": 1024, - "type": "keyword" - }, - "arch": { - "ignore_above": 1024, - "type": "keyword" - }, - "argc": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_backlog_limit": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_backlog_wait_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_failure": { - "ignore_above": 1024, - "type": "keyword" - }, - "banners": { - "ignore_above": 1024, - "type": "keyword" - }, - "bool": { - "ignore_above": 1024, - "type": "keyword" - }, - "bus": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fe": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fi": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fp": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fver": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "capability": { - "ignore_above": 1024, - "type": "keyword" - }, - "cgroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed": { - "ignore_above": 1024, - "type": "keyword" - }, - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "compat": { - "ignore_above": 1024, - "type": "keyword" - }, - "daddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "default-context": { - "ignore_above": 1024, - "type": "keyword" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "dir": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "dmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "dport": { - "ignore_above": 1024, - "type": "keyword" - }, - "enforcing": { - "ignore_above": 1024, - "type": "keyword" - }, - "entries": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit": { - "ignore_above": 1024, - "type": "keyword" - }, - "fam": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "fd": { - "ignore_above": 1024, - "type": "keyword" - }, - "fe": { - "ignore_above": 1024, - "type": "keyword" - }, - "feature": { - "ignore_above": 1024, - "type": "keyword" - }, - "fi": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "format": { - "ignore_above": 1024, - "type": "keyword" - }, - "fp": { - "ignore_above": 1024, - "type": "keyword" - }, - "fver": { - "ignore_above": 1024, - "type": "keyword" - }, - "grantors": { - "ignore_above": 1024, - "type": "keyword" - }, - "grp": { - "ignore_above": 1024, - "type": "keyword" - }, - "hook": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "igid": { - "ignore_above": 1024, - "type": "keyword" - }, - "img-ctx": { - "ignore_above": 1024, - "type": "keyword" - }, - "info": { - "ignore_above": 1024, - "type": "keyword" - }, - "inif": { - "ignore_above": 1024, - "type": "keyword" - }, - "ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode_gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "invalid_context": { - "ignore_above": 1024, - "type": "keyword" - }, - "ioctlcmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "ipid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipx-net": { - "ignore_above": 1024, - "type": "keyword" - }, - "items": { - "ignore_above": 1024, - "type": "keyword" - }, - "iuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "ksize": { - "ignore_above": 1024, - "type": "keyword" - }, - "laddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "len": { - "ignore_above": 1024, - "type": "keyword" - }, - "list": { - "ignore_above": 1024, - "type": "keyword" - }, - "lport": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "macproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "maj": { - "ignore_above": 1024, - "type": "keyword" - }, - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nargs": { - "ignore_above": 1024, - "type": "keyword" - }, - "net": { - "ignore_above": 1024, - "type": "keyword" - }, - "new": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-chardev": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-disk": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-fs": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-level": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-log_passwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-mem": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-net": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-range": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-rng": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "new-role": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-seuser": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-vcpu": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_lock": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "nlnk-fam": { - "ignore_above": 1024, - "type": "keyword" - }, - "nlnk-grp": { - "ignore_above": 1024, - "type": "keyword" - }, - "nlnk-pid": { - "ignore_above": 1024, - "type": "keyword" - }, - "oauid": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocomm": { - "ignore_above": 1024, - "type": "keyword" - }, - "oflag": { - "ignore_above": 1024, - "type": "keyword" - }, - "old": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-chardev": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-disk": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-fs": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-level": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-log_passwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-mem": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-net": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-range": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-rng": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-role": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-ses": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "old-seuser": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-vcpu": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_enforcing": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_lock": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pa": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_prom": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "op": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "opid": { - "ignore_above": 1024, - "type": "keyword" - }, - "oses": { - "ignore_above": 1024, - "type": "keyword" - }, - "outif": { - "ignore_above": 1024, - "type": "keyword" - }, - "pa": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "per": { - "ignore_above": 1024, - "type": "keyword" - }, - "perm": { - "ignore_above": 1024, - "type": "keyword" - }, - "perm_mask": { - "ignore_above": 1024, - "type": "keyword" - }, - "permissive": { - "ignore_above": 1024, - "type": "keyword" - }, - "pfs": { - "ignore_above": 1024, - "type": "keyword" - }, - "pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "printer": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "prom": { - "ignore_above": 1024, - "type": "keyword" - }, - "proto": { - "ignore_above": 1024, - "type": "keyword" - }, - "qbytes": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"range": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "removed": { - "ignore_above": 1024, - "type": "keyword" - }, - "res": { - "ignore_above": 1024, - "type": "keyword" - }, - "resrc": { - "ignore_above": 1024, - "type": "keyword" - }, - "rport": { - "ignore_above": 1024, - "type": "keyword" - }, - "sauid": { - "ignore_above": 1024, - "type": "keyword" - }, - "scontext": { - "ignore_above": 1024, - "type": "keyword" - }, - "selected-context": { - "ignore_above": 1024, - "type": "keyword" - }, - "seperm": { - "ignore_above": 1024, - "type": "keyword" - }, - "seperms": { - "ignore_above": 1024, - "type": "keyword" - }, - "seqno": { - "ignore_above": 1024, - "type": "keyword" - }, - "seresult": { - "ignore_above": 1024, - "type": "keyword" - }, - "ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "seuser": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig": { - "ignore_above": 1024, - "type": "keyword" - }, - "sigev_signo": { - "ignore_above": 1024, - "type": "keyword" - }, - "smac": { - "ignore_above": 1024, - "type": "keyword" - }, - "socket": { - "properties": { - "addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "ignore_above": 1024, - "type": "keyword" - }, - "saddr": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "spid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sport": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "subj": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "ignore_above": 1024, - "type": "keyword" - }, - "syscall": { - "ignore_above": 1024, - "type": "keyword" - }, - "table": { - "ignore_above": 1024, - "type": "keyword" - }, - "tclass": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcontext": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "terminal": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "val": { - "ignore_above": 1024, - "type": "keyword" - }, - "ver": { - "ignore_above": 1024, - "type": "keyword" - }, - "virt": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm-ctx": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm-pid": { - "ignore_above": 1024, - "type": "keyword" - }, - "watch": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "paths": { - "properties": { - "cap_fe": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fi": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fp": { - "ignore_above": 1024, - "type": "keyword" - }, - "cap_fver": { - "ignore_above": 1024, - "type": "keyword" - }, - "dev": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "item": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nametype": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "objtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "ogid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ouid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdev": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "session": { - "ignore_above": 1024, - "type": "keyword" - }, - "summary": { - "properties": { - "actor": { - "properties": { - "primary": { - "ignore_above": 1024, - "type": "keyword" - }, - "secondary": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "how": { - "ignore_above": 1024, - "type": "keyword" - }, - "object": { - "properties": { - "primary": { - "ignore_above": 1024, - "type": "keyword" - }, - "secondary": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "client": { + "myhash": { "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "docker": { - "properties": { - "container": { - "properties": { - "labels": { - "type": "object" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fields": { - "type": "object" - }, - "file": { - "properties": { - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "origin": { - "fields": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "selinux": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "setgid": { - "type": "boolean" - }, - "setuid": { - "type": "boolean" - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow": { - "properties": { - "complete": { - "type": "boolean" - }, - "final": { - "type": "boolean" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geoip": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "blake2b_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "blake2b_512": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha3_512": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_224": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512_256": { - "ignore_above": 1024, - "type": "keyword" - }, - "xxh64": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, 
- "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "containerized": { - "type": "boolean" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "jolokia": { - "properties": { - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "secured": { - "type": "boolean" - }, - "server": { - "properties": { - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kubernetes": { - "properties": { - "annotations": { - "type": "object" - }, - "container": { - "properties": { - "image": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "deployment": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pod": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "replicaset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "statefulset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "observer": { - "properties": { - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { 
- "properties": { - "ip": { - "type": "ip" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "socket": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "user": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "system": { - "properties": { - "audit": { - "properties": { - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boottime": { - "type": "date" - }, - "containerized": { - "type": "boolean" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - 
"codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "timezone": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "properties": { - "sec": { - "type": "long" - } - } - } - } - }, - "uptime": { - "type": "long" - } - } - }, - "newsocket": { - "properties": { - "egid": { - "type": "long" - }, - "euid": { - "type": "long" - }, - "gid": { - "type": "long" - }, - "internal_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel_sock_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "type": "long" - } - } - }, - "package": { - "properties": { - "arch": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "installtime": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "release": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "socket": { - "properties": { - "egid": { - "type": "long" - }, - "euid": { - "type": "long" - }, - "gid": { - "type": "long" - }, - "internal_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel_sock_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "type": "long" - } - } - }, - "user": { - "properties": { - "dir": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 
1024, - "type": "keyword" - }, - "group": { - "properties": { - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "properties": { - "last_changed": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_information": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "audit": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "effective": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "filesystem": { - "properties": { - 
"group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "name_map": { - "type": "object" - }, - "saved": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "selinux": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "terminal": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, + "mysha256": { "type": "keyword" } } } } - }, - "settings": { - "index": { - "lifecycle": { - "indexing_complete": "true", - "name": "auditbeat-8.0.0", - "rollover_alias": "auditbeat-8.0.0" - }, - "mapping": { - "total_fields": { - "limit": "10000" - } - }, - "number_of_replicas": "0", - "number_of_shards": "1", - "query": { - "default_field": [ - "message", - "tags", - "agent.ephemeral_id", - "agent.id", - "agent.name", - "agent.type", - "agent.version", - "client.address", - "client.domain", - "client.geo.city_name", - "client.geo.continent_name", - "client.geo.country_iso_code", - "client.geo.country_name", - "client.geo.name", - "client.geo.region_iso_code", - "client.geo.region_name", - "client.mac", - "client.user.email", - "client.user.full_name", - "client.user.group.id", - "client.user.group.name", - "client.user.hash", - "client.user.id", - "client.user.name", - "cloud.account.id", - "cloud.availability_zone", - "cloud.instance.id", - "cloud.instance.name", - "cloud.machine.type", - "cloud.provider", - "cloud.region", - "container.id", - "container.image.name", - "container.image.tag", - "container.name", - "container.runtime", - "destination.address", - "destination.domain", - "destination.geo.city_name", - "destination.geo.continent_name", - "destination.geo.country_iso_code", - "destination.geo.country_name", - "destination.geo.name", - "destination.geo.region_iso_code", - "destination.geo.region_name", - "destination.mac", - "destination.user.email", - "destination.user.full_name", - "destination.user.group.id", - "destination.user.group.name", - "destination.user.hash", - "destination.user.id", - "destination.user.name", - "ecs.version", - "error.code", - "error.id", - "error.message", - "event.action", - "event.category", - "event.dataset", - "event.hash", - 
"event.id", - "event.kind", - "event.module", - "event.original", - "event.outcome", - "event.timezone", - "event.type", - "file.device", - "file.extension", - "file.gid", - "file.group", - "file.inode", - "file.mode", - "file.owner", - "file.path", - "file.target_path", - "file.type", - "file.uid", - "geo.city_name", - "geo.continent_name", - "geo.country_iso_code", - "geo.country_name", - "geo.name", - "geo.region_iso_code", - "geo.region_name", - "group.id", - "group.name", - "host.architecture", - "host.geo.city_name", - "host.geo.continent_name", - "host.geo.country_iso_code", - "host.geo.country_name", - "host.geo.name", - "host.geo.region_iso_code", - "host.geo.region_name", - "host.hostname", - "host.id", - "host.mac", - "host.name", - "host.os.family", - "host.os.full", - "host.os.kernel", - "host.os.name", - "host.os.platform", - "host.os.version", - "host.type", - "host.user.email", - "host.user.full_name", - "host.user.group.id", - "host.user.group.name", - "host.user.hash", - "host.user.id", - "host.user.name", - "http.request.body.content", - "http.request.method", - "http.request.referrer", - "http.response.body.content", - "http.version", - "log.level", - "log.original", - "network.application", - "network.community_id", - "network.direction", - "network.iana_number", - "network.name", - "network.protocol", - "network.transport", - "network.type", - "observer.geo.city_name", - "observer.geo.continent_name", - "observer.geo.country_iso_code", - "observer.geo.country_name", - "observer.geo.name", - "observer.geo.region_iso_code", - "observer.geo.region_name", - "observer.hostname", - "observer.mac", - "observer.os.family", - "observer.os.full", - "observer.os.kernel", - "observer.os.name", - "observer.os.platform", - "observer.os.version", - "observer.serial_number", - "observer.type", - "observer.vendor", - "observer.version", - "organization.id", - "organization.name", - "os.family", - "os.full", - "os.kernel", - "os.name", - "os.platform", - 
"os.version", - "process.args", - "process.executable", - "process.name", - "process.title", - "process.working_directory", - "server.address", - "server.domain", - "server.geo.city_name", - "server.geo.continent_name", - "server.geo.country_iso_code", - "server.geo.country_name", - "server.geo.name", - "server.geo.region_iso_code", - "server.geo.region_name", - "server.mac", - "server.user.email", - "server.user.full_name", - "server.user.group.id", - "server.user.group.name", - "server.user.hash", - "server.user.id", - "server.user.name", - "service.ephemeral_id", - "service.id", - "service.name", - "service.state", - "service.type", - "service.version", - "source.address", - "source.domain", - "source.geo.city_name", - "source.geo.continent_name", - "source.geo.country_iso_code", - "source.geo.country_name", - "source.geo.name", - "source.geo.region_iso_code", - "source.geo.region_name", - "source.mac", - "source.user.email", - "source.user.full_name", - "source.user.group.id", - "source.user.group.name", - "source.user.hash", - "source.user.id", - "source.user.name", - "url.domain", - "url.fragment", - "url.full", - "url.original", - "url.password", - "url.path", - "url.query", - "url.scheme", - "url.username", - "user.email", - "user.full_name", - "user.group.id", - "user.group.name", - "user.hash", - "user.id", - "user.name", - "user_agent.device.name", - "user_agent.name", - "user_agent.original", - "user_agent.os.family", - "user_agent.os.full", - "user_agent.os.kernel", - "user_agent.os.name", - "user_agent.os.platform", - "user_agent.os.version", - "user_agent.version", - "agent.hostname", - "error.type", - "cloud.project.id", - "host.os.build", - "kubernetes.pod.name", - "kubernetes.pod.uid", - "kubernetes.namespace", - "kubernetes.node.name", - "kubernetes.replicaset.name", - "kubernetes.deployment.name", - "kubernetes.statefulset.name", - "kubernetes.container.name", - "kubernetes.container.image", - "jolokia.agent.version", - "jolokia.agent.id", - 
"jolokia.server.product", - "jolokia.server.version", - "jolokia.server.vendor", - "jolokia.url", - "raw", - "file.origin", - "file.selinux.user", - "file.selinux.role", - "file.selinux.domain", - "file.selinux.level", - "user.audit.id", - "user.audit.name", - "user.effective.id", - "user.effective.name", - "user.effective.group.id", - "user.effective.group.name", - "user.filesystem.id", - "user.filesystem.name", - "user.filesystem.group.id", - "user.filesystem.group.name", - "user.saved.id", - "user.saved.name", - "user.saved.group.id", - "user.saved.group.name", - "user.selinux.user", - "user.selinux.role", - "user.selinux.domain", - "user.selinux.level", - "user.selinux.category", - "source.path", - "destination.path", - "auditd.message_type", - "auditd.session", - "auditd.result", - "auditd.summary.actor.primary", - "auditd.summary.actor.secondary", - "auditd.summary.object.type", - "auditd.summary.object.primary", - "auditd.summary.object.secondary", - "auditd.summary.how", - "auditd.paths.inode", - "auditd.paths.dev", - "auditd.paths.obj_user", - "auditd.paths.obj_role", - "auditd.paths.obj_domain", - "auditd.paths.obj_level", - "auditd.paths.objtype", - "auditd.paths.ouid", - "auditd.paths.rdev", - "auditd.paths.nametype", - "auditd.paths.ogid", - "auditd.paths.item", - "auditd.paths.mode", - "auditd.paths.name", - "auditd.data.action", - "auditd.data.minor", - "auditd.data.acct", - "auditd.data.addr", - "auditd.data.cipher", - "auditd.data.id", - "auditd.data.entries", - "auditd.data.kind", - "auditd.data.ksize", - "auditd.data.spid", - "auditd.data.arch", - "auditd.data.argc", - "auditd.data.major", - "auditd.data.unit", - "auditd.data.table", - "auditd.data.terminal", - "auditd.data.grantors", - "auditd.data.direction", - "auditd.data.op", - "auditd.data.tty", - "auditd.data.syscall", - "auditd.data.data", - "auditd.data.family", - "auditd.data.mac", - "auditd.data.pfs", - "auditd.data.items", - "auditd.data.a0", - "auditd.data.a1", - "auditd.data.a2", - 
"auditd.data.a3", - "auditd.data.hostname", - "auditd.data.lport", - "auditd.data.rport", - "auditd.data.exit", - "auditd.data.fp", - "auditd.data.laddr", - "auditd.data.sport", - "auditd.data.capability", - "auditd.data.nargs", - "auditd.data.new-enabled", - "auditd.data.audit_backlog_limit", - "auditd.data.dir", - "auditd.data.cap_pe", - "auditd.data.model", - "auditd.data.new_pp", - "auditd.data.old-enabled", - "auditd.data.oauid", - "auditd.data.old", - "auditd.data.banners", - "auditd.data.feature", - "auditd.data.vm-ctx", - "auditd.data.opid", - "auditd.data.seperms", - "auditd.data.seresult", - "auditd.data.new-rng", - "auditd.data.old-net", - "auditd.data.sigev_signo", - "auditd.data.ino", - "auditd.data.old_enforcing", - "auditd.data.old-vcpu", - "auditd.data.range", - "auditd.data.res", - "auditd.data.added", - "auditd.data.fam", - "auditd.data.nlnk-pid", - "auditd.data.subj", - "auditd.data.a[0-3]", - "auditd.data.cgroup", - "auditd.data.kernel", - "auditd.data.ocomm", - "auditd.data.new-net", - "auditd.data.permissive", - "auditd.data.class", - "auditd.data.compat", - "auditd.data.fi", - "auditd.data.changed", - "auditd.data.msg", - "auditd.data.dport", - "auditd.data.new-seuser", - "auditd.data.invalid_context", - "auditd.data.dmac", - "auditd.data.ipx-net", - "auditd.data.iuid", - "auditd.data.macproto", - "auditd.data.obj", - "auditd.data.ipid", - "auditd.data.new-fs", - "auditd.data.vm-pid", - "auditd.data.cap_pi", - "auditd.data.old-auid", - "auditd.data.oses", - "auditd.data.fd", - "auditd.data.igid", - "auditd.data.new-disk", - "auditd.data.parent", - "auditd.data.len", - "auditd.data.oflag", - "auditd.data.uuid", - "auditd.data.code", - "auditd.data.nlnk-grp", - "auditd.data.cap_fp", - "auditd.data.new-mem", - "auditd.data.seperm", - "auditd.data.enforcing", - "auditd.data.new-chardev", - "auditd.data.old-rng", - "auditd.data.outif", - "auditd.data.cmd", - "auditd.data.hook", - "auditd.data.new-level", - "auditd.data.sauid", - "auditd.data.sig", 
- "auditd.data.audit_backlog_wait_time", - "auditd.data.printer", - "auditd.data.old-mem", - "auditd.data.perm", - "auditd.data.old_pi", - "auditd.data.state", - "auditd.data.format", - "auditd.data.new_gid", - "auditd.data.tcontext", - "auditd.data.maj", - "auditd.data.watch", - "auditd.data.device", - "auditd.data.grp", - "auditd.data.bool", - "auditd.data.icmp_type", - "auditd.data.new_lock", - "auditd.data.old_prom", - "auditd.data.acl", - "auditd.data.ip", - "auditd.data.new_pi", - "auditd.data.default-context", - "auditd.data.inode_gid", - "auditd.data.new-log_passwd", - "auditd.data.new_pe", - "auditd.data.selected-context", - "auditd.data.cap_fver", - "auditd.data.file", - "auditd.data.net", - "auditd.data.virt", - "auditd.data.cap_pp", - "auditd.data.old-range", - "auditd.data.resrc", - "auditd.data.new-range", - "auditd.data.obj_gid", - "auditd.data.proto", - "auditd.data.old-disk", - "auditd.data.audit_failure", - "auditd.data.inif", - "auditd.data.vm", - "auditd.data.flags", - "auditd.data.nlnk-fam", - "auditd.data.old-fs", - "auditd.data.old-ses", - "auditd.data.seqno", - "auditd.data.fver", - "auditd.data.qbytes", - "auditd.data.seuser", - "auditd.data.cap_fe", - "auditd.data.new-vcpu", - "auditd.data.old-level", - "auditd.data.old_pp", - "auditd.data.daddr", - "auditd.data.old-role", - "auditd.data.ioctlcmd", - "auditd.data.smac", - "auditd.data.apparmor", - "auditd.data.fe", - "auditd.data.perm_mask", - "auditd.data.ses", - "auditd.data.cap_fi", - "auditd.data.obj_uid", - "auditd.data.reason", - "auditd.data.list", - "auditd.data.old_lock", - "auditd.data.bus", - "auditd.data.old_pe", - "auditd.data.new-role", - "auditd.data.prom", - "auditd.data.uri", - "auditd.data.audit_enabled", - "auditd.data.old-log_passwd", - "auditd.data.old-seuser", - "auditd.data.per", - "auditd.data.scontext", - "auditd.data.tclass", - "auditd.data.ver", - "auditd.data.new", - "auditd.data.val", - "auditd.data.img-ctx", - "auditd.data.old-chardev", - 
"auditd.data.old_val", - "auditd.data.success", - "auditd.data.inode_uid", - "auditd.data.removed", - "auditd.data.socket.port", - "auditd.data.socket.saddr", - "auditd.data.socket.addr", - "auditd.data.socket.family", - "auditd.data.socket.path", - "geoip.continent_name", - "geoip.city_name", - "geoip.region_name", - "geoip.country_iso_code", - "hash.blake2b_256", - "hash.blake2b_384", - "hash.blake2b_512", - "hash.md5", - "hash.sha1", - "hash.sha224", - "hash.sha256", - "hash.sha384", - "hash.sha3_224", - "hash.sha3_256", - "hash.sha3_384", - "hash.sha3_512", - "hash.sha512", - "hash.sha512_224", - "hash.sha512_256", - "hash.xxh64", - "event.origin", - "user.entity_id", - "user.terminal", - "process.entity_id", - "socket.entity_id", - "system.audit.host.timezone.name", - "system.audit.host.hostname", - "system.audit.host.id", - "system.audit.host.architecture", - "system.audit.host.mac", - "system.audit.host.os.platform", - "system.audit.host.os.name", - "system.audit.host.os.family", - "system.audit.host.os.version", - "system.audit.host.os.kernel", - "system.audit.package.entity_id", - "system.audit.package.name", - "system.audit.package.version", - "system.audit.package.release", - "system.audit.package.arch", - "system.audit.package.license", - "system.audit.package.summary", - "system.audit.package.url", - "system.audit.user.name", - "system.audit.user.uid", - "system.audit.user.gid", - "system.audit.user.dir", - "system.audit.user.shell", - "system.audit.user.user_information", - "system.audit.user.password.type", - "fields.*" - ] - }, - "refresh_interval": "5s" - } } } } diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json index dfe0444e0bbd4..9573372d02e9c 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/data.json 
@@ -1,12 +1,75 @@
 {
 "type": "doc",
 "value": {
- "id": "_uZE6nwBOpWiDweSth_D",
- "index": "threat-indicator-0001",
+ "id": "84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f",
+ "index": "filebeat-7.12.0-2021.03.10-000001",
 "source": {
- "@timestamp": "2019-09-01T00:41:06.527Z",
+ "@timestamp": "2021-03-10T14:51:05.766Z",
 "agent": {
- "threat": "03ccb0ce-f65c-4279-a619-05f1d5bb000b"
+ "ephemeral_id": "34c78500-8df5-4a07-ba87-1cc738b98431",
+ "hostname": "test",
+ "id": "08a3d064-8f23-41f3-84b2-f917f6ff9588",
+ "name": "test",
+ "type": "filebeat",
+ "version": "7.12.0"
+ },
+ "fileset": {
+ "name": "abusemalware"
+ },
+ "threatintel": {
+ "indicator": {
+ "first_seen": "2021-03-10T08:02:14.000Z",
+ "file": {
+ "size": 80280,
+ "pe": {},
+ "type": "elf",
+ "hash": {
+ "sha256": "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3",
+ "tlsh": "6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE",
+ "ssdeep": "1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL",
+ "md5": "9b6c3518a91d23ed77504b5416bfb5b3"
+ }
+ },
+ "type": "file"
+ },
+ "abusemalware": {
+ "virustotal": {
+ "result": "38 / 61",
+ "link": "https://www.virustotal.com/gui/file/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/detection/f-a04ac6d",
+ "percent": "62.30"
+ }
+ }
+ },
+ "tags": [
+ "threatintel-abusemalware",
+ "forwarded"
+ ],
+ "input": {
+ "type": "httpjson"
+ },
+ "@timestamp": "2021-03-10T14:51:07.663Z",
+ "ecs": {
+ "version": "1.6.0"
+ },
+ "related": {
+ "hash": [
+ "9b6c3518a91d23ed77504b5416bfb5b3",
+ "a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3",
+ "1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL"
+ ]
+ },
+ "service": {
+ "type": "threatintel"
+ },
+ "event": {
+ "reference": "https://urlhaus-api.abuse.ch/v1/download/a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3/",
+ "ingested": "2021-03-10T14:51:09.809069Z",
+ "created": "2021-03-10T14:51:07.663Z",
+ "kind": "enrichment",
+ "module": "threatintel",
+ "category": "threat",
+ "type": "indicator",
+ "dataset": "threatintel.abusemalware"
 }
 }
 }
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
index 0c24fa429d908..2c5ab082c4cbf 100644
--- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
+++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json
@@ -2,28 +2,25045 @@ "type": "index", "value": { "aliases": { - "threat-indicator": { - "is_write_index": false + "filebeat-7.12.0": { + "is_write_index": true } }, - "index": "threat-indicator-0001", + "index": "filebeat-7.12.0-2021.03.10-000001", "mappings": { + "_meta": { + "beat": "filebeat", + "version": "7.12.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "labels.*" + } + }, + { + "container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "container.labels.*" + } + }, + { + "fields": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "fields.*" + } + }, + { + "docker.container.labels": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.container.labels.*" + } + }, + { + "kubernetes.labels.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.labels.*" + } + }, + { + "kubernetes.annotations.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.annotations.*" + } + }, + { + "kubernetes.service.selectors.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "kubernetes.service.selectors.*" + } + }, + { + "docker.attrs": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "docker.attrs.*" + } + }, + { + "azure.activitylogs.identity.claims.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "azure.activitylogs.identity.claims.*" + } + }, + { + "azure.platformlogs.properties.*": { + "mapping": { + "type": "keyword" + }, + "path_match": "azure.platformlogs.properties.*" + } + }, + { + "kibana.log.meta": { + "mapping": { + "type": "keyword" + }, + "match_mapping_type": "string", + "path_match": "kibana.log.meta.*" + } + }, + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "match_mapping_type": "string" + } + } + ], "properties": { "@timestamp": { "type": "date" }, + "activemq": { + "properties": { + "caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "agent": { "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" }, - "threat": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { "ignore_above": 1024, "type": "keyword" } } - } + }, + "apache": { + "properties": { + "access": { + "properties": { + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "error": { + "properties": { + "module": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "auditd": { + "properties": { + "log": { + "properties": { + "a0": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "item": { + "ignore_above": 1024, + "type": "keyword" + }, + "items": { + "ignore_above": 1024, + "type": "keyword" + }, + "laddr": { + "type": "ip" + }, + "lport": { + "type": "long" + }, + "new_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_ses": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "old_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "rport": { + "type": "long" + }, + "sequence": { + "type": "long" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "aws": { + "properties": { + "cloudtrail": { + "properties": { + "additional_eventdata": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "console_login": { + "properties": { + "additional_eventdata": { + "properties": { + "login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mfa_used": { + "type": "boolean" + }, + "mobile_version": { + "type": "boolean" + } + } + } + } + }, + "digest": { + "properties": { + "end_time": { + "type": "date" + }, + "log_files": { + "type": "nested" + }, + "newest_event_time": { + "type": "date" + }, + "oldest_event_time": { + "type": "date" + }, + "previous_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "s3_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + } + } + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "flattened": { + "properties": { + "additional_eventdata": { + "type": "flattened" + }, + "request_parameters": { + 
"type": "flattened" + }, + "response_elements": { + "type": "flattened" + }, + "service_event_details": { + "type": "flattened" + } + } + }, + "insight_details": { + "type": "flattened" + }, + "management_event": { + "ignore_above": 1024, + "type": "keyword" + }, + "read_only": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_parameters": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "resources": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response_elements": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "service_event_details": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_identity": { + "properties": { + "access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_context": { + "properties": { + "creation_date": { + "type": "date" + }, + "mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_issuer": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cloudwatch": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "ec2": { + "properties": { + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elb": { + "properties": { + "action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend": { + "properties": { + "http": { + "properties": { + "response": { + "properties": { + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "backend_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "error": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "response_processing_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_protocol": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_handshake_time": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "tls_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3access": { + "properties": { + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": "long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpcflow": { 
+ "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dstaddr": { + "type": "ip" + }, + "pkt_srcaddr": { + "type": "ip" + }, + "subnet_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "aws-cloudwatch": { + "properties": { + "ingestion_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_stream": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + 
"properties": { + "*": { + "type": "object" + } + } + }, + "claims_initiated_by_user": { + "properties": { + "fullname": { + "ignore_above": 1024, + "type": "keyword" + }, + "givenname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "surname": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "service_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auditlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "appId": { + "ignore_above": 1024, + "type": "keyword" + }, + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "displayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "properties": { + "*": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "consumer_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "enqueued_time": { + "type": "date" + }, + "eventhub": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "partition_id": { + "type": "long" + }, + "platformlogs": { + "properties": { + "ActivityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "Cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "Environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventTimeString": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "ScaleUnit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ccpNamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence_number": { + "type": "long" + }, + "signinlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_ms": { + "type": "float" + }, + "resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signin": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "token_issuer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bucket_name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "cef": { + "properties": { + "device": { + "properties": { + "event_class_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extensions": { + "properties": { + "Reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentAddress": { + "type": "ip" + }, + "agentDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentReceiptTime": { + "type": "date" + }, + "agentTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedAddress": { + "type": "ip" + }, + "agentTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentType": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "agentZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "applicationProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "baseEventCount": { + "type": "long" + }, + "bytesIn": { + "type": "long" + }, + "bytesOut": { + "type": "long" + }, + "categoryBehavior": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryDeviceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryObject": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryOutcome": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "categorySignificance": { + "ignore_above": 1024, + "type": "keyword" + }, + "categoryTechnique": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "customerURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationAddress": { + "type": "ip" + }, + "destinationDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationGeoLatitude": { + "type": "double" + }, + "destinationGeoLongitude": { + "type": "double" + }, + "destinationHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationPort": { + "type": "long" + }, + "destinationProcessId": { + "type": "long" + }, + "destinationProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedAddress": { + "type": "ip" + }, + "destinationTranslatedPort": { + "type": "long" + }, + "destinationTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "destinationZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceAddress": { + "type": "ip" + }, + "deviceCustomDate1": { + "type": "date" + }, + 
"deviceCustomDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomDate2": { + "type": "date" + }, + "deviceCustomDate2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint1": { + "type": "double" + }, + "deviceCustomFloatingPoint1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint2": { + "type": "double" + }, + "deviceCustomFloatingPoint2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint3": { + "type": "double" + }, + "deviceCustomFloatingPoint3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomFloatingPoint4": { + "type": "double" + }, + "deviceCustomFloatingPoint4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address1": { + "type": "ip" + }, + "deviceCustomIPv6Address1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address2": { + "type": "ip" + }, + "deviceCustomIPv6Address2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address3": { + "type": "ip" + }, + "deviceCustomIPv6Address3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomIPv6Address4": { + "type": "ip" + }, + "deviceCustomIPv6Address4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber1": { + "type": "long" + }, + "deviceCustomNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber2": { + "type": "long" + }, + "deviceCustomNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomNumber3": { + "type": "long" + }, + "deviceCustomNumber3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString2Label": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString3Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString4Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString5Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceCustomString6Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceDirection": { + "type": "long" + }, + "deviceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceEventCategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceExternalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFacility": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber1": { + "type": "long" + }, + "deviceFlexNumber1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceFlexNumber2": { + "type": "long" + }, + "deviceFlexNumber2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceHostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceInboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceOutboundInterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "devicePayloadId": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceProcessId": { + "type": "long" + }, + "deviceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceReceiptTime": { + "type": "date" + }, + "deviceTimeZone": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedAddress": { + "type": "ip" + }, + 
"deviceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "endTime": { + "type": "date" + }, + "eventId": { + "type": "long" + }, + "eventOutcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "externalId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileCreateTime": { + "type": "date" + }, + "fileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileModificationTime": { + "type": "date" + }, + "filePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileSize": { + "type": "long" + }, + "fileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexDate1": { + "type": "date" + }, + "flexDate1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString1Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2": { + "ignore_above": 1024, + "type": "keyword" + }, + "flexString2Label": { + "ignore_above": 1024, + "type": "keyword" + }, + "ifname": { + "ignore_above": 1024, + "type": "keyword" + }, + "inzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "loguid": { + "ignore_above": 1024, + "type": "keyword" + }, + "managerReceiptTime": { + "type": "date" + }, + "match_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "nat_addtnl_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileCreateTime": { + "type": "date" + }, + "oldFileHash": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileId": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileModificationTime": { + "type": "date" + }, + "oldFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFilePermission": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldFileSize": { + "type": "long" + }, + "oldFileType": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "originsicname": { + "ignore_above": 1024, + "type": "keyword" + }, + "outzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawEvent": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestClientApplication": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestContext": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestCookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestMethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "requestUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequencenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceAddress": { + "type": "ip" + }, + "sourceDnsDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceGeoLatitude": { + "type": "double" + }, + "sourceGeoLongitude": { + "type": "double" + }, + "sourceHostName": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "sourceMacAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceNtDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourcePort": { + "type": "long" + }, + "sourceProcessId": { + "type": "long" + }, + "sourceProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedAddress": { + "type": "ip" + }, + "sourceTranslatedPort": { + "type": "long" + }, + "sourceTranslatedZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceTranslatedZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceUserPrivileges": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneExternalID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceZoneURI": { + "ignore_above": 1024, + "type": "keyword" + }, + "startTime": { + "type": "date" + }, + "transportProtocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "checkpoint": { + "properties": { + "action_reason": { + "type": "long" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "allocated_ports": { + "type": "long" + }, + "analyzed_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "answer_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "anti_virus_type": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "app_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_package": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_repackaged": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sid_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "appi_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "arrival_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "attachments_num": { + "type": "long" + }, + "attack_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "authority_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "authorization": { + "ignore_above": 1024, + "type": "keyword" + }, + "bcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "blade_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "broker_publisher": { + "type": "ip" + }, + "browse_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "calc_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "capacity": { + "type": "long" + }, + "capture_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgnet": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "chunk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_type_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "type": "long" + }, + "connection_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectivity_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conns_amount": { + "type": "long" + }, + "content_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_risk": { + "type": "long" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "type": "long" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieI": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookieR": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_message": { + "type": "long" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce-rpc_interface_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "detected_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "developer_certificate_name": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "diameter_app_ID": { + "type": "long" + }, + "diameter_cmd_code": { + "type": "long" + }, + "diameter_msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_additional_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_data_type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_files_number": { + "type": "long" + }, + "dlp_fingerprint_long_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_fingerprint_short_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_recipients": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_related_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_relevant_data_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_directories_number": { + "type": "long" + }, + "dlp_repository_files_number": { + "type": "long" + }, + "dlp_repository_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_not_scanned_directories_percentage": { + "type": "long" + }, + "dlp_repository_reached_directories_number": { + "type": "long" + }, + "dlp_repository_root_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_repository_scan_progress": { + "type": "long" + }, + "dlp_repository_scanned_directories_number": { + "type": "long" + }, + "dlp_repository_scanned_files_number": { + "type": "long" + }, + "dlp_repository_scanned_total_size": { + "type": "long" + }, + "dlp_repository_skipped_files_number": { + "type": "long" + }, + "dlp_repository_total_size": { + "type": "long" + }, + "dlp_repository_unreachable_directories_number": { + "type": "long" + }, + 
"dlp_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_template_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_transint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_violation_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_watermark_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_word_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_incoming": { + "type": "long" + }, + "dropped_outgoing": { + "type": "long" + }, + "dropped_total": { + "type": "long" + }, + "drops_amount": { + "type": "long" + }, + "dst_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstkeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duplicate": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_control_analysis": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_message_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "email_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_recipients_num": { + "type": "long" + }, + "email_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spam_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_spool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "emulated_on": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_user_firewall_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_associated_policies": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_noncompliance_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "esod_scan_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_count": { + "type": "long" + }, + "expire_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_file_verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_impact": { + "ignore_above": 
1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_hit_time": { + "type": "long" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs-proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "hide_ip": { + "type": "ip" + }, + "hit": { + "type": "long" + }, + "host_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_inspection_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_validation": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_more_info": { + "type": "long" + }, + "icap_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_server_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "icap_service_id": { + "type": "long" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "impacted_files": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "incident_extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "information": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_item": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspection_settings_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed_products": { + "ignore_above": 1024, + "type": "keyword" + }, + "int_end": { + "type": "long" + }, + "int_start": { + "type": "long" + }, + "integrity_av_invoke_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "internal_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalid_file_size": { + "type": "long" + }, + "ip_option": { + "type": "long" + }, + "isp_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_hit_time": { + "type": "long" + }, + "last_rematch_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "layer_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit_applied": { + "type": "long" + }, + "limit_requested": { + "type": "long" + }, + "link_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "links_num": { + "type": "long" + }, + "log_delay": { + "type": "long" + }, + "log_id": { + "type": "long" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_desc": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_fk": { + "type": "long" + }, + "match_id": { + "type": "long" + }, + "matched_file": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_file_percentage": { + "type": "long" + }, + "matched_file_text_segments": { + "type": "long" + }, + "media_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_size": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "mirror_and_decrypt_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_collection": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_command_and_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_credential_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_defense_evasion": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_discovery": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_exfiltration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_initial_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_lateral_movement": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_persistence": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_privilege_escalation": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 
1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat46": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_exhausted_pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "needs_browse_time": { + "type": "long" + }, + "next_hop_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_scheduled_scan_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_of_errors": { + "type": "long" + }, + "objecttable": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "observable_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_queue_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_amount": { + "type": "long" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "peer_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_ip_probing_status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "performance_impact": { + "type": "long" + }, + "policy_mgmt": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ports_usage": { + "type": "long" + }, + "ppp": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_machine_name": { + "type": "long" + }, + "proxy_src_ip": { + "type": "ip" + }, + "proxy_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "question_rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_parent_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer_self_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_ip-phones": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rematch_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediated_files": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_status": { + "type": "long" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpc_prog": { + "type": "long" + }, + "rule": { + "type": "long" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rulebase_id": { + "type": "long" + }, + "scan_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"scan_hosts_day": { + "type": "long" + }, + "scan_hosts_hour": { + "type": "long" + }, + "scan_hosts_week": { + "type": "long" + }, + "scan_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_mail": { + "type": "long" + }, + "scan_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "scan_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_download_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrub_total_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "scrubbed_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_association_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sctp_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "scv_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "securexl_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_communication": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_hashes": { + "ignore_above": 1024, + "type": "keyword" + }, + "similar_strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "similiar_iocs": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_object": { + "type": "long" + }, + "source_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "type": "long" + }, + "specific_data_type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "spyware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "spyware_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "srckeyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_update": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_policy_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "type": "date" + }, + "subscriber": { + "type": "ip" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "type": "long" + }, + "sync": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_end_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "te_verdict_determined_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ticket_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "tls_server_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_archive_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_attachments": { + "type": "long" + }, + "triggered_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_detected_day": { + "type": "long" + }, + "unique_detected_hour": { + "type": "long" + }, + "unique_detected_week": { + "type": "long" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "via": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_action_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_attach_sz": { + "type": "long" + }, + "voip_call_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_call_term_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_config": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_est_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_exp": { + "type": "long" + }, + "voip_from_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"voip_media_codec": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_ipp": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_media_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reason_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reg_int": { + "type": "long" + }, + "voip_reg_ipp": { + "type": "long" + }, + "voip_reg_period": { + "type": "long" + }, + "voip_reg_server": { + "type": "ip" + }, + "voip_reg_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_reject_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_to_user_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "watermark": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_server_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "word_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cisco": { + "properties": { + "amp": { + "properties": { + "cloud_ioc": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_description": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "computer": { + "properties": { + "active": { + "type": "boolean" + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_ip": { + "type": "ip" + }, + "network_addresses": { + "type": "flattened" + } + } + }, + "connector_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection": { + "ignore_above": 1024, + "type": "keyword" + }, + "detection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + 
"properties": { + "archived_file": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identify": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "attack_details": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "attacked_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "base_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicators": { + "type": "flattened" + }, + "suspicious_files": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group_guids": { + "ignore_above": 1024, + "type": "keyword" + }, + "network_info": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "nfm": { + "properties": { + "direction": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "parent": { + "properties": { + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "identify": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "related": { + "properties": { + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scan": { + "properties": { + "clean": { + "type": "boolean" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "malicious_detections": { + "type": "long" + }, + "scanned_files": { + "type": 
"long" + }, + "scanned_paths": { + "type": "long" + }, + "scanned_processes": { + "type": "long" + } + } + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + }, + "threat_hunting": { + "properties": { + "incident_end_time": { + "type": "date" + }, + "incident_hunt_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_report_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_start_time": { + "type": "date" + }, + "incident_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "incident_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactics": { + "type": "flattened" + }, + "techniques": { + "type": "flattened" + } + } + }, + "timestamp_nanoseconds": { + "type": "date" + }, + "vulnerabilities": { + "type": "flattened" + } + } + }, + "asa": { + "properties": { + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ftd": { + "properties": { + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "short" + }, + "icmp_type": { + "type": "short" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message_id": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "type": "object" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "umbrella": { + "properties": { + "amp_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_malware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_detections": { + "ignore_above": 1024, + "type": "keyword" + }, + "blocked_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "datacenter": { + "ignore_above": 1024, + "type": "keyword" + }, + "identities": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "puas": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha_sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 
1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "container": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "coredns": { + "properties": { + "dnssec_ok": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, 
+ "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + } + }, + "crowdstrike": { + "properties": { + "event": { + "properties": { + "AuditKeyValues": { + "type": "nested" + }, + "CommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "Commands": { + "ignore_above": 1024, + "type": "keyword" + }, + "ComputerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ConnectionDirection": { + "ignore_above": 1024, + "type": "keyword" + }, + "CustomerId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DetectDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "DetectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "DetectName": { + "ignore_above": 1024, + "type": "keyword" + }, + "DeviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "EndTimestamp": { + "type": "date" + }, + "EventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExecutablesWritten": { + "type": "nested" + }, + "FalconHostLink": { + "ignore_above": 1024, + "type": "keyword" + }, + "FileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "FilePath": { + "ignore_above": 1024, + "type": "keyword" + }, + "FineScore": { + "type": "float" + }, + "Flags": { + "properties": { + "Audit": { + "type": "boolean" + }, + "Log": { + "type": "boolean" + }, + "Monitor": { + "type": "boolean" + } + } + }, + "GrandparentCommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "GrandparentImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "HostName": { + "ignore_above": 1024, + "type": "keyword" + }, + "HostnameField": { + "ignore_above": 1024, + "type": "keyword" + }, + "ICMPCode": { + "ignore_above": 1024, + "type": "keyword" + }, + "ICMPType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IOCType": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "IOCValue": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentEndTime": { + "type": "date" + }, + "IncidentStartTime": { + "type": "date" + }, + "Ipv": { + "ignore_above": 1024, + "type": "keyword" + }, + "LateralMovement": { + "type": "long" + }, + "LocalAddress": { + "type": "ip" + }, + "LocalIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "LocalPort": { + "type": "long" + }, + "MACAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "MD5String": { + "ignore_above": 1024, + "type": "keyword" + }, + "MachineDomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "MatchCount": { + "type": "long" + }, + "MatchCountSinceLastReport": { + "type": "long" + }, + "NetworkProfile": { + "ignore_above": 1024, + "type": "keyword" + }, + "Objective": { + "ignore_above": 1024, + "type": "keyword" + }, + "OperationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "PID": { + "type": "long" + }, + "ParentCommandLine": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentImageFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ParentProcessId": { + "type": "long" + }, + "PatternDispositionDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + "PatternDispositionFlags": { + "type": "object" + }, + "PatternDispositionValue": { + "type": "long" + }, + "PolicyID": { + "ignore_above": 1024, + "type": "keyword" + }, + "PolicyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessEndTime": { + "type": "date" + }, + "ProcessId": { + "type": "long" + }, + "ProcessStartTime": { + "type": "date" + }, + "Protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "RemoteAddress": { + "type": "ip" + }, + "RemotePort": { + "type": "long" + }, + "RuleAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleDescription": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"RuleFamilyID": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RuleName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SHA1String": { + "ignore_above": 1024, + "type": "keyword" + }, + "SHA256String": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensorId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ServiceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "type": "long" + }, + "SeverityName": { + "ignore_above": 1024, + "type": "keyword" + }, + "StartTimestamp": { + "type": "date" + }, + "State": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "Success": { + "type": "boolean" + }, + "Tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "Technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "Timestamp": { + "type": "date" + }, + "TreeID": { + "ignore_above": 1024, + "type": "keyword" + }, + "UTCTimestamp": { + "type": "date" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserIp": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "metadata": { + "properties": { + "customerIDString": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventCreationTime": { + "type": "date" + }, + "eventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "offset": { + "type": "long" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" 
+ } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + 
"type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "docker": { + "properties": { + "attrs": { + "type": "object" + }, + "container": { + "properties": { + "labels": { + "type": "object" + } + } + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "elasticsearch": { + "properties": { + "audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "indices": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalidate": { + "properties": { + "apikeys": { + "properties": { + "owned_by_authenticated_user": { + "type": "boolean" + } + } + } + } + }, + "layer": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + }, + "origin": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "params": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"run_as": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "gc": { + "properties": { + "heap": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + }, + "jvm_runtime_sec": { + "type": "float" + }, + "old_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + }, + "phase": { + "properties": { + "class_unload_time_sec": { + "type": "float" + }, + "cpu_time": { + "properties": { + "real_sec": { + "type": "float" + }, + "sys_sec": { + "type": "float" + }, + "user_sec": { + "type": "float" + } + } + }, + "duration_sec": { + "type": "float" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parallel_rescan_time_sec": { + "type": "float" + }, + "scrub_string_table_time_sec": { + "type": "float" + }, + "scrub_symbol_table_time_sec": { + "type": "float" + }, + "weak_refs_processing_time_sec": { + "type": "float" + } + } + }, + "stopping_threads_time_sec": { + "type": "float" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threads_total_stop_time_sec": { + "type": "float" + }, + "young_gen": { + "properties": { + "size_kb": { + "type": "long" + }, + "used_kb": { + "type": "long" + } + } + } + } + }, + "index": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "node": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "gc": { + "properties": { + "collection_duration": { + 
"properties": { + "ms": { + "type": "float" + } + } + }, + "observation_duration": { + "properties": { + "ms": { + "type": "float" + } + } + }, + "overhead_seq": { + "type": "long" + }, + "young": { + "properties": { + "one": { + "type": "long" + }, + "two": { + "type": "long" + } + } + } + } + }, + "stacktrace": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + } + } + }, + "shard": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "extra_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing": { + "ignore_above": 1024, + "type": "keyword" + }, + "search_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "stats": { + "ignore_above": 1024, + "type": "keyword" + }, + "took": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_hits": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_shards": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "envoyproxy": { + "properties": { + "authority": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "upstream_service_time": { + "type": "long" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + 
"type": "text" + }, + "stack_trace": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fields": { + "type": "object" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "fileset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "forcepoint": { + "properties": { + "virus_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fortinet": { + "properties": { + "file": { + "properties": { + "hash": { + "properties": { + "crc32": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "acct_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "acktime": { + "ignore_above": 1024, + "type": "keyword" + }, + "act": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "type": "ip" + }, + "addr_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "adgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "type": "long" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmid": { + "type": "long" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "type": "long" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "type": "ip" + }, + "assignip": { + "type": "ip" + }, + "attachment": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackcontextid": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "type": "long" + }, + "auditid": { + "type": "long" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "authid": { + "ignore_above": 1024, + "type": "keyword" + }, + "authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "banned_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "banword": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "botnetip": { + "type": "ip" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier_ep": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cdrcontent": { + "ignore_above": 1024, + "type": "keyword" + }, + "centralnatid": { + "type": "long" + }, + "cert": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "certhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtxpower": { + "type": "long" + }, + "channel": { + 
"type": "long" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassisid": { + "type": "long" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "chgheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "clouduser": { + "ignore_above": 1024, + "type": "keyword" + }, + "column": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "configcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "conserve": { + "ignore_above": 1024, + "type": "keyword" + }, + "constraint": { + "ignore_above": 1024, + "type": "keyword" + }, + "contentdisarmed": { + "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpu": { + "type": "long" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crl": { + "ignore_above": 1024, + "type": "keyword" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": "long" + }, + "cveid": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "daemon": { + "ignore_above": 1024, + "type": "keyword" + }, + "datarange": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "ddnsserver": { + "type": "ip" + }, + "desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devintfname": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "dintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "ignore_above": 1024, + "type": "keyword" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "docsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthstate": { + "type": "long" + }, + "domainctrlauthtype": { + "type": "long" + }, + "domainctrldomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlip": { + "type": "ip" + }, + "domainctrlname": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "type": "long" + }, + "domainctrlusername": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "domainfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "ds": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstdevtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstinetsvc": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstosversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstunauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eapolcnt": { + "type": "long" + }, + "eapoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "encrypt": { + "type": "long" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "espauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "esptransform": { + "ignore_above": 1024, + "type": "keyword" + }, + "exch": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "expectedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "expiry": { + "ignore_above": 1024, + "type": "keyword" + }, + "fams_pause": { + "type": "long" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "filefilter": { + "ignore_above": 1024, + "type": "keyword" + }, + "filehashsrc": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fortiguardresp": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "frametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "type": "long" + }, + "fsaverdict": { + "ignore_above": 1024, + "type": "keyword" + }, + "fwserver_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "type": "ip" + }, + "green": { + "ignore_above": 1024, + "type": "keyword" + }, + "groupid": { + "type": "long" + }, + "ha-prio": { + "type": "long" + }, + "ha_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hbdn_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "type": "long" + }, + "in_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infected": { + "type": "long" + }, + "infectedfilelevel": { + "type": "long" + }, + "informationsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "intf": { + "ignore_above": 1024, + "type": "keyword" + }, + "invalidmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "iptype": { + "ignore_above": 
1024, + "type": "keyword" + }, + "keyword": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "lease": { + "type": "long" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "limit": { + "type": "long" + }, + "line": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "type": "long" + }, + "local": { + "type": "ip" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "malform_data": { + "type": "long" + }, + "malform_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "meshmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmtcnt": { + "type": "long" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-name": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitor-type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mpsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_status": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "type": "long" + }, + "newchassisid": { + "type": "long" + }, + "newslot": { + "type": "long" + }, + "nextstat": { + "type": "long" + }, + "nf_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "type": "long" + }, + "old_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "type": "long" + }, + "oldchassisid": { + "type": "long" + }, + "oldslot": { + "type": "long" + }, + "oldsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldwprof": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "opercountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "opertxpower": { + "type": "long" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "osversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "passwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase2_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poolname": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "portbegin": { + "type": "long" + }, + "portend": { + "type": "long" + }, + "probeproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "processtime": { + "type": "long" 
+ }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "profilegroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "profiletype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaexceeded": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotatype": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioid": { + "type": "long" + }, + "radioidclosest": { + "type": "long" + }, + "radioiddetected": { + "type": "long" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "type": "long" + }, + "receivedsignature": { + "ignore_above": 1024, + "type": "keyword" + }, + "red": { + "ignore_above": 1024, + "type": "keyword" + }, + "referralurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "type": "ip" + }, + "remotewtptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "reporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "rsso_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruledata": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruletype": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"scanned": { + "type": "long" + }, + "scantime": { + "type": "long" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensitivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "serialno": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "type": "long" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperdroprcvdbyte": { + "type": "long" + }, + "shaperdropsentbyte": { + "type": "long" + }, + "shaperperipdropbyte": { + "type": "long" + }, + "shaperperipname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shaperrcvdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapersentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "shapingpolicyid": { + "type": "long" + }, + "signal": { + "type": "long" + }, + "size": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmeshparent": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_int": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcfamily": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwversion": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "srcinetsvc": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sscname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssllocal": { + "ignore_above": 1024, + "type": "keyword" + }, + "sslremote": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "type": "long" + }, + "stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stitch": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "submodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "subservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "suspicious": { + "type": "long" + }, + "switchproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "tamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "threattype": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "type": "long" + }, + 
"total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "type": "long" + }, + "translationid": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "type": "ip" + }, + "tunnelid": { + "type": "long" + }, + "tunnelip": { + "type": "ip" + }, + "tunneltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "type": "long" + }, + "urlfilteridx": { + "type": "long" + }, + "urlfilterlist": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlsource": { + "ignore_above": 1024, + "type": "keyword" + }, + "urltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "vapmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "vdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendorurl": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusid": { + "type": "long" + }, + "voip_proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntunnel": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "vpntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "vrf": { + "type": "long" + }, + "vulncat": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnid": { + "type": "long" + }, + "vulnname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlid": { + "type": "long" + }, + "vwlquality": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwpvlanid": { + "type": "long" + }, + "wanin": { + "type": "long" + }, + "wanoptapptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanout": { + "type": "long" + }, + "weakwepiv": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthuser": { + "ignore_above": 1024, + "type": "keyword" + }, + "xid": { + "type": "long" + } + } + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "google_workspace": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + 
}, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "distribution": { + "properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "priorities": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + 
} + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + 
"name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + "affected_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "challenge_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_second_factor": { + "type": "boolean" + }, + "is_suspicious": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saml": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"orgunit_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_level_status_code": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + } + } + }, + "googlecloud": { + "properties": { + "audit": { + "properties": { + "authentication_info": { + "properties": { + "authority_selector": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_email": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "num_response_items": { + "type": "long" + }, + "request": { + "properties": { + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_metadata": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_supplied_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_location": { + "properties": { + "current_locations": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "proto_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { 
+ "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "firewall": { + "properties": { + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vpcflow": { + "properties": { + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 
1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gsuite": { + "properties": { + "actor": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "admin": { + "properties": { + "alert": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "api": { + "properties": { + "client": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scopes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application": { + "properties": { + "asp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_order_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "licences_purchased": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bulk_upload": { + "properties": { + "failed": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "chrome_licenses": { + "properties": { + "allowed": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chrome_os": { + "properties": { + "session_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device": { + "properties": { + "command_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "distribution": { + 
"properties": { + "entity": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "secondary_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "log_search_filter": { + "properties": { + "end_date": { + "type": "date" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "ip": { + "type": "ip" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_date": { + "type": "date" + } + } + }, + "quarantine_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_dump": { + "properties": { + "include_deleted": { + "type": "boolean" + }, + "package_content": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email_monitor": { + "properties": { + "dest_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "properties": { + "chat": { + "ignore_above": 1024, + "type": "keyword" + }, + "draft": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming": { + "ignore_above": 1024, + "type": "keyword" + }, + "outgoing": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group": { + "properties": { + "allowed_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "priorities": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "info_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "managed_configuration": { + "ignore_above": 1024, + "type": "keyword" + }, + "mdm": { + "properties": { + "token": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile": { + "properties": { + "action": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "certificate": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "company_owned_devices": { + "type": "long" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_featured_services_selection": { + "ignore_above": 1024, + "type": "keyword" + }, + "oauth2": { + "properties": { + "application": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_unit": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "print_server": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "printer": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "privilege": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "role": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "setting": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "birthdate": { + "type": "date" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "nickname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_defined_setting": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "verification_method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "drive": { + "properties": { + "added_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "billable": { + "type": "boolean" + }, + "destination_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_shared_drive": { + "type": "boolean" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "membership_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_visibility": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "originating_app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_event": { + "type": "boolean" + }, + "removed_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_drive_settings_change_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sheets_import_range_recipient_doc": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_folder_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility": { + "ignore_above": 1024, + "type": "keyword" + }, + "visibility_change": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "groups": { + "properties": { + "acl_permission": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "member": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "moderation_action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { + "properties": { + "affected_email_address": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "challenge_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_second_factor": { + "type": "boolean" + }, + "is_suspicious": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saml": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "orgunit_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_level_status_code": { + "type": "long" + }, + "status_code": { + "type": "long" + } + } + } + } + }, + "haproxy": { + "properties": { + "backend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_queue": { + "type": "long" + }, + "bind_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_read": { + "type": "long" + }, + "connection_wait_time_ms": { + "type": "long" + }, + "connections": { + "properties": { + "active": { + "type": "long" + }, + "backend": { + "type": "long" + }, + "frontend": { + "type": "long" + }, + "retries": { + "type": "long" + }, + "server": { + "type": "long" + } + } + }, + "error_message": { + "norms": false, + "type": "text" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "request": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_request_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_wait_ms": { + "type": "long" + }, + "time_wait_without_data_ms": { + "type": "long" + } + } + }, + "response": { + "properties": { + "captured_cookie": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "captured_headers": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_queue": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp": { + "properties": { + "connection_waiting_time_ms": { + "type": "long" + } + } + }, + "termination_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_backend_connect": { + "type": "long" + }, + "time_queue": { + "type": "long" + }, + "total_waiting_time_ms": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "containerized": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + 
"properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "method": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ibmmq": { + "properties": { + "errorlog": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "arithinsert": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "commentinsert": { + "ignore_above": 1024, + "type": "keyword" + }, + "errordescription": { + "norms": false, + "type": "text" + }, + "explanation": { + "ignore_above": 1024, + "type": "keyword" + }, + "installation": { + "ignore_above": 1024, + "type": "keyword" + }, + "qmgr": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "icinga": { + "properties": { + "debug": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "main": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "startup": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "icmp": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "igmp": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iis": { + "properties": { + "access": { + "properties": { + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_status": { + "type": "long" + }, + "win32_status": { + "type": "long" + } + } + }, + "error": { + "properties": { + "queue_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iptables": { + "properties": { + "ether_type": { + "type": "long" + }, + "flow_label": { + "type": "long" + }, + "fragment_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment_offset": { + "type": "long" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "id": { + "type": "long" + }, + "parameter": { + "type": "long" + }, + "redirect": { + "type": "ip" + }, + "seq": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "incomplete_bytes": { + "type": "long" + }, + "input_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "output_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "precedence_bits": { + "type": "short" + }, + "tcp": { + "properties": { + "ack": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "reserved_bits": { + "type": "short" + }, + "seq": { + "type": "long" + }, + "window": { + "type": "long" + } + } + }, + "tos": { + "type": "long" + }, + "ttl": { + "type": "long" + }, + "ubiquiti": { + "properties": { + "input_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"rule_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_set": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "udp": { + "properties": { + "length": { + "type": "long" + } + } + } + } + }, + "jolokia": { + "properties": { + "agent": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "secured": { + "type": "boolean" + }, + "server": { + "properties": { + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "juniper": { + "properties": { + "srx": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "apbr_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_characteristics": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "type": "ip" + }, + "connection_hit_rate": { + "type": "long" + }, + "connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_hit_rate": { + "type": "long" + }, + "context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_value_hit_rate": { + "type": "long" + }, + 
"ddos_application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dscp_value": { + "type": "long" + }, + "dst_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed_time": { + "type": "date" + }, + "encrypted": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch_time": { + "type": "date" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "export_id": { + "type": "long" + }, + "feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_hash_lookup": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "type": "long" + }, + "inbound_bytes": { + "type": "long" + }, + "inbound_packets": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "logical_system_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_connection_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "nested_application": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "occur_count": { + "type": "long" + }, + "outbound_bytes": { + "type": "long" + }, + "outbound_packets": { + "type": "long" + }, + "packet_log_id": { + "type": "long" + }, + 
"peer_destination_address": { + "type": "ip" + }, + "peer_destination_port": { + "type": "long" + }, + "peer_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_source_address": { + "type": "ip" + }, + "peer_source_port": { + "type": "long" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "repeat_count": { + "type": "long" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleebase_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sample_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "secure_web_proxy_session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id_32": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_nat_rule_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_vrf_grp": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "temporary_filename": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "th": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_count": { + "type": "long" + }, + "time_period": { + "type": "long" + }, + "time_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uplink_rx_bytes": { + "type": "long" + }, + "uplink_tx_bytes": { + "type": "long" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "verdict_number": { + "type": "long" + }, + "verdict_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "kafka": { + "properties": { + "block_timestamp": { + "type": "date" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "ignore_above": 1024, + "type": "keyword" + }, + "trace": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "norms": false, + "type": "text" + } + } + } + } + }, + "offset": { + "type": "long" + }, + "partition": { + "type": "long" + }, + "topic": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kibana": { + "properties": { + "add_to_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delete_from_spaces": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "properties": { + "meta": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lookup_realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved_object": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "space_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes": { + "properties": { + "annotations": { + "properties": { + "*": { + "type": "object" + } + } + }, + "container": { + "properties": { + "image": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "deployment": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "properties": { + "*": { + "type": "object" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pod": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "replicaset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service": { + "properties": { + "selectors": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "statefulset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "offset": { + "type": "long" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "original": { + "ignore_above": 1024, + "index": false, + "type": "keyword" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "priority": { + "type": "long" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "logstash": { + "properties": { + "log": { + "properties": { + "log_event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "pipeline_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "event": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "plugin_params_object": { + "type": "object" + }, + "plugin_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "took_in_millis": { + "type": "long" + } + 
} + } + } + }, + "message": { + "norms": false, + "type": "text" + }, + "microsoft": { + "properties": { + "defender_atp": { + "properties": { + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "aadUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "type": "ip" + }, + "userPrincipalName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdateTime": { + "type": "date" + }, + "rbacGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "m365_defender": { + "properties": { + "alerts": { + "properties": { + "actorName": { + "ignore_above": 1024, + "type": "keyword" + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "creationTime": { + "type": "date" + }, + "detectionSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "devices": { + "type": "flattened" + }, + "entities": { + "properties": { + "accountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "clusterBy": { + "ignore_above": 1024, + "type": "keyword" + }, + "deliveryAction": { + "ignore_above": 
1024, + "type": "keyword" + }, + "deviceId": { + "ignore_above": 1024, + "type": "keyword" + }, + "entityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailboxDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryHive": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "registryValueType": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "sender": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastUpdatedTime": { + "type": "date" + }, + "mitreTechniques": { + "ignore_above": 1024, + "type": "keyword" + }, + "resolvedTime": { + "type": "date" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatFamilyName": { + "ignore_above": 1024, + "type": "keyword" + }, + "userSid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "assignedTo": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "determination": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentName": { + "ignore_above": 1024, + "type": "keyword" + }, + "investigationState": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"redirectIncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "misp": { + "properties": { + "attack_pattern": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "campaign": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "objective": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "course_of_action": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "contact_information": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sectors": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "intrusion_set": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "first_seen": { + "type": "date" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen": 
{ + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "note": { + "properties": { + "authors": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "observed_data": { + "properties": { + "first_observed": { + "type": "date" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed": { + "type": "date" + }, + "number_observed": { + "type": "long" + }, + "objects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "report": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_refs": { + "norms": false, + "type": "text" + }, + "published": { + "type": "date" + } + } + }, + "threat_actor": { + "properties": { + "aliases": { + "norms": false, + "type": "text" + }, + "description": { + "norms": false, + "type": "text" + }, + "goals": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_motivations": { + "norms": false, + "type": "text" + }, + "primary_motivation": { + "norms": false, + "type": "text" + }, + "resource_level": { + "norms": false, + "type": "text" + }, + "roles": { + "norms": false, + "type": "text" + }, + "secondary_motivations": { + "norms": false, + "type": "text" + }, + "sophistication": { + "norms": false, + "type": "text" + } + } + }, + "threat_indicator": { + "properties": { + "attack_pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_pattern_kql": { + "ignore_above": 1024, + "type": "keyword" + }, + "campaign": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "norms": false, + "type": "text" + }, + "feed": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "intrusion_set": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_tactic": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitre_technique": { + "ignore_above": 1024, + "type": "keyword" + }, + "negate": { + "type": "boolean" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_actor": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid_from": { + "type": "date" + }, + "valid_until": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kill_chain_phases": { + "norms": false, + "type": "text" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 
1024, + "type": "keyword" + }, + "tool_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "description": { + "norms": false, + "type": "text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mongodb": { + "properties": { + "log": { + "properties": { + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mssql": { + "properties": { + "log": { + "properties": { + "origin": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "mysql": { + "properties": { + "slowlog": { + "properties": { + "bytes_received": { + "type": "long" + }, + "bytes_sent": { + "type": "long" + }, + "current_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesort": { + "type": "boolean" + }, + "filesort_on_disk": { + "type": "boolean" + }, + "full_join": { + "type": "boolean" + }, + "full_scan": { + "type": "boolean" + }, + "innodb": { + "properties": { + "io_r_bytes": { + "type": "long" + }, + "io_r_ops": { + "type": "long" + }, + "io_r_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "pages_distinct": { + "type": "long" + }, + "queue_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "rec_lock_wait": { + "properties": { + "sec": { + "type": "long" + } + } + }, + "trx_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "killed": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_errno": { + "ignore_above": 1024, + "type": "keyword" + }, + "lock_time": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "log_slow_rate_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_slow_rate_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "merge_passes": { + "type": "long" + }, + "priority_queue": { + "type": "boolean" + }, + "query": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "query_cache_hit": { + "type": "boolean" + }, + "read_first": { + "type": "long" + }, + "read_key": { + "type": "long" + }, + "read_last": { + "type": "long" + }, + "read_next": { + "type": "long" + }, + "read_prev": { + "type": "long" + }, + "read_rnd": { + "type": "long" + }, + "read_rnd_next": { + "type": "long" + }, + "rows_affected": { + "type": "long" + }, + "rows_examined": { + "type": "long" + }, + "rows_sent": { + "type": "long" + }, + "schema": { + "ignore_above": 1024, + "type": "keyword" + }, + "sort_merge_passes": { + "type": "long" + }, + "sort_range_count": { + "type": "long" + }, + "sort_rows": { + "type": "long" + }, + "sort_scan_count": { + "type": "long" + }, + "tmp_disk_tables": { + "type": "long" + }, + "tmp_table": { + "type": "boolean" + }, + "tmp_table_on_disk": { + "type": "boolean" + }, + "tmp_table_sizes": { + "type": "long" + }, + "tmp_tables": { + "type": "long" + } + } + }, + "thread_id": { + "type": "long" + } + } + }, + "mysqlenterprise": { + "properties": { + "audit": { + "properties": { + "account": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_data": { + "properties": { + "connection_attributes": { + "type": "flattened" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "db": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "type": "long" + } + } + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "general_data": { + "properties": { + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "sql_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "login": { 
+ "properties": { + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "shutdown_data": { + "properties": { + "server_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "startup_data": { + "properties": { + "mysql_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "table_access_data": { + "properties": { + "db": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "sql_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "table": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "nats": { + "properties": { + "log": { + "properties": { + "client": { + "properties": { + "id": { + "type": "long" + } + } + }, + "msg": { + "properties": { + "bytes": { + "type": "long" + }, + "error": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "max_messages": { + "type": "long" + }, + "queue_group": { + "norms": false, + "type": "text" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "type": "long" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "netflow": { + "properties": { + "absolute_error": { + "type": "double" + }, + "address_pool_high_threshold": { + "type": "long" + }, + "address_pool_low_threshold": { + "type": "long" + }, + "address_port_mapping_high_threshold": { + "type": "long" + }, + "address_port_mapping_low_threshold": { + "type": "long" + }, + "address_port_mapping_per_user_high_threshold": { + "type": "long" + }, + "anonymization_flags": { + "type": "long" + }, + "anonymization_technique": { + "type": "long" + }, + "application_category_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "application_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_group_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_id": { + "type": "short" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_sub_category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bgp_destination_as_number": { + "type": "long" + }, + "bgp_next_adjacent_as_number": { + "type": "long" + }, + "bgp_next_hop_ipv4_address": { + "type": "ip" + }, + "bgp_next_hop_ipv6_address": { + "type": "ip" + }, + "bgp_prev_adjacent_as_number": { + "type": "long" + }, + "bgp_source_as_number": { + "type": "long" + }, + "bgp_validity_state": { + "type": "short" + }, + "biflow_direction": { + "type": "short" + }, + "class_id": { + "type": "long" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_engine_id": { + "type": "short" + }, + "collection_time_milliseconds": { + "type": "date" + }, + "collector_certificate": { + "type": "short" + }, + "collector_ipv4_address": { + "type": "ip" + }, + "collector_ipv6_address": { + "type": "ip" + }, + "collector_transport_port": { + "type": "long" + }, + "common_properties_id": { + "type": "long" + }, + "confidence_level": { + "type": "double" + }, + "connection_sum_duration_seconds": { + "type": "long" + }, + "connection_transaction_id": { + "type": "long" + }, + "data_link_frame_section": { + "type": "short" + }, + "data_link_frame_size": { + "type": "long" + }, + "data_link_frame_type": { + "type": "long" + }, + "data_records_reliability": { + "type": "boolean" + }, + "delta_flow_count": { + "type": "long" + }, + "destination_ipv4_address": { + "type": "ip" + }, + "destination_ipv4_prefix": { + "type": "ip" + }, + "destination_ipv4_prefix_length": { + "type": "short" + }, + "destination_ipv6_address": { + "type": "ip" + }, + "destination_ipv6_prefix": { + "type": "ip" + }, + 
"destination_ipv6_prefix_length": { + "type": "short" + }, + "destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_transport_port": { + "type": "long" + }, + "digest_hash_value": { + "type": "long" + }, + "distinct_count_of_destination_ip_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv4_address": { + "type": "long" + }, + "distinct_count_of_destination_ipv6_address": { + "type": "long" + }, + "distinct_count_of_source_ip_address": { + "type": "long" + }, + "distinct_count_of_source_ipv4_address": { + "type": "long" + }, + "distinct_count_of_source_ipv6_address": { + "type": "long" + }, + "dot1q_customer_dei": { + "type": "boolean" + }, + "dot1q_customer_destination_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_priority": { + "type": "short" + }, + "dot1q_customer_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "dot1q_customer_vlan_id": { + "type": "long" + }, + "dot1q_dei": { + "type": "boolean" + }, + "dot1q_priority": { + "type": "short" + }, + "dot1q_service_instance_id": { + "type": "long" + }, + "dot1q_service_instance_priority": { + "type": "short" + }, + "dot1q_service_instance_tag": { + "type": "short" + }, + "dot1q_vlan_id": { + "type": "long" + }, + "dropped_layer2_octet_delta_count": { + "type": "long" + }, + "dropped_layer2_octet_total_count": { + "type": "long" + }, + "dropped_octet_delta_count": { + "type": "long" + }, + "dropped_octet_total_count": { + "type": "long" + }, + "dropped_packet_delta_count": { + "type": "long" + }, + "dropped_packet_total_count": { + "type": "long" + }, + "dst_traffic_index": { + "type": "long" + }, + "egress_broadcast_packet_total_count": { + "type": "long" + }, + "egress_interface": { + "type": "long" + }, + "egress_interface_type": { + "type": "long" + }, + "egress_physical_interface": { + "type": "long" + }, + "egress_unicast_packet_total_count": { + "type": "long" + }, + "egress_vrfid": { + 
"type": "long" + }, + "encrypted_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_id": { + "type": "short" + }, + "engine_type": { + "type": "short" + }, + "ethernet_header_length": { + "type": "short" + }, + "ethernet_payload_length": { + "type": "long" + }, + "ethernet_total_length": { + "type": "long" + }, + "ethernet_type": { + "type": "long" + }, + "export_interface": { + "type": "long" + }, + "export_protocol_version": { + "type": "short" + }, + "export_sctp_stream_id": { + "type": "long" + }, + "export_transport_protocol": { + "type": "short" + }, + "exported_flow_record_total_count": { + "type": "long" + }, + "exported_message_total_count": { + "type": "long" + }, + "exported_octet_total_count": { + "type": "long" + }, + "exporter": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uptime_millis": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "exporter_certificate": { + "type": "short" + }, + "exporter_ipv4_address": { + "type": "ip" + }, + "exporter_ipv6_address": { + "type": "ip" + }, + "exporter_transport_port": { + "type": "long" + }, + "exporting_process_id": { + "type": "long" + }, + "external_address_realm": { + "type": "short" + }, + "firewall_event": { + "type": "short" + }, + "flags_and_sampler_id": { + "type": "long" + }, + "flow_active_timeout": { + "type": "long" + }, + "flow_direction": { + "type": "short" + }, + "flow_duration_microseconds": { + "type": "long" + }, + "flow_duration_milliseconds": { + "type": "long" + }, + "flow_end_delta_microseconds": { + "type": "long" + }, + "flow_end_microseconds": { + "type": "date" + }, + "flow_end_milliseconds": { + "type": "date" + }, + "flow_end_nanoseconds": { + "type": "date" + }, + "flow_end_reason": { + "type": "short" + }, + "flow_end_seconds": { + "type": "date" + }, + "flow_end_sys_up_time": { + "type": "long" + }, + "flow_id": { + 
"type": "long" + }, + "flow_idle_timeout": { + "type": "long" + }, + "flow_key_indicator": { + "type": "long" + }, + "flow_label_ipv6": { + "type": "long" + }, + "flow_sampling_time_interval": { + "type": "long" + }, + "flow_sampling_time_spacing": { + "type": "long" + }, + "flow_selected_flow_delta_count": { + "type": "long" + }, + "flow_selected_octet_delta_count": { + "type": "long" + }, + "flow_selected_packet_delta_count": { + "type": "long" + }, + "flow_selector_algorithm": { + "type": "long" + }, + "flow_start_delta_microseconds": { + "type": "long" + }, + "flow_start_microseconds": { + "type": "date" + }, + "flow_start_milliseconds": { + "type": "date" + }, + "flow_start_nanoseconds": { + "type": "date" + }, + "flow_start_seconds": { + "type": "date" + }, + "flow_start_sys_up_time": { + "type": "long" + }, + "forwarding_status": { + "type": "short" + }, + "fragment_flags": { + "type": "short" + }, + "fragment_identification": { + "type": "long" + }, + "fragment_offset": { + "type": "long" + }, + "global_address_mapping_high_threshold": { + "type": "long" + }, + "gre_key": { + "type": "long" + }, + "hash_digest_output": { + "type": "boolean" + }, + "hash_flow_domain": { + "type": "long" + }, + "hash_initialiser_value": { + "type": "long" + }, + "hash_ip_payload_offset": { + "type": "long" + }, + "hash_ip_payload_size": { + "type": "long" + }, + "hash_output_range_max": { + "type": "long" + }, + "hash_output_range_min": { + "type": "long" + }, + "hash_selected_range_max": { + "type": "long" + }, + "hash_selected_range_min": { + "type": "long" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_message_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_reason_phrase": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_request_target": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "http_status_code": { + "type": "long" + }, + "http_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code_ipv4": { + "type": "short" + }, + "icmp_code_ipv6": { + "type": "short" + }, + "icmp_type_code_ipv4": { + "type": "long" + }, + "icmp_type_code_ipv6": { + "type": "long" + }, + "icmp_type_ipv4": { + "type": "short" + }, + "icmp_type_ipv6": { + "type": "short" + }, + "igmp_type": { + "type": "short" + }, + "ignored_data_record_total_count": { + "type": "long" + }, + "ignored_layer2_frame_total_count": { + "type": "long" + }, + "ignored_layer2_octet_total_count": { + "type": "long" + }, + "ignored_octet_total_count": { + "type": "long" + }, + "ignored_packet_total_count": { + "type": "long" + }, + "information_element_data_type": { + "type": "short" + }, + "information_element_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_id": { + "type": "long" + }, + "information_element_index": { + "type": "long" + }, + "information_element_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "information_element_range_begin": { + "type": "long" + }, + "information_element_range_end": { + "type": "long" + }, + "information_element_semantics": { + "type": "short" + }, + "information_element_units": { + "type": "long" + }, + "ingress_broadcast_packet_total_count": { + "type": "long" + }, + "ingress_interface": { + "type": "long" + }, + "ingress_interface_type": { + "type": "long" + }, + "ingress_multicast_packet_total_count": { + "type": "long" + }, + "ingress_physical_interface": { + "type": "long" + }, + "ingress_unicast_packet_total_count": { + "type": "long" + }, + "ingress_vrfid": { + "type": "long" + }, + "initiator_octets": { + "type": "long" + }, + "initiator_packets": { + "type": "long" + }, + "interface_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"intermediate_process_id": { + "type": "long" + }, + "internal_address_realm": { + "type": "short" + }, + "ip_class_of_service": { + "type": "short" + }, + "ip_diff_serv_code_point": { + "type": "short" + }, + "ip_header_length": { + "type": "short" + }, + "ip_header_packet_section": { + "type": "short" + }, + "ip_next_hop_ipv4_address": { + "type": "ip" + }, + "ip_next_hop_ipv6_address": { + "type": "ip" + }, + "ip_payload_length": { + "type": "long" + }, + "ip_payload_packet_section": { + "type": "short" + }, + "ip_precedence": { + "type": "short" + }, + "ip_sec_spi": { + "type": "long" + }, + "ip_total_length": { + "type": "long" + }, + "ip_ttl": { + "type": "short" + }, + "ip_version": { + "type": "short" + }, + "ipv4_ihl": { + "type": "short" + }, + "ipv4_options": { + "type": "long" + }, + "ipv4_router_sc": { + "type": "ip" + }, + "ipv6_extension_headers": { + "type": "long" + }, + "is_multicast": { + "type": "short" + }, + "layer2_frame_delta_count": { + "type": "long" + }, + "layer2_frame_total_count": { + "type": "long" + }, + "layer2_octet_delta_count": { + "type": "long" + }, + "layer2_octet_delta_sum_of_squares": { + "type": "long" + }, + "layer2_octet_total_count": { + "type": "long" + }, + "layer2_octet_total_sum_of_squares": { + "type": "long" + }, + "layer2_segment_id": { + "type": "long" + }, + "layer2packet_section_data": { + "type": "short" + }, + "layer2packet_section_offset": { + "type": "long" + }, + "layer2packet_section_size": { + "type": "long" + }, + "line_card_id": { + "type": "long" + }, + "lower_ci_limit": { + "type": "double" + }, + "max_bib_entries": { + "type": "long" + }, + "max_entries_per_user": { + "type": "long" + }, + "max_export_seconds": { + "type": "date" + }, + "max_flow_end_microseconds": { + "type": "date" + }, + "max_flow_end_milliseconds": { + "type": "date" + }, + "max_flow_end_nanoseconds": { + "type": "date" + }, + "max_flow_end_seconds": { + "type": "date" + }, + "max_fragments_pending_reassembly": { + "type": 
"long" + }, + "max_session_entries": { + "type": "long" + }, + "max_subscribers": { + "type": "long" + }, + "maximum_ip_total_length": { + "type": "long" + }, + "maximum_layer2_total_length": { + "type": "long" + }, + "maximum_ttl": { + "type": "short" + }, + "message_md5_checksum": { + "type": "short" + }, + "message_scope": { + "type": "short" + }, + "metering_process_id": { + "type": "long" + }, + "metro_evc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "metro_evc_type": { + "type": "short" + }, + "mib_capture_time_semantics": { + "type": "short" + }, + "mib_context_engine_id": { + "type": "short" + }, + "mib_context_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_index_indicator": { + "type": "long" + }, + "mib_module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_identifier": { + "type": "short" + }, + "mib_object_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_syntax": { + "ignore_above": 1024, + "type": "keyword" + }, + "mib_object_value_bits": { + "type": "short" + }, + "mib_object_value_counter": { + "type": "long" + }, + "mib_object_value_gauge": { + "type": "long" + }, + "mib_object_value_integer": { + "type": "long" + }, + "mib_object_value_ip_address": { + "type": "ip" + }, + "mib_object_value_octet_string": { + "type": "short" + }, + "mib_object_value_oid": { + "type": "short" + }, + "mib_object_value_time_ticks": { + "type": "long" + }, + "mib_object_value_unsigned": { + "type": "long" + }, + "mib_sub_identifier": { + "type": "long" + }, + "min_export_seconds": { + "type": "date" + }, + "min_flow_start_microseconds": { + "type": "date" + }, + "min_flow_start_milliseconds": { + "type": "date" + }, + "min_flow_start_nanoseconds": { + "type": "date" + }, + "min_flow_start_seconds": { + "type": "date" + }, + "minimum_ip_total_length": { + "type": "long" + }, + "minimum_layer2_total_length": { + 
"type": "long" + }, + "minimum_ttl": { + "type": "short" + }, + "mobile_imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_msisdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "monitoring_interval_end_milli_seconds": { + "type": "date" + }, + "monitoring_interval_start_milli_seconds": { + "type": "date" + }, + "mpls_label_stack_depth": { + "type": "long" + }, + "mpls_label_stack_length": { + "type": "long" + }, + "mpls_label_stack_section": { + "type": "short" + }, + "mpls_label_stack_section10": { + "type": "short" + }, + "mpls_label_stack_section2": { + "type": "short" + }, + "mpls_label_stack_section3": { + "type": "short" + }, + "mpls_label_stack_section4": { + "type": "short" + }, + "mpls_label_stack_section5": { + "type": "short" + }, + "mpls_label_stack_section6": { + "type": "short" + }, + "mpls_label_stack_section7": { + "type": "short" + }, + "mpls_label_stack_section8": { + "type": "short" + }, + "mpls_label_stack_section9": { + "type": "short" + }, + "mpls_payload_length": { + "type": "long" + }, + "mpls_payload_packet_section": { + "type": "short" + }, + "mpls_top_label_exp": { + "type": "short" + }, + "mpls_top_label_ipv4_address": { + "type": "ip" + }, + "mpls_top_label_ipv6_address": { + "type": "ip" + }, + "mpls_top_label_prefix_length": { + "type": "short" + }, + "mpls_top_label_stack_section": { + "type": "short" + }, + "mpls_top_label_ttl": { + "type": "short" + }, + "mpls_top_label_type": { + "type": "short" + }, + "mpls_vpn_route_distinguisher": { + "type": "short" + }, + "multicast_replication_factor": { + "type": "long" + }, + "nat_event": { + "type": "short" + }, + "nat_instance_id": { + "type": "long" + }, + "nat_originating_address_realm": { + "type": "short" + }, + "nat_pool_id": { + "type": "long" + }, + "nat_pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_quota_exceeded_event": { + "type": "long" + }, + "nat_threshold_event": { + "type": "long" + }, + "nat_type": { + "type": "short" + }, 
+ "new_connection_delta_count": { + "type": "long" + }, + "next_header_ipv6": { + "type": "short" + }, + "not_sent_flow_total_count": { + "type": "long" + }, + "not_sent_layer2_octet_total_count": { + "type": "long" + }, + "not_sent_octet_total_count": { + "type": "long" + }, + "not_sent_packet_total_count": { + "type": "long" + }, + "observation_domain_id": { + "type": "long" + }, + "observation_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observation_point_id": { + "type": "long" + }, + "observation_point_type": { + "type": "short" + }, + "observation_time_microseconds": { + "type": "date" + }, + "observation_time_milliseconds": { + "type": "date" + }, + "observation_time_nanoseconds": { + "type": "date" + }, + "observation_time_seconds": { + "type": "date" + }, + "observed_flow_total_count": { + "type": "long" + }, + "octet_delta_count": { + "type": "long" + }, + "octet_delta_sum_of_squares": { + "type": "long" + }, + "octet_total_count": { + "type": "long" + }, + "octet_total_sum_of_squares": { + "type": "long" + }, + "opaque_octets": { + "type": "short" + }, + "original_exporter_ipv4_address": { + "type": "ip" + }, + "original_exporter_ipv6_address": { + "type": "ip" + }, + "original_flows_completed": { + "type": "long" + }, + "original_flows_initiated": { + "type": "long" + }, + "original_flows_present": { + "type": "long" + }, + "original_observation_domain_id": { + "type": "long" + }, + "p2p_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_delta_count": { + "type": "long" + }, + "packet_total_count": { + "type": "long" + }, + "padding_octets": { + "type": "short" + }, + "payload_length_ipv6": { + "type": "long" + }, + "port_id": { + "type": "long" + }, + "port_range_end": { + "type": "long" + }, + "port_range_num_ports": { + "type": "long" + }, + "port_range_start": { + "type": "long" + }, + "port_range_step_size": { + "type": "long" + }, + "post_destination_mac_address": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "post_dot1q_customer_vlan_id": { + "type": "long" + }, + "post_dot1q_vlan_id": { + "type": "long" + }, + "post_ip_class_of_service": { + "type": "short" + }, + "post_ip_diff_serv_code_point": { + "type": "short" + }, + "post_ip_precedence": { + "type": "short" + }, + "post_layer2_octet_delta_count": { + "type": "long" + }, + "post_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_layer2_octet_delta_count": { + "type": "long" + }, + "post_mcast_layer2_octet_total_count": { + "type": "long" + }, + "post_mcast_octet_delta_count": { + "type": "long" + }, + "post_mcast_octet_total_count": { + "type": "long" + }, + "post_mcast_packet_delta_count": { + "type": "long" + }, + "post_mcast_packet_total_count": { + "type": "long" + }, + "post_mpls_top_label_exp": { + "type": "short" + }, + "post_napt_destination_transport_port": { + "type": "long" + }, + "post_napt_source_transport_port": { + "type": "long" + }, + "post_nat_destination_ipv4_address": { + "type": "ip" + }, + "post_nat_destination_ipv6_address": { + "type": "ip" + }, + "post_nat_source_ipv4_address": { + "type": "ip" + }, + "post_nat_source_ipv6_address": { + "type": "ip" + }, + "post_octet_delta_count": { + "type": "long" + }, + "post_octet_total_count": { + "type": "long" + }, + "post_packet_delta_count": { + "type": "long" + }, + "post_packet_total_count": { + "type": "long" + }, + "post_source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "post_vlan_id": { + "type": "long" + }, + "private_enterprise_number": { + "type": "long" + }, + "protocol_identifier": { + "type": "short" + }, + "pseudo_wire_control_word": { + "type": "long" + }, + "pseudo_wire_destination_ipv4_address": { + "type": "ip" + }, + "pseudo_wire_id": { + "type": "long" + }, + "pseudo_wire_type": { + "type": "long" + }, + "relative_error": { + "type": "double" + }, + "responder_octets": { + "type": "long" + }, + "responder_packets": { + "type": "long" + }, + "rfc3550_jitter_microseconds": { 
+ "type": "long" + }, + "rfc3550_jitter_milliseconds": { + "type": "long" + }, + "rfc3550_jitter_nanoseconds": { + "type": "long" + }, + "rtp_sequence_number": { + "type": "long" + }, + "sampler_id": { + "type": "short" + }, + "sampler_mode": { + "type": "short" + }, + "sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sampler_random_interval": { + "type": "long" + }, + "sampling_algorithm": { + "type": "short" + }, + "sampling_flow_interval": { + "type": "long" + }, + "sampling_flow_spacing": { + "type": "long" + }, + "sampling_interval": { + "type": "long" + }, + "sampling_packet_interval": { + "type": "long" + }, + "sampling_packet_space": { + "type": "long" + }, + "sampling_population": { + "type": "long" + }, + "sampling_probability": { + "type": "double" + }, + "sampling_size": { + "type": "long" + }, + "sampling_time_interval": { + "type": "long" + }, + "sampling_time_space": { + "type": "long" + }, + "section_exported_octets": { + "type": "long" + }, + "section_offset": { + "type": "long" + }, + "selection_sequence_id": { + "type": "long" + }, + "selector_algorithm": { + "type": "long" + }, + "selector_id": { + "type": "long" + }, + "selector_id_total_flows_observed": { + "type": "long" + }, + "selector_id_total_flows_selected": { + "type": "long" + }, + "selector_id_total_pkts_observed": { + "type": "long" + }, + "selector_id_total_pkts_selected": { + "type": "long" + }, + "selector_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_scope": { + "type": "short" + }, + "source_ipv4_address": { + "type": "ip" + }, + "source_ipv4_prefix": { + "type": "ip" + }, + "source_ipv4_prefix_length": { + "type": "short" + }, + "source_ipv6_address": { + "type": "ip" + }, + "source_ipv6_prefix": { + "type": "ip" + }, + "source_ipv6_prefix_length": { + "type": "short" + }, + "source_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_transport_port": { + "type": "long" + }, + "source_transport_ports_limit": { + 
"type": "long" + }, + "src_traffic_index": { + "type": "long" + }, + "sta_ipv4_address": { + "type": "ip" + }, + "sta_mac_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_init_time_milliseconds": { + "type": "date" + }, + "tcp_ack_total_count": { + "type": "long" + }, + "tcp_acknowledgement_number": { + "type": "long" + }, + "tcp_control_bits": { + "type": "long" + }, + "tcp_destination_port": { + "type": "long" + }, + "tcp_fin_total_count": { + "type": "long" + }, + "tcp_header_length": { + "type": "short" + }, + "tcp_options": { + "type": "long" + }, + "tcp_psh_total_count": { + "type": "long" + }, + "tcp_rst_total_count": { + "type": "long" + }, + "tcp_sequence_number": { + "type": "long" + }, + "tcp_source_port": { + "type": "long" + }, + "tcp_syn_total_count": { + "type": "long" + }, + "tcp_urg_total_count": { + "type": "long" + }, + "tcp_urgent_pointer": { + "type": "long" + }, + "tcp_window_scale": { + "type": "long" + }, + "tcp_window_size": { + "type": "long" + }, + "template_id": { + "type": "long" + }, + "total_length_ipv4": { + "type": "long" + }, + "transport_octet_delta_count": { + "type": "long" + }, + "transport_packet_delta_count": { + "type": "long" + }, + "tunnel_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "udp_destination_port": { + "type": "long" + }, + "udp_message_length": { + "type": "long" + }, + "udp_source_port": { + "type": "long" + }, + "upper_ci_limit": { + "type": "double" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value_distribution_method": { + "type": "short" + }, + "virtual_station_interface_id": { + "type": "short" + }, + "virtual_station_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_station_uuid": { + "type": "short" + }, + "vlan_id": { + "type": "long" + }, + "vpn_identifier": { + 
"type": "short" + }, + "vr_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel_id": { + "type": "short" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wtp_mac_address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "interface": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "nginx": { + "properties": { + "error": { + "properties": { + "connection_id": { + "type": "long" + } + } + }, + "ingress_controller": { + "properties": { + "http": { + "properties": { + "request": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "time": { + "type": "double" + } + } + } + } + }, + "upstream": { + "properties": { + "alternative_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + 
"type": "long" + }, + "response": { + "properties": { + "length": { + "type": "long" + }, + "length_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + }, + "status_code_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "double" + }, + "time_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "upstream_address_list": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "o365": { + "properties": { + "audit": { + "properties": { + "AADGroupId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorIpAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ActorYammerUserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertEntityId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AlertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "AppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationDisplayName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ApplicationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "AzureActiveDirectoryEventType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientAppId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientIPAddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ClientInfoString": { + "ignore_above": 1024, + "type": "keyword" + }, + "Comments": { + "norms": false, + "type": "text" + }, + "CommunicationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "CorrelationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "CreationTime": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "CustomUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Data": { + "ignore_above": 1024, + "type": "keyword" + }, + "DataType": { + "ignore_above": 1024, + "type": "keyword" + }, + "DoNotDistributeEvent": { + "type": "boolean" + }, + "EntityType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ErrorNumber": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventData": { + "ignore_above": 1024, + "type": "keyword" + }, + "EventSource": { + "ignore_above": 1024, + "type": "keyword" + }, + "ExceptionInfo": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExchangeMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExtendedProperties": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ExternalAccess": { + "ignore_above": 1024, + "type": "keyword" + }, + "FromApp": { + "type": "boolean" + }, + "GroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "Id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImplicitShare": { + "ignore_above": 1024, + "type": "keyword" + }, + "IncidentId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InterSystemsId": { + "ignore_above": 1024, + "type": "keyword" + }, + "InternalLogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "IntraSystemId": { + "ignore_above": 1024, + "type": "keyword" + }, + "IsDocLib": { + "type": "boolean" + }, + "Item": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "ItemCount": { + "type": "long" + }, + "ItemName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ItemType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseTemplateType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListBaseType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListColor": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListIcon": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListId": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "ListItemUniqueId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ListTitle": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonError": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerMasterAccountSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "MailboxOwnerUPN": { + "ignore_above": 1024, + "type": "keyword" + }, + "Members": { + "properties": { + "*": { + "type": "object" + } + } + }, + "ModifiedProperties": { + "properties": { + "*": { + "properties": { + "*": { + "type": "object" + } + } + } + } + }, + "Name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ObjectId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "OrganizationName": { + "ignore_above": 1024, + "type": "keyword" + }, + "OriginatingServer": { + "ignore_above": 1024, + "type": "keyword" + }, + "Parameters": { + "properties": { + "*": { + "type": "object" + } + } + }, + "PolicyId": { + "ignore_above": 1024, + "type": "keyword" + }, + "RecordType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ResultStatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "SensitiveInfoDetectionIsIncluded": { + "ignore_above": 1024, + "type": "keyword" + }, + "SessionId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "SharePointMetaData": { + "properties": { + "*": { + "type": "object" + } + } + }, + "Site": { + "ignore_above": 1024, + "type": "keyword" + }, + "SiteUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Source": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "SourceFileExtension": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceFileName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SourceRelativeUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "Status": { + "ignore_above": 1024, + "type": "keyword" + }, + "SupportTicketId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetContextId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserOrGroupType": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TeamName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TemplateTypeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UniqueSharingId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserAgent": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserId": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserKey": { + "ignore_above": 1024, + "type": "keyword" + }, + "UserType": { + "ignore_above": 1024, + "type": "keyword" + }, + "Version": { + "ignore_above": 1024, + "type": "keyword" + }, + "WebId": { + "ignore_above": 1024, + "type": "keyword" + }, + "Workload": { + "ignore_above": 1024, + "type": "keyword" + }, + "YammerNetworkId": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "object_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "okta": { + "properties": { + "actor": { + "properties": { + "alternate_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authentication_context": { + "properties": { + "authentication_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_step": { + "type": "long" + }, + "credential_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "credential_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "external_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user_agent": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "debug_context": { + "properties": { + "debug_data": { + "properties": { + "device_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_suspected": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "display_message": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "outcome": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "ip_chain": { + "properties": { + "geographical_context": { + "properties": { + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "type": "geo_point" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "security_context": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_proxy": { + "type": "boolean" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "oracle": { + "properties": { + "database_audit": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "database": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "entry": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "length": { + "type": "long" + }, + "privilege": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "osquery": { + "properties": { + "result": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "calendar_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "unix_time": { + "type": "long" + } + } + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "panw": { + "properties": { + "panos": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination": { + "properties": { + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "endreason": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "nat": { + "properties": { + "community_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pcap_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence_number": { + "type": "long" + }, + "source": { + "properties": { + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sub_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": 
{ + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pensando": { + "properties": { + "dfw": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "destination_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_port": { + "type": "long" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "type": "long" + }, + "session_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_port": { + "type": "long" + }, + "timestamp": { + "type": "date" + } + } + } + } + }, + "postgresql": { + "properties": { + "log": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_port": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "command_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + }, + "core_id": { + "path": "postgresql.log.session_line_number", + "type": "alias" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "path": "postgresql.log.sql_state_code", + "type": "alias" + } + } + }, + "hint": { + "ignore_above": 1024, + "type": "keyword" + }, + "internal_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "internal_query_pos": { + "type": "long" + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query_pos": { + "type": "long" + }, + "query_step": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_line_number": { + "type": "long" + }, + "session_start_time": { + "type": "date" + }, + "sql_state_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_id": { + "type": "long" + }, + "virtual_transaction_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "ppid": { + "type": "long" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "start": { + "type": "date" + }, + "thread": { + "properties": { + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": 
{ + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rabbitmq": { + "properties": { + "log": { + "properties": { + "pid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "redis": { + "properties": { + "log": { + "properties": { + "role": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slowlog": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "properties": { + "us": { + "type": "long" + } + } + }, + "id": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rsa": { + "properties": { + "counters": { + "properties": { + "dclass_c1": { + "type": "long" + }, + "dclass_c1_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_c2": { + "type": "long" + }, + "dclass_c2_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_c3": { + "type": "long" + }, + "dclass_c3_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r1": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r1_str": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "dclass_r2": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r2_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r3": { + "ignore_above": 1024, + "type": "keyword" + }, + "dclass_r3_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_counter": { + "type": "long" + } + } + }, + "crypto": { + "properties": { + "cert_ca": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_common": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_host_cat": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_keysize": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher_size_dst": { + "type": "long" + }, + "cipher_size_src": { + "type": "long" + }, + "cipher_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "crypto": { + "ignore_above": 1024, + "type": "keyword" + }, + "d_certauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_insact": { + "ignore_above": 1024, + "type": "keyword" + }, + "https_valid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_cookie1": { + "ignore_above": 1024, + "type": "keyword" + }, + "ike_cookie2": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"s_certauth": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_ver_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_ver_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "db": { + "properties": { + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "db_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "db_pid": { + "type": "long" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "ignore_above": 1024, + "type": "keyword" + }, + "lread": { + "type": "long" + }, + "lwrite": { + "type": "long" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "pread": { + "type": "long" + }, + "table_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "transact_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "endpoint": { + "properties": { + "host_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry_value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "attachment": { + "ignore_above": 1024, + "type": "keyword" + }, + "binary": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_entropy": { + "type": "double" + }, + 
"file_vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "filename_tmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "ignore_above": 1024, + "type": "keyword" + }, + "task_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "healthcare": { + "properties": { + "patient_fname": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_lname": { + "ignore_above": 1024, + "type": "keyword" + }, + "patient_mname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "accesses": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "dn_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "federated_idp": { + "ignore_above": 1024, + "type": "keyword" + }, + "federated_sp": { + "ignore_above": 1024, + "type": "keyword" + }, + "firstname": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "lastname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "ldap_response": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "logon_type_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "middlename": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "realm": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_account": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dept": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_sid_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_sid_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "internal": { + "properties": { + "audit_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "cid": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "dead": { + "type": "long" + }, + "device_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_ip": { + "type": "ip" + }, + "device_ipv6": { + "type": "ip" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type_id": { + "type": "long" + }, + "did": { + "ignore_above": 1024, + "type": "keyword" + }, + "entropy_req": { + "type": "long" + }, + "entropy_res": { + "type": "long" + }, + "entry": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "feed_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "feed_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "feed_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "forward_ip": { + "type": "ip" + }, + "forward_ipv6": { + "type": "ip" + }, + "hcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "header_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "type": "long" + }, + "lc_cid": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "lc_ctime": { + "type": "date" + }, + "level": { + "type": "long" + }, + "mcb_req": { + "type": "long" + }, + "mcb_res": { + "type": "long" + }, + "mcbc_req": { + "type": "long" + }, + "mcbc_res": { + "type": "long" + }, + "medium": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "messageid": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_vid": { + "ignore_above": 1024, + "type": "keyword" + }, + "node_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nwe_callback_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "parse_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_req": { + "type": "long" + }, + "payload_res": { + "type": "long" + }, + "process_vid_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_vid_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "rid": { + "type": "long" + }, + "session_split": { + "ignore_above": 1024, + "type": "keyword" + }, + "site": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "sourcefile": { + "ignore_above": 1024, + "type": "keyword" + }, + "statement": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + }, + "ubc_req": { + "type": "long" + }, + "ubc_res": { + "type": "long" + }, + "word": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "investigations": { + "properties": { + "analysis_file": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "analysis_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "analysis_session": { + "ignore_above": 1024, + "type": "keyword" + }, + "boc": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ec_theme": { + "ignore_above": 1024, + "type": "keyword" + }, + "eoc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_cat": { + "type": "long" + }, + "event_cat_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_vcat": { + "ignore_above": 1024, + "type": "keyword" + }, + "inv_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "inv_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "ioc": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "misc": { + "properties": { + "OS": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_op": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_pos": { + "ignore_above": 1024, + "type": "keyword" + }, + "acl_table": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "admin": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarm_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "alarmname": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "auditdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "autorun_type": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"benchmark": { + "ignore_above": 1024, + "type": "keyword" + }, + "bypass": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache_hit": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cc_number": { + "type": "long" + }, + "cefversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_attr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfg_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_attrib": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_new": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_old": { + "ignore_above": 1024, + "type": "keyword" + }, + "changes": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "clustermembers": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_acttimeout": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_asn_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_bgpv4nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ctr_dst_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_dst_tos": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_dst_vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_engine_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_engine_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_f_switch": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampintv": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_flowsampmode": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inacttimeout": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inpermbyts": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_inpermpckts": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_invalid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ip_proto_ver": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_ipv4_ident": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_l_switch": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_log_did": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_log_rid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_max_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_maxpcktlen": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_min_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_minpcktlen": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_1": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_10": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_2": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_3": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_4": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_5": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_7": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_8": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mpls_lbl_9": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mplstoplabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mplstoplabip": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_mul_dst_byt": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "cn_mul_dst_pks": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_muligmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sampalgo": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sampint": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_seqctr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_spackets": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_src_tos": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_src_vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_sysuptime": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_template_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totbytsexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totflowexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_totpcktsexp": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_unixnanosecs": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_v6flowlabel": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_v6optheaders": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "comments": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_rbytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_sbytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "comp_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"context_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "type": "long" + }, + "cpu_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "criticality": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_agency_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_analyzedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_other": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_primary": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_av_secondary": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_bgpv6nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_bit9status": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_datecret": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_dst_tld": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_eth_dst_ven": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_eth_src_ven": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_event_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_filetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_if_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_if_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_ip_next_hop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_ipv4dstpre": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_ipv4srcpre": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_lifetime": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_log_medium": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "cs_loginname": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_modulescore": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_modulesign": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_opswatresult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_payload": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_registrant": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_registrar": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_represult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_rpayload": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_sampler_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_sourcemodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_streams": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_targetmodule": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_v6nxthop": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_whois_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_yararesult": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "devvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "distance": { + "ignore_above": 1024, + "type": "keyword" + }, + "doc_number": { + "type": "long" + }, + "dstburb": { + "ignore_above": 1024, + "type": "keyword" + }, + "edomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "edomaub": { + "ignore_above": 1024, + "type": "keyword" + }, + "ein_number": { + "type": "long" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "euid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_computer": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_log": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "expected_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "facilityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "fcatnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "finterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "forensic_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "found": { + "ignore_above": 1024, + "type": "keyword" + }, + "fresult": { + "type": "long" + }, + "gaddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "hardware_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id3": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_buddyid": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_buddyname": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_croomid": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_croomtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_members": { + "ignore_above": 
1024, + "type": "keyword" + }, + "im_userid": { + "ignore_above": 1024, + "type": "keyword" + }, + "im_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "inout": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipkt": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipscat": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipspri": { + "ignore_above": 1024, + "type": "keyword" + }, + "job_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "jobname": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "latitude": { + "ignore_above": 1024, + "type": "keyword" + }, + "library": { + "ignore_above": 1024, + "type": "keyword" + }, + "lifetime": { + "type": "long" + }, + "linenum": { + "ignore_above": 1024, + "type": "keyword" + }, + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "list_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "listnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "load_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "location_floor": { + "ignore_above": 1024, + "type": "keyword" + }, + "location_mark": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_session_id1": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "ignore_above": 1024, + "type": "keyword" + }, + "logip": { + "ignore_above": 1024, + "type": "keyword" + }, + "logname": { + "ignore_above": 1024, + "type": "keyword" + }, + "longitude": { + "ignore_above": 1024, + "type": "keyword" + }, + "lport": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "match": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "mbug_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_body": { + "ignore_above": 1024, + "type": "keyword" + }, + "misc": { + "ignore_above": 1024, + "type": "keyword" + }, + "misc_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart1": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart2": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart3": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgIdPart4": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netsessid": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntype": { + "ignore_above": 1024, + "type": "keyword" + }, + "num": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + }, + "number1": { + "ignore_above": 1024, + "type": "keyword" + }, + "number2": { + "ignore_above": 1024, + "type": "keyword" + }, + "nwwn": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + }, + "observed_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "opkt": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_filter": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "p_group_object": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid1": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_msgid2": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_result1": { + "ignore_above": 1024, + "type": "keyword" + }, + "param": { + "ignore_above": 1024, + "type": "keyword" + }, + "param_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "param_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_node": { + "ignore_above": 1024, + "type": "keyword" + }, + "password_chg": { + "ignore_above": 1024, + "type": "keyword" + }, + "password_expire": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "payload_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "permgranted": { + "ignore_above": 1024, + "type": "keyword" + }, + "permwanted": { + "ignore_above": 1024, + "type": "keyword" + }, + "pgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "policyUUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_waiver": { + "ignore_above": 1024, + "type": "keyword" + }, + "pool_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_id_val": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "prog_asp_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "program": { + "ignore_above": 1024, + "type": "keyword" + }, + "real_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_asp_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_asp_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "rec_library": { + "ignore_above": 1024, + "type": "keyword" + }, + "recordnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id1": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference_id2": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_num": { + "type": "double" + }, + "risk_num_comm": { + "type": "double" + }, + "risk_num_next": { + "type": "double" + }, + "risk_num_sand": { + "type": "double" + }, + "risk_num_static": { + "type": "double" + }, + "risk_suspicious": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_warning": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_template": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sburb": { + "ignore_above": 1024, + "type": "keyword" + }, + "sdomain_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "search_text": { + "ignore_above": 1024, + "type": "keyword" + }, + "sec": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "second": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensor": { + "ignore_above": 1024, + "type": "keyword" + }, + "sensorname": { + "ignore_above": 1024, + "type": "keyword" + }, + "seqnum": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "session": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sigUUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "type": "long" + }, + "sig_id1": { + "type": "long" + }, + "sig_id_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sigcat": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmp_oid": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmp_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "space": { + "ignore_above": 1024, + "type": "keyword" + }, + "space1": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "spi_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "sql": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcburb": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcdom": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status1": { + "ignore_above": 1024, + "type": "keyword" + }, + "streams": { + "type": "long" + }, + "subcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "svcno": { + "ignore_above": 1024, + "type": "keyword" + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"tbdstr1": { + "ignore_above": 1024, + "type": "keyword" + }, + "tbdstr2": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "type": "long" + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + }, + "tgtdom": { + "ignore_above": 1024, + "type": "keyword" + }, + "tgtdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "threshold": { + "ignore_above": 1024, + "type": "keyword" + }, + "tos": { + "type": "long" + }, + "trigger_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger_val": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type1": { + "ignore_above": 1024, + "type": "keyword" + }, + "udb_class": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_div": { + "ignore_above": 1024, + "type": "keyword" + }, + "userid": { + "ignore_above": 1024, + "type": "keyword" + }, + "username_fld": { + "ignore_above": 1024, + "type": "keyword" + }, + "utcstamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "v_instafname": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "virt_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusname": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpnid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vsys": { + "ignore_above": 1024, + "type": "keyword" + }, + "vuln_ref": { + "ignore_above": 1024, + "type": "keyword" + }, + "workspace": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network": { + "properties": { + "ad_computer_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "alias_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "dinterface": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "dmask": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_a_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_cname_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_opcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_ptr_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain1": { + "ignore_above": 1024, + "type": "keyword" + }, + "eth_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "eth_type": { + "type": "long" + }, + "faddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "fhost": { + "ignore_above": 1024, + "type": "keyword" + }, + "fport": { + "ignore_above": 1024, + "type": "keyword" + }, + "gateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_proto": { + "type": "long" + }, + "laddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "lhost": { + "ignore_above": 1024, + "type": "keyword" + }, + "linterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "mask": { + "ignore_above": 1024, + "type": "keyword" + }, + "netname": { + "ignore_above": 1024, + "type": "keyword" + }, + "network_port": { + "type": "long" + }, + "network_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "paddr": { + "type": "ip" + }, + 
"phost": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "protocol_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_domain_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpayload": { + "ignore_above": 1024, + "type": "keyword" + }, + "sinterface": { + "ignore_above": 1024, + "type": "keyword" + }, + "smask": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + }, + "vlan_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "physical": { + "properties": { + "org_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_src": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "storage": { + "properties": { + "disk_volume": { + "ignore_above": 1024, + "type": "keyword" + }, + "lun": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwwn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "time": { + "properties": { + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "datetime": { + "ignore_above": 1024, + "type": "keyword" + }, + "day": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration_time": { + "type": "double" + }, + "effective_time": { + "type": "date" + }, + "endtime": { + "type": "date" + }, + "event_queue_time": { + "type": "date" + }, + "event_time": { + "type": "date" + }, + "event_time_str": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "eventtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "expire_time": { + "type": "date" + }, + "expire_time_str": { + "ignore_above": 1024, + "type": "keyword" + }, + "gmtdate": { + "ignore_above": 1024, + "type": "keyword" + }, + "gmttime": { + "ignore_above": 1024, + "type": "keyword" + }, + "hour": { + "ignore_above": 1024, + "type": "keyword" + }, + "min": { + "ignore_above": 1024, + "type": "keyword" + }, + "month": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_date": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_month": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time1": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_time2": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_year": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "recorded_time": { + "type": "date" + }, + "stamp": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "tzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "year": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "web": { + "properties": { + "alias_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_asn_dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "cn_rpackets": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "p_web_referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_domain": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "reputation_num": { + "type": "double" + }, + "urlpage": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlroot": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_extension_tmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_page": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_page": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_ref_root": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wireless": { + "properties": { + "access_point": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_channel": { + "type": "long" + }, + "wlan_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "wlan_ssid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "santa": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decision": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "disk": { + "properties": { + "bsdname": { + "ignore_above": 1024, + "type": "keyword" + }, + "bus": { + "ignore_above": 1024, + "type": "keyword" + }, + "fs": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "volume": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snyk": { + "properties": { + "audit": { + "properties": { + "content": { + "type": "flattened" + }, + "org_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "project_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "projects": { + "type": "flattened" + }, + "related": { + "properties": { + "projects": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerabilities": { + "properties": { + "credit": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss3": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "disclosure_time": { + "type": "date" + }, + "exploit_maturity": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifiers": { + "properties": { + "alternative": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "introduced_date": { + "type": "date" + }, + "is_fixed": { + "type": "boolean" + }, + "is_ignored": { + "type": "boolean" + }, + "is_patchable": { + "type": "boolean" + }, + "is_patched": { + "type": "boolean" + }, + "is_pinnable": { + "type": "boolean" + }, + "is_upgradable": { + "type": "boolean" + }, + "jira_issue_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_severity": { + "type": "long" + }, + "package": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_manager": { + "ignore_above": 1024, + "type": "keyword" + }, + "patches": { + "type": "flattened" + }, + "priority_score": { + "type": "long" + }, + "publication_time": { + "type": "date" + }, + "reachability": { + "ignore_above": 1024, + "type": "keyword" + }, + "semver": { + "type": "flattened" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_severities_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "sophos": { + "properties": { + "xg": { + "properties": { + "Configuration": { + "type": "float" + }, + "FTP_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "FTP_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "Mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "PHPSESSID": { + "ignore_above": 1024, + "type": "keyword" + }, + "Reports": { + "type": "float" + }, + "Signature": { + "type": "float" + }, + "SysLog_SERVER_NAME": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "Temp": { + "type": "float" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activityname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_is_cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "appfilter_policy_id": { + "type": "long" + }, + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_filter_policy": { + "type": "long" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_risk": { + "ignore_above": 1024, + "type": "keyword" + }, + "application_technology": { + "ignore_above": 1024, + "type": "keyword" + }, + "appresolvedby": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_mechanism": { + "ignore_above": 1024, + "type": "keyword" + }, + "av_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "backup_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "branch_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_physical_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "clients_conn_ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "collisions": { + "type": "long" + }, + "con_id": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "connectionname": { + "ignore_above": 1024, + "type": "keyword" + }, + "connectiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "connevent": { + "ignore_above": 1024, + "type": "keyword" + }, + "connid": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "contenttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_match": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "destinationip": { + "type": "ip" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dictionary_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dir_disp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "download_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_ip": { + "type": "ip" + }, + "dst_port": { + "type": "long" + }, + "dstdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstzonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "email_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ep_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventid": { + "ignore_above": 1024, + "type": "keyword" + }, + "eventtime": { + "type": "date" + }, + "eventtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "exceptions": { + "ignore_above": 1024, + "type": "keyword" + }, + "execution_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "extra": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "filepath": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesize": { + "type": "long" + }, + "free": { + "type": "long" + }, + "from_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftpcommand": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_rule_id": { + "type": "long" + }, + "hb_health": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpresponsecode": { + "type": "long" + }, + "iap": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "idle_cpu": { + "type": "float" + }, + "idp_policy_id": { + "type": "long" + }, + "idp_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "ignore_above": 1024, + "type": "keyword" + }, + "ips_policy_id": { + "type": "long" + }, + "localgateway": { + "ignore_above": 1024, + "type": "keyword" + }, + "localnetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_component": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mailsize": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "newversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "out_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_authorizer": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "override_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine": { + "ignore_above": 1024, + "type": "keyword" + }, + "quarantine_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "querystring": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "received_pkts": { + "type": "long" + }, + "receiveddrops": { + "type": "long" + }, + "receivederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "receivedkbits": { + "type": "long" + }, + "recv_bytes": { + "type": "long" + }, + "red_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "remotenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsetime": { + "type": "long" + }, + "rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_bytes": { + "type": "long" + }, + "sent_pkts": { + "type": "long" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1sum": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "signature_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "type": "ip" + }, + "spamaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_domainname": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_ip": { + "type": "ip" + }, + "src_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_port": { + "type": "long" + }, + "srczone": { + "ignore_above": 1024, + "type": "keyword" + }, + "srczonetype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "starttime": { + "type": "date" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_cpu": { + "type": "float" + }, + "target": { + "ignore_above": 1024, + "type": "keyword" + }, + "threatname": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_email_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_memory": { + "type": "long" + }, + "trans_dst_ip": { + "type": "ip" + }, + "trans_dst_port": { + "type": "long" + }, + "trans_src_ ip": { + "type": "ip" + }, + "trans_src_port": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transactionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmitteddrops": { + "type": "long" + }, + "transmittederrors": { + "ignore_above": 1024, + "type": "keyword" + }, + "transmittedkbits": { + "type": "long" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "updatedip": { + "type": "ip" + }, + "upload_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload_file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "used": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_cpu": { + "type": "float" + }, + "user_gp": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "vconn_id": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "website": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" 
+ } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "suricata": { + "properties": { + "eve": { + "properties": { + "alert": { + "properties": { + "action": { + "path": "event.outcome", + "type": "alias" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "metadata": { + "type": "flattened" + }, + "rev": { + "type": "long" + }, + "severity": { + "path": "event.severity", + "type": "alias" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "type": "long" + } + } + }, + "app_proto": { + "path": "network.protocol", + "type": "alias" + }, + 
"app_proto_expected": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_proto_ts": { + "ignore_above": 1024, + "type": "keyword" + }, + "dest_ip": { + "path": "destination.ip", + "type": "alias" + }, + "dest_port": { + "path": "destination.port", + "type": "alias" + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "filename": { + "path": "file.path", + "type": "alias" + }, + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "path": "file.size", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "bytes_toclient": { + "path": "destination.bytes", + "type": "alias" + }, + "bytes_toserver": { + "path": "source.bytes", + "type": "alias" + }, + "pkts_toclient": { + "path": "destination.packets", + "type": "alias" + }, + "pkts_toserver": { + "path": "source.packets", + "type": "alias" + }, + "reason": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "start": { + "path": "event.start", + "type": "alias" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "hostname": { + "path": "url.domain", + "type": "alias" + }, + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_method": { + "path": "http.request.method", + "type": "alias" + }, + "http_refer": { + "path": "http.request.referrer", + "type": "alias" + }, + "http_user_agent": { + "path": "user_agent.original", + "type": "alias" + }, + "length": { + "path": "http.response.body.bytes", + "type": "alias" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "redirect": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "path": "http.response.status_code", + "type": "alias" + }, + "url": { + "path": "url.original", + "type": "alias" + } + } + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "pcap_cnt": { + "type": "long" + }, + "proto": { + "path": "network.transport", + "type": "alias" + }, + "smtp": { + "properties": { + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_ip": { + "path": "source.ip", + "type": "alias" + }, + "src_port": { + "path": "source.port", + "type": "alias" + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { 
+ "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": "long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, 
+ "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" 
+ }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + "type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "ack": { + "type": "boolean" + }, + "fin": { + "type": "boolean" + }, + "psh": { + "type": "boolean" + }, + "rst": { + "type": "boolean" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "syn": { + "type": "boolean" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_tc": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_ts": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + } + } + }, + "syslog": { + "properties": { + "facility": { + "type": "long" + }, + "facility_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "severity_label": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "properties": { + "auth": { + "properties": { + "ssh": { + "properties": { + "dropped_ip": { + "type": "ip" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sudo": { + "properties": { + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "useradd": { + "properties": { + "home": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "threatintel": { + "properties": { + "abusemalware": { + "properties": { + "file_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlhaus_download": { + "ignore_above": 1024, + "type": "keyword" + }, + "virustotal": { + "properties": { + "link": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent": { + "type": "float" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "abuseurl": { + "properties": { + "blacklists": { + "properties": { + "spamhaus_dbl": { + "ignore_above": 1024, + "type": "keyword" + }, + "surbl": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "larted": { + "type": "boolean" + }, + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlhaus_reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "anomali": { + "properties": { + "content": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_marking_refs": { + "ignore_above": 1024, + "type": "keyword" + }, + "pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid_from": { + "type": "date" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"first_seen": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "misp": { + "properties": { + "attribute": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "deleted": { + "type": "boolean" + }, + "disable_correlation": { + "type": "boolean" + }, + "distribution": { + "type": "long" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_relation": { + "ignore_above": 1024, + "type": "keyword" + }, + "sharing_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "to_ids": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attribute_count": { + "type": "long" + }, + "date": { + "type": "date" + }, + "disable_correlation": { + "type": "boolean" + }, + "distribution": { + "ignore_above": 1024, + "type": "keyword" + }, + "extends_uuid": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "locked": { + "type": "boolean" + }, + "org": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "local": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "org_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "orgc": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "local": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orgc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "proposal_email_lock": { + "type": "boolean" + }, + "publish_timestamp": { + "type": "date" + }, + "published": { + "type": "boolean" + }, + "sharing_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level_id": { + "type": "long" + }, + "timestamp": { + "type": "date" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "otx": { + "properties": { + "content": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timeseries": { + "properties": { + "instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + 
"properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 
1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "traefik": { + "properties": { + "access": { + "properties": { + "backend_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "frontend_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "geoip": { + "properties": { + "city_name": { + "path": "source.geo.city_name", + "type": "alias" + }, + "continent_name": { + "path": "source.geo.continent_name", + "type": "alias" + }, + "country_iso_code": { + "path": "source.geo.country_iso_code", + "type": "alias" + }, + "location": { + "path": "source.geo.location", + "type": "alias" + }, + "region_iso_code": { + "path": "source.geo.region_iso_code", + "type": "alias" + }, + "region_name": { + "path": "source.geo.region_name", + "type": "alias" + } + } + }, + "request_count": { + "type": "long" + }, + 
"user_agent": { + "properties": { + "device": { + "path": "user_agent.device.name", + "type": "alias" + }, + "name": { + "path": "user_agent.name", + "type": "alias" + }, + "original": { + "path": "user_agent.original", + "type": "alias" + }, + "os": { + "path": "user_agent.os.full_name", + "type": "alias" + }, + "os_name": { + "path": "user_agent.os.name", + "type": "alias" + } + } + }, + "user_identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "audit": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "filesystem": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "saved": { + "properties": { + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "terminal": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 
1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zeek": { + "properties": { + "capture_loss": { + "properties": { + "acks": { + "type": "long" + }, + "gaps": { + "type": "long" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_lost": { + "type": "double" + }, + "ts_delta": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "history": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "inner_vlan": { + "type": "long" + }, + "local_orig": { + "type": "boolean" + }, + "local_resp": { + "type": "boolean" + }, + "missed_bytes": { + "type": "long" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + } + } + }, + "dce_rpc": { + "properties": { + "endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt": { + "type": "long" + } + } + }, + "dhcp": { + "properties": { + "address": { + "properties": { + "assigned": { + "type": "ip" + }, + "client": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested": { + "type": "ip" + }, + "server": { + "type": "ip" + } + } + }, + "client_fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "properties": { + "circuit": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "remote_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscriber": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lease_time": { + "type": "long" + }, + "msg": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "type": "ip" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "software": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dnp3": { + "properties": { + "function": { + "properties": { + "reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "AA": { + "type": "boolean" + }, + "RA": { + "type": "boolean" + }, + "RD": { + "type": "boolean" + }, + "TC": { + "type": "boolean" + }, + "TTLs": { + "type": "double" + }, + "answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "qclass": { + "type": "long" + }, + "qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtype": { + "type": "long" + }, + "qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "type": "long" + }, + "rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "type": "boolean" + }, + "rtt": { + "type": "double" + }, + "saw_query": { + "type": "boolean" + }, + "saw_reply": { + "type": "boolean" + }, + "total_answers": { + "type": "long" + }, + "total_replies": { + "type": "long" + }, + "trans_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dpd": { + "properties": { + "analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"packet_segment": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "files": { + "properties": { + "analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "depth": { + "type": "long" + }, + "duration": { + "type": "double" + }, + "entropy": { + "type": "double" + }, + "extracted": { + "ignore_above": 1024, + "type": "keyword" + }, + "extracted_cutoff": { + "type": "boolean" + }, + "extracted_size": { + "type": "long" + }, + "filename": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "local_orig": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rx_host": { + "type": "ip" + }, + "seen_bytes": { + "type": "long" + }, + "session_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timedout": { + "type": "boolean" + }, + "total_bytes": { + "type": "long" + }, + "tx_host": { + "type": "ip" + } + } + }, + "ftp": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_password": { + "type": "boolean" + }, + "cmdarg": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "seq": { + "type": "long" + } + } + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_channel": { + "properties": { + "originating_host": { + "type": "ip" + }, + "passive": { + "type": "boolean" + }, + "response_host": { + "type": 
"ip" + }, + "response_port": { + "type": "long" + } + } + }, + "file": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "last_auth_requested": { + "ignore_above": 1024, + "type": "keyword" + }, + "passive": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "pending_commands": { + "type": "long" + }, + "reply": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http": { + "properties": { + "captured_password": { + "type": "boolean" + }, + "client_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "info_code": { + "type": "long" + }, + "info_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "orig_mime_depth": { + "type": "long" + }, + "orig_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxied": { + "ignore_above": 1024, + "type": "keyword" + }, + "range_request": { + "type": "boolean" + }, + "resp_filenames": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "resp_mime_depth": { + "type": "long" + }, + "resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_header_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "trans_depth": { + "type": "long" + } + } + }, + "intel": { + "properties": { + "file_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"file_mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen": { + "properties": { + "conn": { + "ignore_above": 1024, + "type": "keyword" + }, + "f": { + "type": "object" + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "where": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sources": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "irc": { + "properties": { + "addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "dcc": { + "properties": { + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kerberos": { + "properties": { + "cert": { + "properties": { + "client": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + } 
+ } + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "error": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "forwardable": { + "type": "boolean" + }, + "renewable": { + "type": "boolean" + }, + "request_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "ticket": { + "properties": { + "auth": { + "ignore_above": 1024, + "type": "keyword" + }, + "new": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "days": { + "type": "long" + }, + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + } + } + }, + "modbus": { + "properties": { + "exception": { + "ignore_above": 1024, + "type": "keyword" + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + }, + "track_address": { + "type": "long" + } + } + }, + "mysql": { + "properties": { + "arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "cmd": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "ignore_above": 1024, + "type": "keyword" + }, + "rows": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "notice": { + "properties": { + "actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped": { + "type": "boolean" + }, + "email_body_sections": { + "norms": false, + "type": "text" + }, + "email_delay_tokens": { + "ignore_above": 1024, + "type": "keyword" + }, + "false": { + "type": "long" + }, + "ffile": { + "properties": { + "total_bytes": { + "type": "long" + } + } + }, + "file": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_orig": { + "type": "boolean" + }, + "mime_type": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "missing_bytes": { + "type": "long" + }, + "overflow_bytes": { + "type": "long" + }, + "parent_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "seen_bytes": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_descr": { + "norms": false, + "type": "text" + }, + "peer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppress_for": { + "type": "double" + } + } + }, + "ntlm": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "name": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "netbios": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "success": { + "type": "boolean" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ocsp": { + "properties": { + "file_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "revoke": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"update": { + "properties": { + "next": { + "type": "date" + }, + "this": { + "type": "date" + } + } + } + } + }, + "pe": { + "properties": { + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "compile_time": { + "type": "date" + }, + "has_cert_table": { + "type": "boolean" + }, + "has_debug_data": { + "type": "boolean" + }, + "has_export_table": { + "type": "boolean" + }, + "has_import_table": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_64bit": { + "type": "boolean" + }, + "is_exe": { + "type": "boolean" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "ignore_above": 1024, + "type": "keyword" + }, + "section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "uses_aslr": { + "type": "boolean" + }, + "uses_code_integrity": { + "type": "boolean" + }, + "uses_dep": { + "type": "boolean" + }, + "uses_seh": { + "type": "boolean" + } + } + }, + "radius": { + "properties": { + "connect_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "framed_addr": { + "type": "ip" + }, + "logged": { + "type": "boolean" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdp": { + "properties": { + "cert": { + "properties": { + "count": { + "type": "long" + }, + "permanent": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cookie": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "desktop": { + "properties": { + "color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "width": { + "type": "long" + } + } + }, + "done": { + "type": "boolean" + }, + "encryption": { + "properties": { + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "keyboard_layout": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "type": "boolean" + } + } + }, + "rfb": { + "properties": { + "auth": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + } + } + }, + "desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "height": { + "type": "long" + }, + "share_flag": { + "type": "boolean" + }, + "version": { + "properties": { + "client": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "width": { + "type": "long" + } + } + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature": { + "properties": { + "event_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_count": { + "type": "long" + }, + "note": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_count": { + "type": "long" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sip": { + "properties": { + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "date": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body_length": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "properties": { + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "msg": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_cmd": { + "properties": { + "argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "rx": { + "type": "ip" + }, + "tx": { + "type": "ip" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rtt": { + "type": "double" + }, + "smb1_offered_dialects": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb2_offered_dialects": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"sub_command": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_files": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "fid": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "previous_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "times": { + "properties": { + "accessed": { + "type": "date" + }, + "changed": { + "type": "date" + }, + "created": { + "type": "date" + }, + "modified": { + "type": "date" + } + } + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smb_mapping": { + "properties": { + "native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "ignore_above": 1024, + "type": "keyword" + }, + "share_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "smtp": { + "properties": { + "cc": { + "ignore_above": 1024, + "type": "keyword" + }, + "date": { + "type": "date" + }, + "first_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "has_client_activity": { + "type": "boolean" + }, + "helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "in_reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_webmail": { + "type": "boolean" + }, + "last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "mail_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"path": { + "type": "ip" + }, + "process_received_from": { + "type": "boolean" + }, + "rcpt_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "reply_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "second_received": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls": { + "type": "boolean" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_depth": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "x_originating_ip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snmp": { + "properties": { + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "double" + }, + "get": { + "properties": { + "bulk_requests": { + "type": "long" + }, + "requests": { + "type": "long" + }, + "responses": { + "type": "long" + } + } + }, + "set": { + "properties": { + "requests": { + "type": "long" + } + } + }, + "up_since": { + "type": "date" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "socks": { + "properties": { + "bound": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "capture_password": { + "type": "boolean" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssh": { + "properties": { + "algorithm": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "compression": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "key_exchange": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "auth": { + "properties": { + "attempts": { + "type": "long" + }, + "success": { + "type": "boolean" + } + } + }, + "client": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "ssl": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "last_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_protocol": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "validation": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stats": { + "properties": { + "bytes": { + "properties": { + "received": { + "type": "long" + } + } + }, + "connections": { + "properties": { + "icmp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + } + } + }, + "dns_requests": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": 
"long" + } + } + }, + "events": { + "properties": { + "processed": { + "type": "long" + }, + "queued": { + "type": "long" + } + } + }, + "files": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "memory": { + "type": "long" + }, + "packets": { + "properties": { + "dropped": { + "type": "long" + }, + "processed": { + "type": "long" + }, + "received": { + "type": "long" + } + } + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "reassembly_size": { + "properties": { + "file": { + "type": "long" + }, + "frag": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "unknown": { + "type": "long" + } + } + }, + "timers": { + "properties": { + "active": { + "type": "long" + }, + "count": { + "type": "long" + } + } + }, + "timestamp_lag": { + "type": "long" + } + } + }, + "syslog": { + "properties": { + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tunnel": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "weird": { + "properties": { + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice": { + "type": "boolean" + }, + "peer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "basic_constraints": { + "properties": { + "certificate_authority": { + "type": "boolean" + }, + "path_length": { + "type": "long" + } + } + }, + "certificate": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "exponent": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "key": { + "properties": { + "algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "valid": { + "properties": { + "from": { + "type": "date" + }, + "until": { + "type": "date" + } + } + }, + "version": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_cert": { + "type": "boolean" + }, + "san": { + "properties": { + "dns": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "other_fields": { + "type": "boolean" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "zoom": { + "properties": { + "account": { + "properties": { + "account_alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "account_name": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"account_support_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "account_support_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "chat_channel": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "chat_message": { + "properties": { + "channel_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "contact_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "contact_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "creation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "master_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "meeting": { + "properties": { + "duration": { + "type": "long" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "issues": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "topic": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "old_values": 
{ + "type": "flattened" + }, + "operator": { + "ignore_above": 1024, + "type": "keyword" + }, + "operator_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "participant": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "join_time": { + "type": "date" + }, + "leave_time": { + "type": "date" + }, + "sharing_details": { + "properties": { + "content": { + "ignore_above": 1024, + "type": "keyword" + }, + "date_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "link_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "phone": { + "properties": { + "answer_start_time": { + "type": "date" + }, + "call_end_time": { + "type": "date" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "callee": { + "properties": { + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "number_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "caller": { + "properties": { + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "number_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "connected_start_time": { + "type": "date" + }, + "date_time": { + "type": "date" + }, + "download_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ringing_start_time": { + "type": "date" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "recording": { + "properties": { + "duration": { + "type": "long" + }, + "host_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "recording_count": { + "type": "long" + }, + "recording_file": { + "properties": { + "recording_end": { + "type": "date" + }, + "recording_start": { + "type": "date" + } + } + }, + "share_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "topic": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registrant": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "city": { + "ignore_above": 1024, + "type": "keyword" + }, + "comments": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "industry": { + "ignore_above": 1024, + "type": "keyword" + }, + "job_title": { + "ignore_above": 1024, + "type": "keyword" + }, + "join_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "no_of_employees": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone": { + "ignore_above": 1024, + "type": "keyword" + }, + "purchasing_time_frame": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_in_purchase_process": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "zip": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "settings": { + "type": "flattened" + }, + "sub_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "user": { + "properties": { + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "dept": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "language": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "personal_notes": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone_country": { + "ignore_above": 1024, + "type": "keyword" + }, + "phone_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "pic_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "pmi": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_status": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"role": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "use_pmi": { + "type": "boolean" + }, + "vanity_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "webinar": { + "properties": { + "agenda": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "issues": { + "ignore_above": 1024, + "type": "keyword" + }, + "join_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "topic": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zoomroom": { + "properties": { + "alert_kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "calendar_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "calendar_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "change_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "component": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "issue": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_email": { + "ignore_above": 1024, + "type": "keyword" + }, + "room_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "settings": { + "index": { + 
"lifecycle": { + "name": "filebeat", + "rollover_alias": "filebeat-7.12.0" + }, + "mapping": { + "total_fields": { + "limit": "10000" + } + }, + "max_docvalue_fields_search": "200", + "number_of_replicas": "1", + "number_of_shards": "1", + "refresh_interval": "5s" } } } From bff66fada5a95d5a8bed0d2a2ad13bceb4ad5afc Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Thu, 18 Mar 2021 14:07:42 +0100 Subject: [PATCH 2/9] adds matches test --- .../indicator_match_rule.spec.ts | 41 ++++++++++++++++++- .../security_solution/cypress/objects/rule.ts | 4 ++ .../cypress/screens/fields_browser.ts | 4 +- .../cypress/screens/rule_details.ts | 7 ++++ .../cypress/tasks/api_calls/rules.ts | 8 ++-- .../cypress/tasks/fields_browser.ts | 10 ++++- .../cypress/tasks/rule_details.ts | 10 +++++ 7 files changed, 77 insertions(+), 7 deletions(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index ef9c7f49cb371..92b71fc327c87 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -50,6 +50,7 @@ import { SCHEDULE_DETAILS, SEVERITY_DETAILS, TAGS_DETAILS, + TIMELINE_FIELD, TIMELINE_TEMPLATE_DETAILS, } from '../../screens/rule_details'; @@ -98,7 +99,7 @@ import { import { waitForKibana } from '../../tasks/edit_rule'; import { esArchiverLoad, esArchiverUnload } from '../../tasks/es_archiver'; import { loginAndWaitForPageWithoutDateRange } from '../../tasks/login'; -import { goBackToAllRulesTable } from '../../tasks/rule_details'; +import { addsFieldsToTimeline, goBackToAllRulesTable } from '../../tasks/rule_details'; import { DETECTIONS_URL, RULE_CREATION } from '../../urls/navigation'; 
@@ -471,6 +472,44 @@ describe('indicator match', () => { }); }); + describe('Enrichment', () => { + beforeEach(() => { + cleanKibana(); + esArchiverLoad('threat_indicator'); + esArchiverLoad('threat_data'); + loginAndWaitForPageWithoutDateRange(DETECTIONS_URL); + goToManageAlertsDetectionRules(); + createCustomIndicatorRule(newThreatIndicatorRule); + reload(); + }); + + afterEach(() => { + esArchiverUnload('threat_indicator'); + esArchiverUnload('threat_data'); + }); + + it('Displays matches on the timeline', () => { + const fieldSearch = 'threat.indicator.matched'; + const fields = [ + 'threat.indicator.matched.atomic', + 'threat.indicator.matched.type', + 'threat.indicator.matched.field', + ]; + const expectedFieldsText = [ + newThreatIndicatorRule.atomic, + newThreatIndicatorRule.type, + newThreatIndicatorRule.indicatorMapping, + ]; + + goToRuleDetails(); + addsFieldsToTimeline(fieldSearch, fields); + + fields.forEach((field, index) => { + cy.get(TIMELINE_FIELD(field)).should('have.text', expectedFieldsText[index]); + }); + }); + }); + describe('Duplicates the indicator rule', () => { beforeEach(() => { cleanKibana(); diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts index ad19eca231634..6273b81d6a028 100644 --- a/x-pack/plugins/security_solution/cypress/objects/rule.ts +++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts @@ -73,6 +73,8 @@ export interface ThreatIndicatorRule extends CustomRule { indicatorIndexPattern: string[]; indicatorMapping: string; indicatorIndexField: string; + type?: string; + atomic?: string; } export interface MachineLearningRule { 
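Review bot: `Displays matches on the timeline` asserts on `cy.get(TIMELINE_FIELD(field)).should('have.text', …)` immediately after `createCustomIndicatorRule` and `reload()`, with nothing in the hunk waiting for the rule to execute and write an alert, so the assertion can race the detection engine on a slow runner and fail before any alert exists. Calling the spec's alert wait — `waitForAlertsPanelToBeLoaded();` or whichever helper this spec uses elsewhere for generated alerts — after `goToRuleDetails()` and before `addsFieldsToTimeline(fieldSearch, fields)` would make that dependency explicit. Also note that `afterEach` unloads both archives while the enclosing describe's own hooks may load them; check that this does not unload fixtures a sibling describe still needs.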
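Review bot: `type?: string;` and `atomic?: string;` are added as optional on `ThreatIndicatorRule`, yet the new Enrichment test feeds `newThreatIndicatorRule.type` and `.atomic` straight into `should('have.text', …)`; a fixture that omits them compares against `undefined` and fails with an opaque message rather than a compile error. Unless other `ThreatIndicatorRule` fixtures genuinely lack these values, declare them required (`type: string; atomic: string;`), or keep them optional and assert they are defined before use.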
@@ -312,6 +314,8 @@ export const newThreatIndicatorRule: ThreatIndicatorRule = { indicatorIndexPattern: ['filebeat-*'], indicatorMapping: 'myhash.mysha256', indicatorIndexField: 'threatintel.indicator.file.hash.sha256', + type: 'file', + atomic: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3', timeline, maxSignals: 100, }; diff --git a/x-pack/plugins/security_solution/cypress/screens/fields_browser.ts b/x-pack/plugins/security_solution/cypress/screens/fields_browser.ts index ea274c446c014..1115dfb00914e 100644 --- a/x-pack/plugins/security_solution/cypress/screens/fields_browser.ts +++ b/x-pack/plugins/security_solution/cypress/screens/fields_browser.ts @@ -5,10 +5,12 @@ * 2.0. */ +export const CLOSE_BTN = '[data-test-subj="close"]'; + export const FIELDS_BROWSER_CATEGORIES_COUNT = '[data-test-subj="categories-count"]'; export const FIELDS_BROWSER_CHECKBOX = (id: string) => { - return `[data-test-subj="field-${id}-checkbox`; + return `[data-test-subj="category-table-container"] [data-test-subj="field-${id}-checkbox"]`; }; export const FIELDS_BROWSER_CONTAINER = '[data-test-subj="fields-browser-container"]'; diff --git a/x-pack/plugins/security_solution/cypress/screens/rule_details.ts b/x-pack/plugins/security_solution/cypress/screens/rule_details.ts index f9590b34a0a11..d94be17a0530a 100644 --- a/x-pack/plugins/security_solution/cypress/screens/rule_details.ts +++ b/x-pack/plugins/security_solution/cypress/screens/rule_details.ts @@ -53,6 +53,9 @@ export const MACHINE_LEARNING_JOB_STATUS = '[data-test-subj="machineLearningJobS export const MITRE_ATTACK_DETAILS = 'MITRE ATT&CK'; +export const FIELDS_BROWSER_BTN = + '[data-test-subj="events-viewer-panel"] [data-test-subj="show-field-browser"]'; + export const REFRESH_BUTTON = '[data-test-subj="refreshButton"]'; export const RULE_ABOUT_DETAILS_HEADER_TOGGLE = '[data-test-subj="stepAboutDetailsToggle"]'; 
@@ -92,6 +95,10 @@ export const TIMELINE_TEMPLATE_DETAILS = 'Timeline template'; export const TIMESTAMP_OVERRIDE_DETAILS = 'Timestamp override'; +export const TIMELINE_FIELD = (field: string) => { + return `[data-test-subj="draggable-content-${field}"]`; +}; + export const getDetails = (title: string) => cy.get(DETAILS_TITLE).contains(title).next(DETAILS_DESCRIPTION); diff --git a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts index 4bf5508c19aa9..c9e46f38d0547 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts @@ -47,7 +47,7 @@ export const createCustomIndicatorRule = (rule: ThreatIndicatorRule, ruleId = 'r { field: rule.indicatorMapping, type: 'mapping', - value: rule.indicatorMapping, + value: rule.indicatorIndexField, }, ], }, @@ -55,13 +55,13 @@ export const createCustomIndicatorRule = (rule: ThreatIndicatorRule, ruleId = 'r threat_query: '*:*', threat_language: 'kuery', threat_filters: [], - threat_index: ['mock*'], + threat_index: rule.indicatorIndexPattern, threat_indicator_path: '', from: 'now-17520h', - index: ['exceptions-*'], + index: rule.index, query: rule.customQuery || '*:*', language: 'kuery', - enabled: false, + enabled: true, }, headers: { 'kbn-xsrf': 'cypress-creds' }, failOnStatusCode: false, diff --git a/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts b/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts index 9ee242dcebbe8..0e7520046bdbe 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts 
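Review bot: `createCustomIndicatorRule` still sends the request with `failOnStatusCode: false` (visible in the hunk's context), so the new payload built from `rule.indicatorIndexPattern`, `rule.index` and `enabled: true` can be rejected by the API — for example a 400 on a bad `threat_mapping` — and the spec only notices later as a timeout while waiting for alerts. Either drop `failOnStatusCode: false` or chain `.then((response) => expect(response.status).to.eq(200))` so a broken fixture fails at the call site. Since `enabled: true` now makes the rule start executing on creation, any spec that relied on the previous `enabled: false` and switched the rule on itself should be rechecked. The function's signature and the end of the request object lie outside the hunk.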
@@ -15,9 +15,17 @@ import { FIELDS_BROWSER_HOST_GEO_CONTINENT_NAME_CHECKBOX, FIELDS_BROWSER_MESSAGE_CHECKBOX, FIELDS_BROWSER_RESET_FIELDS, + FIELDS_BROWSER_CHECKBOX, + CLOSE_BTN, } from '../screens/fields_browser'; import { KQL_SEARCH_BAR } from '../screens/hosts/main'; +export const addsFields = (fields: string[]) => { + fields.forEach((field) => { + cy.get(FIELDS_BROWSER_CHECKBOX(field)).click(); + }); +}; + export const addsHostGeoCityNameToTimeline = () => { cy.get(FIELDS_BROWSER_HOST_GEO_CITY_NAME_CHECKBOX).check({ force: true, @@ -44,7 +52,7 @@ export const clearFieldsBrowser = () => { }; export const closeFieldsBrowser = () => { - cy.get(KQL_SEARCH_BAR).click({ force: true }); + cy.get(CLOSE_BTN).click({ force: true }); }; export const filterFieldsBrowser = (fieldName: string) => { diff --git a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts index 21a2745395419..a2ac29eb46fc3 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts @@ -16,14 +16,17 @@ import { OPERATOR_INPUT, VALUES_INPUT, } from '../screens/exceptions'; +import { CLOSE_BTN } from '../screens/fields_browser'; import { ALERTS_TAB, BACK_TO_RULES, EXCEPTIONS_TAB, + FIELDS_BROWSER_BTN, REFRESH_BUTTON, REMOVE_EXCEPTION_BTN, RULE_SWITCH, } from '../screens/rule_details'; +import { addsFields, closeFieldsBrowser, filterFieldsBrowser } from './fields_browser'; export const activatesRule = () => { cy.intercept('PATCH', '/api/detection_engine/rules/_bulk_update').as('bulk_update'); 
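Review bot: `addsFields` selects each field with `cy.get(FIELDS_BROWSER_CHECKBOX(field)).click()`, which toggles the checkbox, whereas the sibling helper shown in context (`addsHostGeoCityNameToTimeline`) uses `.check({ force: true })`; a field that is already in the timeline would be removed by the click, and the helper is not idempotent across reruns. Prefer `cy.get(FIELDS_BROWSER_CHECKBOX(field)).check({ force: true });` for consistency with the rest of the file and for idempotence.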
@@ -49,6 +52,13 @@ export const addsException = (exception: Exception) => { cy.get(CONFIRM_BTN).should('not.exist'); }; +export const addsFieldsToTimeline = (search: string, fields: string[]) => { + cy.get(FIELDS_BROWSER_BTN).click(); + filterFieldsBrowser(search); + addsFields(fields); + closeFieldsBrowser(); +}; + export const openExceptionModalFromRuleSettings = () => { cy.get(ADD_EXCEPTIONS_BTN).click(); cy.get(LOADING_SPINNER).should('not.exist'); From 6613141f1628ff364775300713b34fc19e8dabb9 Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Thu, 18 Mar 2021 15:32:59 +0100 Subject: [PATCH 3/9] adds enrichment test --- .../detection_rules/indicator_match_rule.spec.ts | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index 92b71fc327c87..af3f70c1696ea 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -16,6 +16,7 @@ import { ALERT_RULE_VERSION, NUMBER_OF_ALERTS, } from '../../screens/alerts'; +import { JSON_CONTENT } from '../../screens/alerts_details'; import { CUSTOM_RULES_BTN, RISK_SCORE, @@ -55,10 +56,12 @@ import { } from '../../screens/rule_details'; import { + expandFirstAlert, goToManageAlertsDetectionRules, waitForAlertsIndexToBeCreated, waitForAlertsPanelToBeLoaded, } from '../../tasks/alerts'; +import { openJsonView } from '../../tasks/alerts_details'; import { changeRowsPerPageTo300, duplicateFirstRule, @@ -481,6 +484,7 @@ describe('indicator match', () => { goToManageAlertsDetectionRules(); createCustomIndicatorRule(newThreatIndicatorRule); reload(); + goToRuleDetails(); }); afterEach(() => { 
@@ -501,13 +505,23 @@ describe('indicator match', () => { newThreatIndicatorRule.indicatorMapping, ]; - goToRuleDetails(); addsFieldsToTimeline(fieldSearch, fields); fields.forEach((field, index) => { cy.get(TIMELINE_FIELD(field)).should('have.text', expectedFieldsText[index]); }); }); + + it('Displays enrichment on the JSON view', () => { + const expectedEnrichment = `"threat": { + "indicator": "{\"first_seen\":\"2021-03-10T08:02:14.000Z\",\"file\":{\"size\":80280,\"pe\":{},\"type\":\"elf\",\"hash\":{\"sha256\":\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\",\"tlsh\":\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"md5\":\"9b6c3518a91d23ed77504b5416bfb5b3\"}},\"type\":\"file\",\"matched\":{\"atomic\":\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\",\"field\":\"myhash.mysha256\",\"id\":\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\",\"index\":\"filebeat-7.12.0-2021.03.10-000001\",\"type\":\"file\"}}" + }`; + + expandFirstAlert(); + openJsonView(); + + cy.get(JSON_CONTENT).contains(expectedEnrichment); + }); }); describe('Duplicates the indicator rule', () => { From 65314c2d634a8a9c35cf8cf4063ea0dbe9f66f21 Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Thu, 18 Mar 2021 16:02:48 +0100 Subject: [PATCH 4/9] improves speed and adds missing files --- .../detection_rules/indicator_match_rule.spec.ts | 9 +++++++-- .../cypress/screens/alerts_details.ts | 10 ++++++++++ .../cypress/tasks/alerts_details.ts | 12 ++++++++++++ 3 files changed, 29 insertions(+), 2 deletions(-) create mode 100644 x-pack/plugins/security_solution/cypress/screens/alerts_details.ts create mode 100644 x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts 
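Review bot: `expectedEnrichment` is a template literal, so each `\"` inside it evaluates to a bare `"`; if the JSON view renders `indicator` as a JSON-escaped string (which the `"{\"first_seen\"…` shape suggests), the backslashes shown on screen are absent from the expected text and `contains` will not match — `String.raw` or `\\"` would preserve them. The assertion is also tied to the editor's exact pretty-printing whitespace and hard-codes a fixture document id plus the `filebeat-7.12.0-2021.03.10-000001` index name, any of which can change without the enrichment being wrong. Asserting a few stable fragments instead, e.g. `cy.get(JSON_CONTENT).should('contain', newThreatIndicatorRule.atomic)` and `cy.get(JSON_CONTENT).should('contain', newThreatIndicatorRule.indicatorMapping)`, would make the test far less brittle.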
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index af3f70c1696ea..298c45bc9559c 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -476,7 +476,7 @@ describe('indicator match', () => { }); describe('Enrichment', () => { - beforeEach(() => { + before(() => { cleanKibana(); esArchiverLoad('threat_indicator'); esArchiverLoad('threat_data'); @@ -484,10 +484,15 @@ describe('indicator match', () => { goToManageAlertsDetectionRules(); createCustomIndicatorRule(newThreatIndicatorRule); reload(); + }); + + beforeEach(() => { + loginAndWaitForPageWithoutDateRange(DETECTIONS_URL); + goToManageAlertsDetectionRules(); goToRuleDetails(); }); - afterEach(() => { + after(() => { esArchiverUnload('threat_indicator'); esArchiverUnload('threat_data'); }); diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts new file mode 100644 index 0000000000000..8cf492746e6de --- /dev/null +++ b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const JSON_CONTENT = '.ace_content'; + +export const JSON_VIEW_TAB = '#json-view'; diff --git a/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts b/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts new file mode 100644 index 0000000000000..3e6b6285966aa --- /dev/null 
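Review bot: `JSON_CONTENT = '.ace_content'` selects the Ace editor's internal CSS class rather than a `data-test-subj` hook, so an editor upgrade or a swap to a different code viewer silently breaks the enrichment assertion. Prefer a test subject on the JSON view container and select on that, e.g. `export const JSON_CONTENT = '[data-test-subj="jsonView"]';`, adding the attribute to the component if it does not already exist.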
+++ b/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts @@ -0,0 +1,12 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { JSON_VIEW_TAB } from '../screens/alerts_details'; + +export const openJsonView = () => { + cy.get(JSON_VIEW_TAB).click(); +}; From 3a801df33d6b9347beb4c6797f6b7245dc54f38f Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Thu, 18 Mar 2021 18:08:00 +0100 Subject: [PATCH 5/9] fixes type check issue --- x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts | 1 - x-pack/plugins/security_solution/cypress/tasks/rule_details.ts | 1 - 2 files changed, 2 deletions(-) diff --git a/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts b/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts index 0e7520046bdbe..72945f557ac1b 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/fields_browser.ts @@ -18,7 +18,6 @@ import { FIELDS_BROWSER_CHECKBOX, CLOSE_BTN, } from '../screens/fields_browser'; -import { KQL_SEARCH_BAR } from '../screens/hosts/main'; export const addsFields = (fields: string[]) => { fields.forEach((field) => { diff --git a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts index a2ac29eb46fc3..37c425c5488bc 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/rule_details.ts @@ -16,7 +16,6 @@ import { OPERATOR_INPUT, VALUES_INPUT, } from '../screens/exceptions'; -import { CLOSE_BTN } from '../screens/fields_browser'; import { ALERTS_TAB, BACK_TO_RULES, From 4ca82cf81f220840d91dc1c9498f2a843dd97d5f Mon Sep 17 00:00:00 2001 
From: Gloria Hornero Date: Tue, 23 Mar 2021 16:40:14 +0100 Subject: [PATCH 6/9] adds 'data-test-subj' for the json view tab --- .../detection_rules/indicator_match_rule.spec.ts | 8 -------- .../security_solution/cypress/screens/alerts_details.ts | 2 +- .../common/components/event_details/event_details.tsx | 1 + 3 files changed, 2 insertions(+), 9 deletions(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index 298c45bc9559c..913f63c85553b 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -477,9 +477,6 @@ describe('indicator match', () => { describe('Enrichment', () => { before(() => { - cleanKibana(); - esArchiverLoad('threat_indicator'); - esArchiverLoad('threat_data'); loginAndWaitForPageWithoutDateRange(DETECTIONS_URL); goToManageAlertsDetectionRules(); createCustomIndicatorRule(newThreatIndicatorRule); @@ -492,11 +489,6 @@ describe('indicator match', () => { goToRuleDetails(); }); - after(() => { - esArchiverUnload('threat_indicator'); - esArchiverUnload('threat_data'); - }); - it('Displays matches on the timeline', () => { const fieldSearch = 'threat.indicator.matched'; const fields = [ diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts index 8cf492746e6de..548afc68fd120 100644 --- a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts +++ b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts @@ -7,4 +7,4 @@ export const JSON_CONTENT = '.ace_content'; -export const JSON_VIEW_TAB = '#json-view'; +export const JSON_VIEW_TAB = '[data-test-subj="jsonViewTab"]'; 
diff --git a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx index ddb3d98cafca8..4979d70ce2d7b 100644 --- a/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx +++ b/x-pack/plugins/security_solution/public/common/components/event_details/event_details.tsx @@ -107,6 +107,7 @@ const EventDetailsComponent: React.FC = ({ }, { id: EventsViewType.jsonView, + 'data-test-subj': 'jsonViewTab', name: i18n.JSON_VIEW, content: ( <> From 5b127f3d15b87594d2fa876a04b92a50f17a8d3c Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Wed, 24 Mar 2021 09:28:08 +0100 Subject: [PATCH 7/9] refactor --- .../indicator_match_rule.spec.ts | 98 +- .../security_solution/cypress/objects/rule.ts | 6 +- .../cypress/screens/alerts_details.ts | 4 +- .../cypress/tasks/alerts_details.ts | 7 +- .../cypress/tasks/api_calls/rules.ts | 2 +- .../cypress/tasks/create_new_rule.ts | 2 +- .../data.json | 2 +- .../mappings.json | 2 +- .../threat_indicator/mappings.json | 24897 +--------------- 9 files changed, 415 insertions(+), 24605 deletions(-) rename x-pack/test/security_solution_cypress/es_archives/{threat_data => suspicious_source_event}/data.json (85%) rename x-pack/test/security_solution_cypress/es_archives/{threat_data => suspicious_source_event}/mappings.json (90%) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index 913f63c85553b..0e605e709c94a 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts 
@@ -6,7 +6,7 @@ */ import { formatMitreAttackDescription } from '../../helpers/rules'; -import { indexPatterns, newThreatIndicatorRule } from '../../objects/rule'; +import { expectedExportedRule, indexPatterns, newThreatIndicatorRule } from '../../objects/rule'; import { ALERT_RULE_METHOD, @@ -16,7 +16,7 @@ import { ALERT_RULE_VERSION, NUMBER_OF_ALERTS, } from '../../screens/alerts'; -import { JSON_CONTENT } from '../../screens/alerts_details'; +import { JSON_CONTENT, JSON_LINES } from '../../screens/alerts_details'; import { CUSTOM_RULES_BTN, RISK_SCORE, @@ -61,7 +61,7 @@ import { waitForAlertsIndexToBeCreated, waitForAlertsPanelToBeLoaded, } from '../../tasks/alerts'; -import { openJsonView } from '../../tasks/alerts_details'; +import { openJsonView, scrollJsonViewToBottom } from '../../tasks/alerts_details'; import { changeRowsPerPageTo300, duplicateFirstRule, @@ -118,11 +118,11 @@ describe('indicator match', () => { before(() => { cleanKibana(); esArchiverLoad('threat_indicator'); - esArchiverLoad('threat_data'); + esArchiverLoad('suspicious_source_event'); }); after(() => { esArchiverUnload('threat_indicator'); - esArchiverUnload('threat_data'); + esArchiverUnload('suspicious_source_event'); }); describe('Creating new indicator match rules', () => { @@ -220,7 +220,7 @@ describe('indicator match', () => { it('Does NOT show invalidation text when there is a valid "index field" and a valid "indicator index field"', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getDefineContinueButton().click(); 
@@ -239,7 +239,7 @@ describe('indicator match', () => { it('Shows invalidation text when there is a valid "index field" and an invalid "indicator index field"', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: 'non-existent-value', validColumns: 'indexField', }); @@ -249,7 +249,7 @@ describe('indicator match', () => { it('Deletes the first row when you have two rows. Both rows valid rows of "index fields" and valid "indicator index fields". The second row should become the first row', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getIndicatorAndButton().click(); @@ -271,14 +271,14 @@ describe('indicator match', () => { it('Deletes the first row when you have two rows. Both rows have valid "index fields" and invalid "indicator index fields". The second row should become the first row', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: 'non-existent-value', validColumns: 'indexField', }); getIndicatorAndButton().click(); fillIndicatorMatchRow({ rowNumber: 2, - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: 'second-non-existent-value', validColumns: 'indexField', }); @@ -309,7 +309,7 @@ describe('indicator match', () => { it('Deletes the first row of data but not the UI elements and the text defaults back to the placeholder of Search', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getIndicatorDeleteButton().click(); 
@@ -321,7 +321,7 @@ describe('indicator match', () => { it('Deletes the second row when you have three rows. The first row is valid data, the second row is invalid data, and the third row is valid data. Third row should shift up correctly', () => { fillIndicatorMatchRow({ - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getIndicatorAndButton().click(); @@ -334,16 +334,22 @@ describe('indicator match', () => { getIndicatorAndButton().click(); fillIndicatorMatchRow({ rowNumber: 3, - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getIndicatorDeleteButton(2).click(); - getIndicatorIndexComboField(1).should('text', newThreatIndicatorRule.indicatorMapping); + getIndicatorIndexComboField(1).should( + 'text', + newThreatIndicatorRule.indicatorMappingField + ); getIndicatorMappingComboField(1).should( 'text', newThreatIndicatorRule.indicatorIndexField ); - getIndicatorIndexComboField(2).should('text', newThreatIndicatorRule.indicatorMapping); + getIndicatorIndexComboField(2).should( + 'text', + newThreatIndicatorRule.indicatorMappingField + ); getIndicatorMappingComboField(2).should( 'text', newThreatIndicatorRule.indicatorIndexField 
@@ -361,11 +367,14 @@ describe('indicator match', () => { getIndicatorOrButton().click(); fillIndicatorMatchRow({ rowNumber: 2, - indexField: newThreatIndicatorRule.indicatorMapping, + indexField: newThreatIndicatorRule.indicatorMappingField, indicatorIndexField: newThreatIndicatorRule.indicatorIndexField, }); getIndicatorDeleteButton().click(); - getIndicatorIndexComboField().should('text', newThreatIndicatorRule.indicatorMapping); + getIndicatorIndexComboField().should( + 'text', + newThreatIndicatorRule.indicatorMappingField + ); getIndicatorMappingComboField().should( 'text', newThreatIndicatorRule.indicatorIndexField @@ -445,7 +454,7 @@ describe('indicator match', () => { ); getDetails(INDICATOR_MAPPING).should( 'have.text', - `${newThreatIndicatorRule.indicatorMapping} MATCHES ${newThreatIndicatorRule.indicatorIndexField}` + `${newThreatIndicatorRule.indicatorMappingField} MATCHES ${newThreatIndicatorRule.indicatorIndexField}` ); getDetails(INDICATOR_INDEX_QUERY).should('have.text', '*:*'); }); 
@@ -476,13 +485,43 @@ describe('indicator match', () => { }); describe('Enrichment', () => { + const fieldSearch = 'threat.indicator.matched'; + const fields = [ + 'threat.indicator.matched.atomic', + 'threat.indicator.matched.type', + 'threat.indicator.matched.field', + ]; + const expectedFieldsText = [ + newThreatIndicatorRule.atomic, + newThreatIndicatorRule.type, + newThreatIndicatorRule.indicatorMappingField, + ]; + + const expectedEnrichment = [ + { line: 31, text: ' "threat": {' }, + { + line: 32, + text: + ' "indicator": "{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\",\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"filebeat-7.12.0-2021.03.10-000001\\",\\"type\\":\\"file\\"}}"', + }, + { line: 33, text: ' }' }, + ]; + before(() => { + cleanKibana(); + esArchiverLoad('threat_indicator'); + esArchiverLoad('suspicious_source_event'); loginAndWaitForPageWithoutDateRange(DETECTIONS_URL); goToManageAlertsDetectionRules(); createCustomIndicatorRule(newThreatIndicatorRule); reload(); }); + after(() => { + esArchiverUnload('threat_indicator'); + esArchiverUnload('suspicious_source_event'); + }); + beforeEach(() => { loginAndWaitForPageWithoutDateRange(DETECTIONS_URL); goToManageAlertsDetectionRules(); 
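Review bot: The new `before` in `describe('Enrichment')` calls `cleanKibana()` and loads `threat_indicator` and `suspicious_source_event` again, although the top-level `before` of `describe('indicator match')` (hunk `@@ -118` in this file) already loaded both, and the new nested `after` unloads them before the outer `after` tries to unload them a second time; whether `esArchiverUnload` tolerates an archive that is already gone is not visible here, so either the outer hooks or the nested ones should own the archives, not both. The `expectedEnrichment` entries also pin `line: 31`, `32` and `33`, which are positions in the rendered JSON view rather than stable keys, so any field added to or removed from the alert document shifts them and the assertion fails for an unrelated reason; a comment such as `// Line indices into the JSON view; they shift whenever the alert document gains or loses fields.` would at least make that coupling explicit. The enclosing `describe('indicator match')` block starts outside this hunk.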
@@ -490,18 +529,6 @@ describe('indicator match', () => { }); it('Displays matches on the timeline', () => { - const fieldSearch = 'threat.indicator.matched'; - const fields = [ - 'threat.indicator.matched.atomic', - 'threat.indicator.matched.type', - 'threat.indicator.matched.field', - ]; - const expectedFieldsText = [ - newThreatIndicatorRule.atomic, - newThreatIndicatorRule.type, - newThreatIndicatorRule.indicatorMapping, - ]; - addsFieldsToTimeline(fieldSearch, fields); fields.forEach((field, index) => { @@ -510,14 +537,15 @@ describe('indicator match', () => { }); it('Displays enrichment on the JSON view', () => { - const expectedEnrichment = `"threat": { - "indicator": "{\"first_seen\":\"2021-03-10T08:02:14.000Z\",\"file\":{\"size\":80280,\"pe\":{},\"type\":\"elf\",\"hash\":{\"sha256\":\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\",\"tlsh\":\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\",\"ssdeep\":\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\",\"md5\":\"9b6c3518a91d23ed77504b5416bfb5b3\"}},\"type\":\"file\",\"matched\":{\"atomic\":\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\",\"field\":\"myhash.mysha256\",\"id\":\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\",\"index\":\"filebeat-7.12.0-2021.03.10-000001\",\"type\":\"file\"}}" - }`; - expandFirstAlert(); openJsonView(); + scrollJsonViewToBottom(); - cy.get(JSON_CONTENT).contains(expectedEnrichment); + cy.get(JSON_LINES).then((elements) => { + expectedEnrichment.forEach((enrichment) => { + cy.wrap(elements).eq(enrichment.line).should('have.text', enrichment.text); + }); + }); }); }); diff --git a/x-pack/plugins/security_solution/cypress/objects/rule.ts b/x-pack/plugins/security_solution/cypress/objects/rule.ts index 6273b81d6a028..68c7796f7ca3b 100644 --- a/x-pack/plugins/security_solution/cypress/objects/rule.ts +++ b/x-pack/plugins/security_solution/cypress/objects/rule.ts 
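Review bot: In the `@@ -510` hunk, `cy.get(JSON_LINES).then((elements) => …)` captures the element list once, so `cy.wrap(elements).eq(enrichment.line).should('have.text', …)` retries against a frozen collection and never re-queries the DOM; if the editor re-renders its rows after `scrollJsonViewToBottom()` the assertions run on detached elements and fail or, worse, pass against stale text. Querying inside the loop keeps Cypress's retry semantics: `expectedEnrichment.forEach((enrichment) => { cy.get(JSON_LINES).eq(enrichment.line).should('have.text', enrichment.text); });`. That the editor only renders a window of rows is inferred from the scroll helper this commit adds, not from these lines.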
@@ -71,7 +71,7 @@ export interface OverrideRule extends CustomRule { export interface ThreatIndicatorRule extends CustomRule { indicatorIndexPattern: string[]; - indicatorMapping: string; + indicatorMappingField: string; indicatorIndexField: string; type?: string; atomic?: string; @@ -301,7 +301,7 @@ export const eqlSequenceRule: CustomRule = { export const newThreatIndicatorRule: ThreatIndicatorRule = { name: 'Threat Indicator Rule Test', description: 'The threat indicator rule description.', - index: ['threat-data-*'], + index: ['suspicious-*'], severity: 'Critical', riskScore: '20', tags: ['test', 'threat'], @@ -312,7 +312,7 @@ export const newThreatIndicatorRule: ThreatIndicatorRule = { runsEvery, lookBack, indicatorIndexPattern: ['filebeat-*'], - indicatorMapping: 'myhash.mysha256', + indicatorMappingField: 'myhash.mysha256', indicatorIndexField: 'threatintel.indicator.file.hash.sha256', type: 'file', atomic: 'a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3', diff --git a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts index 548afc68fd120..417cf73de47f6 100644 --- a/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts +++ b/x-pack/plugins/security_solution/cypress/screens/alerts_details.ts @@ -5,6 +5,8 @@ * 2.0. */ -export const JSON_CONTENT = '.ace_content'; +export const JSON_CONTENT = '[data-test-subj="jsonView"]'; + +export const JSON_LINES = '.ace_line'; export const JSON_VIEW_TAB = '[data-test-subj="jsonViewTab"]'; diff --git a/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts b/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts index 3e6b6285966aa..1582f35989e2c 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/alerts_details.ts 
@@ -5,8 +5,13 @@ * 2.0. */ -import { JSON_VIEW_TAB } from '../screens/alerts_details'; +import { JSON_CONTENT, JSON_VIEW_TAB } from '../screens/alerts_details'; export const openJsonView = () => { cy.get(JSON_VIEW_TAB).click(); }; + +export const scrollJsonViewToBottom = () => { + cy.get(JSON_CONTENT).click({ force: true }); + cy.get(JSON_CONTENT).type('{pagedown}{pagedown}{pagedown}'); +}; diff --git a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts index c9e46f38d0547..0b051f3a26581 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/api_calls/rules.ts @@ -45,7 +45,7 @@ export const createCustomIndicatorRule = (rule: ThreatIndicatorRule, ruleId = 'r { entries: [ { - field: rule.indicatorMapping, + field: rule.indicatorMappingField, type: 'mapping', value: rule.indicatorIndexField, }, diff --git a/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts b/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts index b317f158ae614..0c663a95a4bda 100644 --- a/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts +++ b/x-pack/plugins/security_solution/cypress/tasks/create_new_rule.ts @@ -426,7 +426,7 @@ export const getCustomQueryInvalidationText = () => cy.contains(CUSTOM_QUERY_REQ export const fillDefineIndicatorMatchRuleAndContinue = (rule: ThreatIndicatorRule) => { fillIndexAndIndicatorIndexPattern(rule.index, rule.indicatorIndexPattern); fillIndicatorMatchRow({ - indexField: rule.indicatorMapping, + indexField: rule.indicatorMappingField, indicatorIndexField: rule.indicatorIndexField, }); getDefineContinueButton().should('exist').click({ force: true }); 
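Review bot: `scrollJsonViewToBottom` sends exactly three `{pagedown}` keystrokes, so whether the end of the document is rendered depends on the Cypress viewport height and on the length of the alert's JSON; a longer alert or a smaller viewport leaves the lines the caller asserts on unrendered and the failure points at the assertion, not at this helper. `click({ force: true })` also bypasses Cypress's actionability checks, so a hidden or covered editor still receives the keystrokes without any error. The new export has no TSDoc; at minimum state the assumption: `/** Pages the JSON view to its end so its last rows are rendered; assumes three page-downs span the alert document at the default viewport. */`.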
diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json b/x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/data.json similarity index 85% rename from x-pack/test/security_solution_cypress/es_archives/threat_data/data.json rename to x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/data.json index 75c4fe3811376..11b5e9bd0828b 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_data/data.json +++ b/x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/data.json @@ -2,7 +2,7 @@ "type": "doc", "value": { "id": "_eZE7mwBOpWiDweStB_c", - "index": "threat-data-001", + "index": "suspicious-source-event-001", "source": { "@timestamp": "2021-02-22T21:00:49.337Z", "myhash": { diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json b/x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/mappings.json similarity index 90% rename from x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json rename to x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/mappings.json index 01f8e6cf44e5e..83b2b4d64a510 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_data/mappings.json +++ b/x-pack/test/security_solution_cypress/es_archives/suspicious_source_event/mappings.json @@ -10,7 +10,7 @@ "siem-read-alias": { } }, - "index": "threat-data-001", + "index": "suspicious-source-event-001", "mappings": { "properties": { "@timestamp": { diff --git a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json index 2c5ab082c4cbf..efd23c5a6bba4 100644 --- a/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json +++ b/x-pack/test/security_solution_cypress/es_archives/threat_indicator/mappings.json 
@@ -122,30 +122,6 @@ "@timestamp": { "type": "date" }, - "activemq": { - "properties": { - "caller": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "properties": { - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "agent": { "properties": { "build": { 
@@ -210,24562 +186,504 @@ } } }, - "as": { + "fileset": { "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "auditd": { + "threatintel": { "properties": { - "log": { + "abusemalware": { "properties": { - "a0": { - "ignore_above": 1024, - "type": "keyword" - }, - "addr": { - "type": "ip" - }, - "item": { - "ignore_above": 1024, - "type": "keyword" - }, - "items": { - "ignore_above": 1024, - "type": "keyword" - }, - "laddr": { - "type": "ip" - }, - "lport": { - "type": "long" - }, - "new_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_ses": { + "file_type": { "ignore_above": 1024, "type": "keyword" }, - "rport": { - "type": "long" - }, - "sequence": { - "type": "long" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "aws": { - "properties": { - "cloudtrail": { - "properties": { - "additional_eventdata": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "signature": { "ignore_above": 1024, "type": "keyword" }, - "api_version": { + "urlhaus_download": { "ignore_above": 1024, "type": "keyword" }, - "console_login": { - "properties": { - "additional_eventdata": { - "properties": { - "login_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "mfa_used": { - "type": "boolean" - }, - "mobile_version": { - "type": "boolean" - } - } - } - } - }, - "digest": { + "virustotal": { "properties": { - "end_time": { - "type": "date" - }, - "log_files": { - "type": "nested" - }, - "newest_event_time": { - "type": "date" - }, - "oldest_event_time": { - "type": "date" - }, - "previous_hash_algorithm": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "previous_s3_bucket": { + "link": { "ignore_above": 1024, "type": "keyword" }, - "public_key_fingerprint": { - "ignore_above": 1024, - "type": "keyword" + "percent": { + "type": "float" }, - "s3_bucket": { + "result": { "ignore_above": 1024, "type": "keyword" - }, - "s3_object": { + } + } + } + } + }, + "abuseurl": { + "properties": { + "blacklists": { + "properties": { + "spamhaus_dbl": { "ignore_above": 1024, "type": "keyword" }, - "signature_algorithm": { + "surbl": { "ignore_above": 1024, "type": "keyword" - }, - "start_time": { - "type": "date" } } }, - "error_code": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "error_message": { + "larted": { + "type": "boolean" + }, + "reporter": { "ignore_above": 1024, "type": "keyword" }, - "event_category": { + "tags": { "ignore_above": 1024, "type": "keyword" }, - "event_type": { + "threat": { "ignore_above": 1024, "type": "keyword" }, - "event_version": { + "url_status": { "ignore_above": 1024, "type": "keyword" }, - "flattened": { - "properties": { - "additional_eventdata": { - "type": "flattened" - }, - "request_parameters": { - "type": "flattened" - }, - "response_elements": { - "type": "flattened" - }, - "service_event_details": { - "type": "flattened" - } - } - }, - "insight_details": { - "type": "flattened" - }, - "management_event": { + "urlhaus_reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "anomali": { + "properties": { + "content": { "ignore_above": 1024, "type": "keyword" }, - "read_only": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "recipient_account_id": { + "id": { "ignore_above": 1024, "type": "keyword" }, - "request_id": { + "indicator": { "ignore_above": 1024, "type": "keyword" }, - "request_parameters": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "labels": { "ignore_above": 1024, "type": "keyword" }, - "resources": { - "properties": { - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } + "modified": { + "type": "date" }, - "response_elements": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "name": { "ignore_above": 1024, "type": "keyword" }, - "service_event_details": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, + "object_marking_refs": { "ignore_above": 1024, "type": "keyword" }, - "shared_event_id": { + "pattern": { "ignore_above": 1024, "type": "keyword" }, - "user_identity": { - "properties": { - "access_key_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "invoked_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_context": { - "properties": { - "creation_date": { - "type": "date" - }, - "mfa_authenticated": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_issuer": { - "properties": { - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpc_endpoint_id": { + "title": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "cloudwatch": { - "properties": { - "message": { - "norms": false, - "type": "text" - } - } - }, - "ec2": { - "properties": { - "ip_address": { + }, + "type": { "ignore_above": 1024, "type": "keyword" + }, + "valid_from": { + "type": "date" } } }, - "elb": { + "indicator": { "properties": { - "action_executed": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend": { + "as": { "properties": { - "http": { + "number": { + "type": "long" + }, + "organization": { "properties": { - "response": { - "properties": { - "status_code": { - "ignore_above": 1024, - 
"type": "keyword" + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" } - } + }, + "ignore_above": 1024, + "type": "keyword" } } - }, - "ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "backend_processing_time": { - "properties": { - "sec": { - "type": "float" } } }, - "chosen_cert": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - } - } + "confidence": { + "ignore_above": 1024, + "type": "keyword" }, - "classification": { + "dataset": { "ignore_above": 1024, "type": "keyword" }, - "classification_reason": { + "description": { "ignore_above": 1024, "type": "keyword" }, - "connection_time": { - "properties": { - "ms": { - "type": "long" - } - } + "domain": { + "ignore_above": 1024, + "type": "keyword" }, - "error": { + "email": { "properties": { - "reason": { + "address": { "ignore_above": 1024, "type": "keyword" } } }, - "incoming_tls_alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "listener": { - "ignore_above": 1024, - "type": "keyword" - }, - "matched_rule_priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "redirect_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_processing_time": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "response_processing_time": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "ssl_cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_group": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_status_code": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "tls_handshake_time": { - "properties": { - "ms": { - "type": "long" - } - } - }, - "tls_named_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "trace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "s3access": { - "properties": { - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "bucket": { - "ignore_above": 1024, - "type": "keyword" - }, - "bucket_owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes_sent": { - "type": "long" - }, - "cipher_suite": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_header": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status": { - "type": "long" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_size": { - "type": "long" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "requester": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_time": { - "type": "long" - }, - "turn_around_time": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpcflow": { - "properties": { - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_id": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "log_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "pkt_dstaddr": { - "type": "ip" - }, - "pkt_srcaddr": { - "type": "ip" - }, - "subnet_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_array": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "aws-cloudwatch": { - "properties": { - "ingestion_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_stream": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "azure": { - "properties": { - "activitylogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "properties": { - "authorization": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "evidence": { - "properties": { - "principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_assignment_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_assignment_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_definition_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "claims": { - "properties": { - "*": { - "type": "object" - } - } - }, - "claims_initiated_by_user": { - "properties": { - "fullname": { - "ignore_above": 1024, - "type": "keyword" - }, - "givenname": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 
1024, - "type": "keyword" - }, - "schema": { - "ignore_above": 1024, - "type": "keyword" - }, - "surname": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "service_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auditlogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "activity_datetime": { - "type": "date" - }, - "activity_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_by": { - "properties": { - "app": { - "properties": { - "appId": { - "ignore_above": 1024, - "type": "keyword" - }, - "displayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "servicePrincipalId": { - "ignore_above": 1024, - "type": "keyword" - }, - "servicePrincipalName": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "displayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "userPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "logged_by_service": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"operation_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_resources": { - "properties": { - "*": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "modified_properties": { - "properties": { - "*": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "consumer_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "enqueued_time": { - "type": "date" - }, - "eventhub": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "partition_id": { - "type": "long" - }, - "platformlogs": { - "properties": { - "ActivityId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Caller": { - "ignore_above": 1024, - "type": "keyword" - }, - "Cloud": { - "ignore_above": 1024, - "type": "keyword" - }, - "Environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventTimeString": { - "ignore_above": 1024, - "type": "keyword" - }, - "ScaleUnit": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "ccpNamespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "*": { - "type": "object" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "authorization_rule": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence_number": { - "type": "long" - }, - "signinlogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "app_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_app_used": { - "ignore_above": 1024, - "type": "keyword" - }, - "conditional_access_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "device_detail": { - "properties": { - "browser": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operating_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "trust_type": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_interactive": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "processing_time_ms": { - "type": "float" - }, - "resource_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_level_aggregated": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_level_during_signin": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "properties": { - "error_code": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "token_issuer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "token_issuer_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subscription_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bucket_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cef": { - "properties": { - "device": { - "properties": { - "event_class_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extensions": { - "properties": { - "Reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentAddress": { - "type": "ip" - }, - "agentDnsDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentMacAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentNtDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentReceiptTime": { - "type": "date" - }, - "agentTimeZone": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentTranslatedAddress": { - "type": "ip" - }, - "agentTranslatedZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentTranslatedZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentType": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "agentZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "applicationProtocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "baseEventCount": { - "type": "long" - }, - "bytesIn": { - "type": "long" - }, - "bytesOut": { - "type": "long" - }, - "categoryBehavior": { - "ignore_above": 1024, - "type": "keyword" - }, - "categoryDeviceGroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "categoryDeviceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "categoryObject": { - "ignore_above": 1024, - "type": "keyword" - }, - "categoryOutcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "categorySignificance": { - "ignore_above": 1024, - "type": "keyword" - }, - "categoryTechnique": { - "ignore_above": 1024, - "type": "keyword" - }, - "cp_app_risk": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"cp_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "customerExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "customerURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationAddress": { - "type": "ip" - }, - "destinationDnsDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationGeoLatitude": { - "type": "double" - }, - "destinationGeoLongitude": { - "type": "double" - }, - "destinationHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationMacAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationNtDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationPort": { - "type": "long" - }, - "destinationProcessId": { - "type": "long" - }, - "destinationProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationTranslatedAddress": { - "type": "ip" - }, - "destinationTranslatedPort": { - "type": "long" - }, - "destinationTranslatedZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationTranslatedZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationUserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationUserPrivileges": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "destinationZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceAction": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceAddress": { - "type": "ip" - }, - "deviceCustomDate1": { - "type": "date" - }, - "deviceCustomDate1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomDate2": { - "type": "date" - }, - "deviceCustomDate2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomFloatingPoint1": { - 
"type": "double" - }, - "deviceCustomFloatingPoint1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomFloatingPoint2": { - "type": "double" - }, - "deviceCustomFloatingPoint2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomFloatingPoint3": { - "type": "double" - }, - "deviceCustomFloatingPoint3Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomFloatingPoint4": { - "type": "double" - }, - "deviceCustomFloatingPoint4Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomIPv6Address1": { - "type": "ip" - }, - "deviceCustomIPv6Address1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomIPv6Address2": { - "type": "ip" - }, - "deviceCustomIPv6Address2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomIPv6Address3": { - "type": "ip" - }, - "deviceCustomIPv6Address3Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomIPv6Address4": { - "type": "ip" - }, - "deviceCustomIPv6Address4Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomNumber1": { - "type": "long" - }, - "deviceCustomNumber1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomNumber2": { - "type": "long" - }, - "deviceCustomNumber2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomNumber3": { - "type": "long" - }, - "deviceCustomNumber3Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString1": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString2": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString3": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString3Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString4": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString4Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString5": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString5Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString6": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceCustomString6Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceDirection": { - "type": "long" - }, - "deviceDnsDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceEventCategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceExternalId": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceFacility": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceFlexNumber1": { - "type": "long" - }, - "deviceFlexNumber1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceFlexNumber2": { - "type": "long" - }, - "deviceFlexNumber2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceInboundInterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceMacAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceNtDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceOutboundInterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "devicePayloadId": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceProcessId": { - "type": "long" - }, - "deviceProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceReceiptTime": { - "type": "date" - }, - "deviceTimeZone": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceTranslatedAddress": { - "type": "ip" - }, - "deviceTranslatedZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceTranslatedZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceZoneExternalID": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "deviceZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "endTime": { - "type": "date" - }, - "eventId": { - "type": "long" - }, - "eventOutcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "externalId": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileCreateTime": { - "type": "date" - }, - "fileHash": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileId": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileModificationTime": { - "type": "date" - }, - "filePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "filePermission": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileSize": { - "type": "long" - }, - "fileType": { - "ignore_above": 1024, - "type": "keyword" - }, - "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "flexDate1": { - "type": "date" - }, - "flexDate1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "flexString1": { - "ignore_above": 1024, - "type": "keyword" - }, - "flexString1Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "flexString2": { - "ignore_above": 1024, - "type": "keyword" - }, - "flexString2Label": { - "ignore_above": 1024, - "type": "keyword" - }, - "ifname": { - "ignore_above": 1024, - "type": "keyword" - }, - "inzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "layer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "layer_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "logid": { - "ignore_above": 1024, - "type": "keyword" - }, - "loguid": { - "ignore_above": 1024, - "type": "keyword" - }, - "managerReceiptTime": { - "type": "date" - }, - "match_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_addtnl_rulenum": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_rulenum": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldFileCreateTime": { - "type": "date" - }, - "oldFileHash": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "oldFileId": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldFileModificationTime": { - "type": "date" - }, - "oldFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldFilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldFilePermission": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldFileSize": { - "type": "long" - }, - "oldFileType": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "ignore_above": 1024, - "type": "keyword" - }, - "originsicname": { - "ignore_above": 1024, - "type": "keyword" - }, - "outzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_rule": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawEvent": { - "ignore_above": 1024, - "type": "keyword" - }, - "requestClientApplication": { - "ignore_above": 1024, - "type": "keyword" - }, - "requestContext": { - "ignore_above": 1024, - "type": "keyword" - }, - "requestCookies": { - "ignore_above": 1024, - "type": "keyword" - }, - "requestMethod": { - "ignore_above": 1024, - "type": "keyword" - }, - "requestUrl": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequencenum": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceAddress": { - "type": "ip" - }, - "sourceDnsDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceGeoLatitude": { - "type": "double" - }, - "sourceGeoLongitude": { - "type": "double" - }, - "sourceHostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceMacAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceNtDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourcePort": { - "type": "long" - }, - "sourceProcessId": { - 
"type": "long" - }, - "sourceProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceTranslatedAddress": { - "type": "ip" - }, - "sourceTranslatedPort": { - "type": "long" - }, - "sourceTranslatedZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceTranslatedZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceUserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceUserPrivileges": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceZoneExternalID": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceZoneURI": { - "ignore_above": 1024, - "type": "keyword" - }, - "startTime": { - "type": "date" - }, - "transportProtocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "type": "long" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "checkpoint": { - "properties": { - "action_reason": { - "type": "long" - }, - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "additional_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "additional_rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "allocated_ports": { - "type": "long" - }, - "analyzed_on": { - "ignore_above": 1024, - "type": "keyword" - }, - "answer_rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "anti_virus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "type": "long" - }, - "app_package": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"app_properties": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_repackaged": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_risk": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_sid_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "appi_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "arrival_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "attachments_num": { - "type": "long" - }, - "attack_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "authority_rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "authorization": { - "ignore_above": 1024, - "type": "keyword" - }, - "bcc": { - "ignore_above": 1024, - "type": "keyword" - }, - "blade_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "broker_publisher": { - "type": "ip" - }, - "browse_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "c_bytes": { - "type": "long" - }, - "calc_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "capacity": { - "type": "long" - }, - "capture_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cc": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_resource": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_validation": { - "ignore_above": 1024, - "type": "keyword" - }, - "cgnet": { - "ignore_above": 1024, - "type": "keyword" - }, - "chunk_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_type": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "client_type_os": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "confidence_level": { - "type": "long" - }, - "connection_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "connectivity_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "connectivity_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "conns_amount": { - "type": "long" - }, - "content_disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_risk": { - "type": "long" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_num": { - "type": "long" - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookieI": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookieR": { - "ignore_above": 1024, - "type": "keyword" - }, - "cp_message": { - "type": "long" - }, - "cvpn_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvpn_resource": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_type_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dce-rpc_interface_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_object": { - "ignore_above": 1024, - "type": "keyword" - }, - "detected_on": { - "ignore_above": 1024, - "type": "keyword" - }, - "developer_certificate_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "diameter_app_ID": { - "type": "long" - }, - "diameter_cmd_code": { - "type": "long" - }, - "diameter_msg_type": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"dlp_action_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_additional_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_data_type_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_data_type_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_fingerprint_files_number": { - "type": "long" - }, - "dlp_fingerprint_long_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_fingerprint_short_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_incident_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_recipients": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_related_incident_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_relevant_data_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_repository_directories_number": { - "type": "long" - }, - "dlp_repository_files_number": { - "type": "long" - }, - "dlp_repository_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_repository_not_scanned_directories_percentage": { - "type": "long" - }, - "dlp_repository_reached_directories_number": { - "type": "long" - }, - "dlp_repository_root_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_repository_scan_progress": { - "type": "long" - }, - "dlp_repository_scanned_directories_number": { - "type": "long" - }, - "dlp_repository_scanned_files_number": { - "type": "long" - }, - "dlp_repository_scanned_total_size": { - "type": "long" - }, - "dlp_repository_skipped_files_number": { - "type": "long" - }, - "dlp_repository_total_size": { - "type": "long" - }, - "dlp_repository_unreachable_directories_number": { - "type": "long" - }, - "dlp_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_template_score": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"dlp_transint": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_violation_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_watermark_profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_word_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "drop_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_file_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_file_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_file_verdict": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_incoming": { - "type": "long" - }, - "dropped_outgoing": { - "type": "long" - }, - "dropped_total": { - "type": "long" - }, - "drops_amount": { - "type": "long" - }, - "dst_country": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_phone_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstkeyid": { - "ignore_above": 1024, - "type": "keyword" - }, - "duplicate": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "ignore_above": 1024, - "type": "keyword" - }, - "elapsed": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_content": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_control": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_control_analysis": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_headers": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_queue_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_queue_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_recipients_num": { - "type": "long" - }, 
- "email_session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_spam_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_spool_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "emulated_on": { - "ignore_above": 1024, - "type": "keyword" - }, - "encryption_failure": { - "ignore_above": 1024, - "type": "keyword" - }, - "end_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "end_user_firewall_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_access_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_associated_policies": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_noncompliance_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_rule_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_rule_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "esod_scan_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_count": { - "type": "long" - }, - "expire_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_file_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_file_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_file_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_file_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_file_verdict": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_impact": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "files_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "first_hit_time": { - "type": "long" - }, - "frequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "fs-proto": { - "ignore_above": 1024, - "type": "keyword" - }, - "ftp_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "fw_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "fw_subproduct": { - "ignore_above": 1024, - "type": "keyword" - }, - "hide_ip": { - "type": "ip" - }, - "hit": { - "type": "long" - }, - "host_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_location": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_inspection_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_inspection_rule_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_inspection_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_validation": { - "ignore_above": 1024, - "type": "keyword" - }, - "icap_more_info": { - "type": "long" - }, - "icap_server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "icap_server_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "icap_service_id": { - "type": "long" - }, - "icmp": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "id": { - "type": "long" - }, - "identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "ike": { - "ignore_above": 1024, - "type": "keyword" - }, - "ike_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "impacted_files": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_name": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "indicator_reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "info": { - "ignore_above": 1024, - "type": "keyword" - }, - "information": { - "ignore_above": 1024, - "type": "keyword" - }, - "inspection_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "inspection_item": { - "ignore_above": 1024, - "type": "keyword" - }, - "inspection_profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "inspection_settings_log": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed_products": { - "ignore_above": 1024, - "type": "keyword" - }, - "int_end": { - "type": "long" - }, - "int_start": { - "type": "long" - }, - "integrity_av_invoke_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "internal_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "invalid_file_size": { - "type": "long" - }, - "ip_option": { - "type": "long" - }, - "isp_link": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_hit_time": { - "type": "long" - }, - "last_rematch_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "layer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "layer_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "limit_applied": { - "type": "long" - }, - "limit_requested": { - "type": "long" - }, - "link_probing_status_update": { - "ignore_above": 1024, - "type": "keyword" - }, - "links_num": { - "type": "long" - }, - "log_delay": { - "type": "long" - }, - "log_id": { - "type": "long" - }, - "logid": { - "ignore_above": 1024, - "type": "keyword" - }, - "long_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_family": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_fk": { - "type": "long" - }, - "match_id": { - "type": "long" - 
}, - "matched_file": { - "ignore_above": 1024, - "type": "keyword" - }, - "matched_file_percentage": { - "type": "long" - }, - "matched_file_text_segments": { - "type": "long" - }, - "media_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_size": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "methods": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "mirror_and_decrypt_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_collection": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_command_and_control": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_credential_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_defense_evasion": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_discovery": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_exfiltration": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_impact": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_initial_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_lateral_movement": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_persistence": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_privilege_escalation": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitor_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat46": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_addtnl_rulenum": { - "type": "long" - }, - 
"nat_exhausted_pool": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_rulenum": { - "type": "long" - }, - "needs_browse_time": { - "type": "long" - }, - "next_hop_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "next_scheduled_scan_date": { - "ignore_above": 1024, - "type": "keyword" - }, - "number_of_errors": { - "type": "long" - }, - "objecttable": { - "ignore_above": 1024, - "type": "keyword" - }, - "objecttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "observable_comment": { - "ignore_above": 1024, - "type": "keyword" - }, - "observable_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "observable_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_sic_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_queue_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "outgoing_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_amount": { - "type": "long" - }, - "packet_capture_unique_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_file_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_file_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_process_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_rule": { - "type": "long" - }, - "peer_gateway": { - "type": "ip" - }, - "peer_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_ip_probing_status_update": { - "ignore_above": 1024, - "type": "keyword" - }, - "performance_impact": { - "type": "long" - }, - "policy_mgmt": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ports_usage": { - "type": "long" - }, - "ppp": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "precise_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_machine_name": { - "type": "long" - }, - "proxy_src_ip": { - "type": "ip" - }, - "proxy_user_dn": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "question_rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer_parent_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer_self_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_ip-phones": { - "ignore_above": 1024, - "type": "keyword" - }, - "reject_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "reject_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "rematch_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediated_files": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_status": { - "type": "long" - }, - "risk": { - "ignore_above": 1024, - "type": "keyword" - }, - "rpc_prog": { - "type": "long" - }, - "rule": { - "type": "long" - }, - "rule_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "rulebase_id": { - "type": "long" - }, - "scan_direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "scan_hosts_day": { - "type": "long" - }, - "scan_hosts_hour": { - "type": "long" - }, - "scan_hosts_week": { - "type": "long" - }, - "scan_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scan_mail": { - 
"type": "long" - }, - "scan_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "scan_results": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "scrub_activity": { - "ignore_above": 1024, - "type": "keyword" - }, - "scrub_download_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "scrub_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "scrub_total_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "scrubbed_content": { - "ignore_above": 1024, - "type": "keyword" - }, - "sctp_association_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "sctp_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "scv_message_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "scv_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "securexl_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "sensor_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "short_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "similar_communication": { - "ignore_above": 1024, - "type": "keyword" - }, - "similar_hashes": { - "ignore_above": 1024, - "type": "keyword" - }, - "similar_strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "similiar_iocs": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "site_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_object": { - "type": "long" - }, - "source_os": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "special_properties": { - "type": "long" - }, - "specific_data_type_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "spyware_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "spyware_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "spyware_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_country": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_phone_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_user_dn": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "srckeyid": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_update": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_policy_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subs_exp": { - "type": "date" - }, - "subscriber": { - "type": "ip" - }, - "summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "suppressed_logs": { - "type": "long" - }, - "sync": { - "ignore_above": 1024, - "type": "keyword" - }, - "sys_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_end_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_packet_out_of_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "te_verdict_determined_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "termination_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ticket_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls_server_host_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_archive_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_attachments": { - 
"type": "long" - }, - "triggered_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "unique_detected_day": { - "type": "long" - }, - "unique_detected_hour": { - "type": "long" - }, - "unique_detected_week": { - "type": "long" - }, - "update_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "verdict": { - "ignore_above": 1024, - "type": "keyword" - }, - "via": { - "ignore_above": 1024, - "type": "keyword" - }, - "virus_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_attach_action_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_attach_sz": { - "type": "long" - }, - "voip_call_dir": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_call_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_call_term_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_config": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_duration": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_est_codec": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_exp": { - "type": "long" - }, - "voip_from_user_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_media_codec": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_media_ipp": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_media_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_method": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "voip_reason_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_reg_int": { - "type": "long" - }, - "voip_reg_ipp": { - "type": "long" - }, - "voip_reg_period": { - "type": "long" - }, - "voip_reg_server": { - "type": "ip" - }, - "voip_reg_user_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_reject_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_to_user_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpn_feature_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "watermark": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_server_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "word_list": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cisco": { - "properties": { - "amp": { - "properties": { - "cloud_ioc": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "short_description": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "computer": { - "properties": { - "active": { - "type": "boolean" - }, - "connector_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "external_ip": { - "type": "ip" - }, - "network_addresses": { - "type": "flattened" - } - } - }, - "connector_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "detection": { - "ignore_above": 1024, - "type": "keyword" - }, - "detection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_type_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "archived_file": { - "properties": { - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "identify": { - "properties": { - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity": { - 
"properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "attack_details": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "attacked_module": { - "ignore_above": 1024, - "type": "keyword" - }, - "base_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicators": { - "type": "flattened" - }, - "suspicious_files": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "disposition": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "group_guids": { - "ignore_above": 1024, - "type": "keyword" - }, - "network_info": { - "properties": { - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "nfm": { - "properties": { - "direction": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "parent": { - "properties": { - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "identify": { - "properties": { - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "related": { - "properties": { - "cve": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "clean": { - "type": "boolean" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "malicious_detections": { - "type": "long" - }, - "scanned_files": { - "type": "long" - }, - "scanned_paths": { - "type": "long" - }, - "scanned_processes": { - "type": "long" - } - } - }, - "tactics": { - "type": "flattened" - }, - "techniques": { - "type": "flattened" - }, - "threat_hunting": { - "properties": { - 
"incident_end_time": { - "type": "date" - }, - "incident_hunt_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_report_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_start_time": { - "type": "date" - }, - "incident_summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "incident_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactics": { - "type": "flattened" - }, - "techniques": { - "type": "flattened" - } - } - }, - "timestamp_nanoseconds": { - "type": "date" - }, - "vulnerabilities": { - "type": "flattened" - } - } - }, - "asa": { - "properties": { - "assigned_ip": { - "type": "ip" - }, - "burst": { - "properties": { - "avg_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "configured_avg_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "configured_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "cumulative_count": { - "ignore_above": 1024, - "type": "keyword" - }, - "current_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "object": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line_arguments": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dap_records": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "short" - }, - "icmp_type": { - "type": "short" - }, - "mapped_destination_host": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"mapped_destination_ip": { - "type": "ip" - }, - "mapped_destination_port": { - "type": "long" - }, - "mapped_source_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_source_ip": { - "type": "ip" - }, - "mapped_source_port": { - "type": "long" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "privilege": { - "properties": { - "new": { - "ignore_above": 1024, - "type": "keyword" - }, - "old": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "suffix": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ftd": { - "properties": { - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dap_records": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "short" - }, - "icmp_type": { - "type": "short" - }, - "mapped_destination_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_destination_ip": { - "type": "ip" - }, - "mapped_destination_port": { - "type": "long" - }, - "mapped_source_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_source_ip": { - "type": "ip" - }, - "mapped_source_port": { - "type": "long" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "security": { - "type": "object" - }, - "source_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"source_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "suffix": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_level": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ios": { - "properties": { - "access_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "umbrella": { - "properties": { - "amp_disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "amp_malware_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "amp_score": { - "ignore_above": 1024, - "type": "keyword" - }, - "av_detections": { - "ignore_above": 1024, - "type": "keyword" - }, - "blocked_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "datacenter": { - "ignore_above": 1024, - "type": "keyword" - }, - "identities": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "puas": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha_sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "container": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "coredns": { - "properties": { - "dnssec_ok": { - "type": "boolean" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - 
}, - "size": { - "type": "long" - } - } - } - } - }, - "crowdstrike": { - "properties": { - "event": { - "properties": { - "AuditKeyValues": { - "type": "nested" - }, - "CommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "Commands": { - "ignore_above": 1024, - "type": "keyword" - }, - "ComputerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ConnectionDirection": { - "ignore_above": 1024, - "type": "keyword" - }, - "CustomerId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DetectDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "DetectId": { - "ignore_above": 1024, - "type": "keyword" - }, - "DetectName": { - "ignore_above": 1024, - "type": "keyword" - }, - "DeviceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "EndTimestamp": { - "type": "date" - }, - "EventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExecutablesWritten": { - "type": "nested" - }, - "FalconHostLink": { - "ignore_above": 1024, - "type": "keyword" - }, - "FileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "FilePath": { - "ignore_above": 1024, - "type": "keyword" - }, - "FineScore": { - "type": "float" - }, - "Flags": { - "properties": { - "Audit": { - "type": "boolean" - }, - "Log": { - "type": "boolean" - }, - "Monitor": { - "type": "boolean" - } - } - }, - "GrandparentCommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "GrandparentImageFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "HostName": { - "ignore_above": 1024, - "type": "keyword" - }, - "HostnameField": { - "ignore_above": 1024, - "type": "keyword" - }, - "ICMPCode": { - "ignore_above": 1024, - "type": "keyword" - }, - "ICMPType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IOCType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IOCValue": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImageFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "IncidentEndTime": { - "type": "date" 
- }, - "IncidentStartTime": { - "type": "date" - }, - "Ipv": { - "ignore_above": 1024, - "type": "keyword" - }, - "LateralMovement": { - "type": "long" - }, - "LocalAddress": { - "type": "ip" - }, - "LocalIP": { - "ignore_above": 1024, - "type": "keyword" - }, - "LocalPort": { - "type": "long" - }, - "MACAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "MD5String": { - "ignore_above": 1024, - "type": "keyword" - }, - "MachineDomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "MatchCount": { - "type": "long" - }, - "MatchCountSinceLastReport": { - "type": "long" - }, - "NetworkProfile": { - "ignore_above": 1024, - "type": "keyword" - }, - "Objective": { - "ignore_above": 1024, - "type": "keyword" - }, - "OperationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "PID": { - "type": "long" - }, - "ParentCommandLine": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentImageFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ParentProcessId": { - "type": "long" - }, - "PatternDispositionDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "PatternDispositionFlags": { - "type": "object" - }, - "PatternDispositionValue": { - "type": "long" - }, - "PolicyID": { - "ignore_above": 1024, - "type": "keyword" - }, - "PolicyName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessEndTime": { - "type": "date" - }, - "ProcessId": { - "type": "long" - }, - "ProcessStartTime": { - "type": "date" - }, - "Protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "RemoteAddress": { - "type": "ip" - }, - "RemotePort": { - "type": "long" - }, - "RuleAction": { - "ignore_above": 1024, - "type": "keyword" - }, - "RuleDescription": { - "ignore_above": 1024, - "type": "keyword" - }, - "RuleFamilyID": { - "ignore_above": 1024, - "type": "keyword" - }, - "RuleGroupName": { - "ignore_above": 1024, - "type": "keyword" - }, - "RuleId": { - "ignore_above": 1024, - "type": "keyword" - }, - "RuleName": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "SHA1String": { - "ignore_above": 1024, - "type": "keyword" - }, - "SHA256String": { - "ignore_above": 1024, - "type": "keyword" - }, - "SensorId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ServiceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Severity": { - "type": "long" - }, - "SeverityName": { - "ignore_above": 1024, - "type": "keyword" - }, - "StartTimestamp": { - "type": "date" - }, - "State": { - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "Success": { - "type": "boolean" - }, - "Tactic": { - "ignore_above": 1024, - "type": "keyword" - }, - "Technique": { - "ignore_above": 1024, - "type": "keyword" - }, - "Timestamp": { - "type": "date" - }, - "TreeID": { - "ignore_above": 1024, - "type": "keyword" - }, - "UTCTimestamp": { - "type": "date" - }, - "UserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserIp": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserName": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "metadata": { - "properties": { - "customerIDString": { - "ignore_above": 1024, - "type": "keyword" - }, - "eventCreationTime": { - "type": "date" - }, - "eventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": 
{ - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "docker": { - "properties": { - "attrs": { - "type": "object" - }, - "container": { - "properties": { - "labels": { - "type": "object" - } - } - } - } - }, - "ecs": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elasticsearch": { - "properties": { - "audit": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "indices": { - "ignore_above": 1024, - "type": "keyword" - }, - "invalidate": { - "properties": { - "apikeys": { - "properties": { - "owned_by_authenticated_user": { - "type": "boolean" - } - } - } - } - }, - "layer": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "origin": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "params": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "run_as": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "realm": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "cluster": { - "properties": { - "name": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "gc": { - "properties": { - "heap": { - "properties": { - "size_kb": { - "type": "long" - }, - "used_kb": { - "type": "long" - } - } - }, - "jvm_runtime_sec": { - "type": "float" - }, - "old_gen": { - "properties": { - "size_kb": { - "type": "long" - }, - "used_kb": { - "type": "long" - } - } - }, - "phase": { - "properties": { - "class_unload_time_sec": { - "type": "float" - }, - "cpu_time": { - "properties": { - "real_sec": { - "type": "float" - }, - "sys_sec": { - "type": "float" - }, - "user_sec": { - "type": "float" - } - } - }, - "duration_sec": { - "type": "float" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parallel_rescan_time_sec": { - "type": "float" - }, - "scrub_string_table_time_sec": { - "type": "float" - }, - "scrub_symbol_table_time_sec": { - "type": "float" - }, - "weak_refs_processing_time_sec": { - "type": "float" - } - } - }, - "stopping_threads_time_sec": { - "type": "float" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threads_total_stop_time_sec": { - "type": "float" - }, - "young_gen": { - "properties": { - "size_kb": { - "type": "long" - }, - "used_kb": { - "type": "long" - } - } - } - } - }, - "index": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "node": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "gc": { - "properties": { - "collection_duration": { - "properties": { - "ms": { - "type": "float" - } - } - }, - "observation_duration": { - "properties": { - "ms": { - "type": "float" - } - } - }, - "overhead_seq": { - "type": "long" - }, - "young": { - "properties": { - "one": 
{ - "type": "long" - }, - "two": { - "type": "long" - } - } - } - } - }, - "stacktrace": { - "ignore_above": 1024, - "index": false, - "type": "keyword" - } - } - }, - "shard": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "extra_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "routing": { - "ignore_above": 1024, - "type": "keyword" - }, - "search_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "stats": { - "ignore_above": 1024, - "type": "keyword" - }, - "took": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_hits": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_shards": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "envoyproxy": { - "properties": { - "authority": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "upstream_service_time": { - "type": "long" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - }, - "stack_trace": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" 
- } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fields": { - "type": "object" - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "fileset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "forcepoint": { - "properties": { - "virus_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fortinet": { - "properties": { - "file": { - "properties": { - "hash": { - "properties": { - "crc32": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - } - } - }, - "firewall": { - "properties": { - "acct_stat": { - "ignore_above": 1024, - "type": "keyword" - }, - "acktime": { - "ignore_above": 1024, - "type": "keyword" - }, - "act": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity": { - "ignore_above": 1024, - "type": "keyword" - }, - "addr": { - "type": "ip" - }, - "addr_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "addrgrp": { - "ignore_above": 1024, - "type": "keyword" - }, - "adgroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "admin": { - "ignore_above": 1024, - "type": "keyword" - }, - "age": { - "type": "long" - }, - "agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "alarmid": { - "type": "long" - }, - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "analyticscksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "analyticssubmit": { - "ignore_above": 1024, - "type": "keyword" - }, - "ap": { - "ignore_above": 1024, - "type": "keyword" - }, - "app-type": { - "ignore_above": 1024, - "type": "keyword" - }, - "appact": { - "ignore_above": 1024, - "type": "keyword" - }, - "appid": { - "type": "long" - }, - "applist": { - "ignore_above": 1024, - "type": "keyword" - }, - "apprisk": { - "ignore_above": 1024, - "type": "keyword" - }, - "apscan": { - "ignore_above": 1024, - "type": "keyword" - }, - "apsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "apstatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "aptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "assigned": { - "type": "ip" - }, - "assignip": { - "type": "ip" - }, - "attachment": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack": { - "ignore_above": 1024, - "type": "keyword" - }, - "attackcontext": { - "ignore_above": 1024, - "type": "keyword" - }, - "attackcontextid": { - "ignore_above": 1024, - "type": "keyword" - }, - "attackid": { - "type": "long" - }, 
- "auditid": { - "type": "long" - }, - "auditscore": { - "ignore_above": 1024, - "type": "keyword" - }, - "audittime": { - "type": "long" - }, - "authgrp": { - "ignore_above": 1024, - "type": "keyword" - }, - "authid": { - "ignore_above": 1024, - "type": "keyword" - }, - "authproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "authserver": { - "ignore_above": 1024, - "type": "keyword" - }, - "bandwidth": { - "ignore_above": 1024, - "type": "keyword" - }, - "banned_rule": { - "ignore_above": 1024, - "type": "keyword" - }, - "banned_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "banword": { - "ignore_above": 1024, - "type": "keyword" - }, - "botnetdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "botnetip": { - "type": "ip" - }, - "bssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "carrier_ep": { - "ignore_above": 1024, - "type": "keyword" - }, - "cat": { - "type": "long" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cc": { - "ignore_above": 1024, - "type": "keyword" - }, - "cdrcontent": { - "ignore_above": 1024, - "type": "keyword" - }, - "centralnatid": { - "type": "long" - }, - "cert": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert-type": { - "ignore_above": 1024, - "type": "keyword" - }, - "certhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgattr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgobj": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgpath": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgtid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgtxpower": { - "type": "long" - }, - "channel": { - "type": "long" - }, - "channeltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "chassisid": { - "type": "long" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "chgheaders": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"cldobjid": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "clouduser": { - "ignore_above": 1024, - "type": "keyword" - }, - "column": { - "type": "long" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "configcountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "conserve": { - "ignore_above": 1024, - "type": "keyword" - }, - "constraint": { - "ignore_above": 1024, - "type": "keyword" - }, - "contentdisarmed": { - "ignore_above": 1024, - "type": "keyword" - }, - "contenttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookies": { - "ignore_above": 1024, - "type": "keyword" - }, - "count": { - "type": "long" - }, - "countapp": { - "type": "long" - }, - "countav": { - "type": "long" - }, - "countcifs": { - "type": "long" - }, - "countdlp": { - "type": "long" - }, - "countdns": { - "type": "long" - }, - "countemail": { - "type": "long" - }, - "countff": { - "type": "long" - }, - "countips": { - "type": "long" - }, - "countssh": { - "type": "long" - }, - "countssl": { - "type": "long" - }, - "countwaf": { - "type": "long" - }, - "countweb": { - "type": "long" - }, - "cpu": { - "type": "long" - }, - "craction": { - "type": "long" - }, - "criticalcount": { - "type": "long" - }, - "crl": { - "ignore_above": 1024, - "type": "keyword" - }, - "crlevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "crscore": { - "type": "long" - }, - "cveid": { - "ignore_above": 1024, - "type": "keyword" - }, - "daemon": { - "ignore_above": 1024, - "type": "keyword" - }, - "datarange": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "ignore_above": 1024, - "type": "keyword" - }, - "ddnsserver": { - "type": "ip" - }, - "desc": { - "ignore_above": 
1024, - "type": "keyword" - }, - "detectionmethod": { - "ignore_above": 1024, - "type": "keyword" - }, - "devcategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "devintfname": { - "ignore_above": 1024, - "type": "keyword" - }, - "devtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "dintf": { - "ignore_above": 1024, - "type": "keyword" - }, - "disk": { - "ignore_above": 1024, - "type": "keyword" - }, - "disklograte": { - "type": "long" - }, - "dlpextra": { - "ignore_above": 1024, - "type": "keyword" - }, - "docsource": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainctrlauthstate": { - "type": "long" - }, - "domainctrlauthtype": { - "type": "long" - }, - "domainctrldomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainctrlip": { - "type": "ip" - }, - "domainctrlname": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainctrlprotocoltype": { - "type": "long" - }, - "domainctrlusername": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainfilteridx": { - "type": "long" - }, - "domainfilterlist": { - "ignore_above": 1024, - "type": "keyword" - }, - "ds": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_int": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstcountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstdevcategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstdevtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstfamily": { - "ignore_above": 1024, - "type": "keyword" - }, - "dsthwvendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "dsthwversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstinetsvc": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstintfrole": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstosname": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstosversion": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"dstserver": { - "type": "long" - }, - "dstssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstswversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstunauthusersource": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstuuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "duid": { - "ignore_above": 1024, - "type": "keyword" - }, - "eapolcnt": { - "type": "long" - }, - "eapoltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "encrypt": { - "type": "long" - }, - "encryption": { - "ignore_above": 1024, - "type": "keyword" - }, - "epoch": { - "type": "long" - }, - "espauth": { - "ignore_above": 1024, - "type": "keyword" - }, - "esptransform": { - "ignore_above": 1024, - "type": "keyword" - }, - "exch": { - "ignore_above": 1024, - "type": "keyword" - }, - "exchange": { - "ignore_above": 1024, - "type": "keyword" - }, - "expectedsignature": { - "ignore_above": 1024, - "type": "keyword" - }, - "expiry": { - "ignore_above": 1024, - "type": "keyword" - }, - "fams_pause": { - "type": "long" - }, - "fazlograte": { - "type": "long" - }, - "fctemssn": { - "ignore_above": 1024, - "type": "keyword" - }, - "fctuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "filefilter": { - "ignore_above": 1024, - "type": "keyword" - }, - "filehashsrc": { - "ignore_above": 1024, - "type": "keyword" - }, - "filtercat": { - "ignore_above": 1024, - "type": "keyword" - }, - "filteridx": { - "type": "long" - }, - "filtername": { - "ignore_above": 1024, - "type": "keyword" - }, - "filtertype": { - "ignore_above": 1024, - "type": "keyword" - }, - "fortiguardresp": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwardedfor": { - "ignore_above": 1024, - "type": "keyword" - }, - "fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "frametype": { - "ignore_above": 1024, - "type": "keyword" - }, - "freediskstorage": { - "type": "long" - }, - "from": { - "ignore_above": 
1024, - "type": "keyword" - }, - "from_vcluster": { - "type": "long" - }, - "fsaverdict": { - "ignore_above": 1024, - "type": "keyword" - }, - "fwserver_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gateway": { - "type": "ip" - }, - "green": { - "ignore_above": 1024, - "type": "keyword" - }, - "groupid": { - "type": "long" - }, - "ha-prio": { - "type": "long" - }, - "ha_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "ha_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "handshake": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hbdn_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "highcount": { - "type": "long" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "iaid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmpcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmpid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "type": "long" - }, - "in_spi": { - "ignore_above": 1024, - "type": "keyword" - }, - "incidentserialno": { - "type": "long" - }, - "infected": { - "type": "long" - }, - "infectedfilelevel": { - "type": "long" - }, - "informationsource": { - "ignore_above": 1024, - "type": "keyword" - }, - "init": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiator": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "intf": { - "ignore_above": 1024, - "type": "keyword" - }, - "invalidmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "iptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "keyword": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "lanin": { - "type": "long" - }, - "lanout": { - "type": "long" - }, - "lease": { - 
"type": "long" - }, - "license_limit": { - "ignore_above": 1024, - "type": "keyword" - }, - "limit": { - "type": "long" - }, - "line": { - "ignore_above": 1024, - "type": "keyword" - }, - "live": { - "type": "long" - }, - "local": { - "type": "ip" - }, - "log": { - "ignore_above": 1024, - "type": "keyword" - }, - "login": { - "ignore_above": 1024, - "type": "keyword" - }, - "lowcount": { - "type": "long" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "malform_data": { - "type": "long" - }, - "malform_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "manuf": { - "ignore_above": 1024, - "type": "keyword" - }, - "masterdstmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "mastersrcmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "mediumcount": { - "type": "long" - }, - "mem": { - "type": "long" - }, - "meshmode": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mgmtcnt": { - "type": "long" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitor-name": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitor-type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mpsk": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "ignore_above": 1024, - "type": "keyword" - }, - "netid": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "newchannel": { - "type": "long" - }, - "newchassisid": { - "type": "long" - }, - "newslot": { - "type": "long" - }, - "nextstat": { - "type": "long" - }, - "nf_type": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "noise": { - "type": "long" - }, - "old_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldchannel": { - "type": "long" - }, - "oldchassisid": { - "type": "long" - }, - "oldslot": { - "type": "long" - }, - "oldsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldwprof": { - "ignore_above": 1024, - "type": "keyword" - }, - "onwire": { - "ignore_above": 1024, - "type": "keyword" - }, - "opercountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "opertxpower": { - "type": "long" - }, - "osname": { - "ignore_above": 1024, - "type": "keyword" - }, - "osversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "out_spi": { - "ignore_above": 1024, - "type": "keyword" - }, - "outintf": { - "ignore_above": 1024, - "type": "keyword" - }, - "passedcount": { - "type": "long" - }, - "passwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_notif": { - "ignore_above": 1024, - "type": "keyword" - }, - "phase2_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "phone": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "policytype": { - "ignore_above": 1024, - "type": "keyword" - }, - "poolname": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "portbegin": { - "type": "long" - }, - "portend": { - "type": "long" - }, - "probeproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "processtime": { - "type": "long" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile_vd": { - "ignore_above": 1024, - "type": "keyword" - }, - "profilegroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "profiletype": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "qtypeval": { - "type": "long" - }, - "quarskip": { - "ignore_above": 1024, - "type": "keyword" - }, - "quotaexceeded": { - "ignore_above": 1024, - "type": "keyword" - }, - "quotamax": { - "type": "long" - }, - "quotatype": { - "ignore_above": 1024, - "type": "keyword" - }, - "quotaused": { - "type": "long" - }, - "radioband": { - "ignore_above": 1024, - "type": "keyword" - }, - "radioid": { - "type": "long" - }, - "radioidclosest": { - "type": "long" - }, - "radioiddetected": { - "type": "long" - }, - "rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawdataid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcvddelta": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "received": { - "type": "long" - }, - "receivedsignature": { - "ignore_above": 1024, - "type": "keyword" - }, - "red": { - "ignore_above": 1024, - "type": "keyword" - }, - "referralurl": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote": { - "type": "ip" - }, - "remotewtptime": { - "ignore_above": 1024, - "type": "keyword" - }, - "reporttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "reqtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "rssi": { - "type": "long" - }, - "rsso_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruledata": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruletype": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanned": { - "type": "long" - }, - "scantime": { - "type": "long" - }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "security": { - "ignore_above": 1024, - "type": "keyword" - }, - "sensitivity": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "sensor": { - "ignore_above": 1024, - "type": "keyword" - }, - "sentdelta": { - "ignore_above": 1024, - "type": "keyword" - }, - "seq": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "serialno": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sessionid": { - "type": "long" - }, - "setuprate": { - "type": "long" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "shaperdroprcvdbyte": { - "type": "long" - }, - "shaperdropsentbyte": { - "type": "long" - }, - "shaperperipdropbyte": { - "type": "long" - }, - "shaperperipname": { - "ignore_above": 1024, - "type": "keyword" - }, - "shaperrcvdname": { - "ignore_above": 1024, - "type": "keyword" - }, - "shapersentname": { - "ignore_above": 1024, - "type": "keyword" - }, - "shapingpolicyid": { - "type": "long" - }, - "signal": { - "type": "long" - }, - "size": { - "type": "long" - }, - "slot": { - "type": "long" - }, - "sn": { - "ignore_above": 1024, - "type": "keyword" - }, - "snclosest": { - "ignore_above": 1024, - "type": "keyword" - }, - "sndetected": { - "ignore_above": 1024, - "type": "keyword" - }, - "snmeshparent": { - "ignore_above": 1024, - "type": "keyword" - }, - "spi": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_int": { - "ignore_above": 1024, - "type": "keyword" - }, - "srccountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcfamily": { - "ignore_above": 1024, - "type": "keyword" - }, - "srchwvendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "srchwversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcinetsvc": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcintfrole": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcname": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "srcserver": { - "type": "long" - }, - "srcssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcswversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcuuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sscname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sslaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssllocal": { - "ignore_above": 1024, - "type": "keyword" - }, - "sslremote": { - "ignore_above": 1024, - "type": "keyword" - }, - "stacount": { - "type": "long" - }, - "stage": { - "ignore_above": 1024, - "type": "keyword" - }, - "stamac": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "stitch": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "submodule": { - "ignore_above": 1024, - "type": "keyword" - }, - "subservice": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "suspicious": { - "type": "long" - }, - "switchproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "sync_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sync_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sysuptime": { - "ignore_above": 1024, - "type": "keyword" - }, - "tamac": { - "ignore_above": 1024, - "type": "keyword" - }, - "threattype": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - }, - "to_vcluster": { - "type": "long" - }, - "total": { - "type": "long" - }, - "totalsession": { - "type": "long" - }, - "trace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "trandisp": { - "ignore_above": 1024, - "type": "keyword" - }, - "transid": { - "type": 
"long" - }, - "translationid": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "ignore_above": 1024, - "type": "keyword" - }, - "trueclntip": { - "type": "ip" - }, - "tunnelid": { - "type": "long" - }, - "tunnelip": { - "type": "ip" - }, - "tunneltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "ui": { - "ignore_above": 1024, - "type": "keyword" - }, - "unauthusersource": { - "ignore_above": 1024, - "type": "keyword" - }, - "unit": { - "type": "long" - }, - "urlfilteridx": { - "type": "long" - }, - "urlfilterlist": { - "ignore_above": 1024, - "type": "keyword" - }, - "urlsource": { - "ignore_above": 1024, - "type": "keyword" - }, - "urltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "used": { - "type": "long" - }, - "used_for_type": { - "type": "long" - }, - "utmaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "vap": { - "ignore_above": 1024, - "type": "keyword" - }, - "vapmode": { - "ignore_above": 1024, - "type": "keyword" - }, - "vcluster": { - "type": "long" - }, - "vcluster_member": { - "type": "long" - }, - "vcluster_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "vd": { - "ignore_above": 1024, - "type": "keyword" - }, - "vdname": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendorurl": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "vip": { - "ignore_above": 1024, - "type": "keyword" - }, - "virus": { - "ignore_above": 1024, - "type": "keyword" - }, - "virusid": { - "type": "long" - }, - "voip_proto": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpn": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpntunnel": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpntype": { - "ignore_above": 1024, - "type": "keyword" - }, - "vrf": { - "type": "long" - }, - "vulncat": { - "ignore_above": 1024, - "type": "keyword" - }, - "vulnid": { - 
"type": "long" - }, - "vulnname": { - "ignore_above": 1024, - "type": "keyword" - }, - "vwlid": { - "type": "long" - }, - "vwlquality": { - "ignore_above": 1024, - "type": "keyword" - }, - "vwlservice": { - "ignore_above": 1024, - "type": "keyword" - }, - "vwpvlanid": { - "type": "long" - }, - "wanin": { - "type": "long" - }, - "wanoptapptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "wanout": { - "type": "long" - }, - "weakwepiv": { - "ignore_above": 1024, - "type": "keyword" - }, - "xauthgroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "xauthuser": { - "ignore_above": 1024, - "type": "keyword" - }, - "xid": { - "type": "long" - } - } - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "google_workspace": { - "properties": { - "actor": { - "properties": { - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "admin": { - "properties": { - "alert": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "api": { - "properties": { - "client": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scopes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "application": { - "properties": { - "asp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "edition": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "licences_order_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "licences_purchased": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bulk_upload": { - "properties": { - "failed": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "chrome_licenses": { - "properties": { - "allowed": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "chrome_os": { - "properties": { - "session_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "device": { - "properties": { - "command_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "distribution": { - "properties": { - "entity": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "domain": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "secondary_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "log_search_filter": { - "properties": { - "end_date": { - "type": "date" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "recipient": { - "properties": { - "ip": { - "type": "ip" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "ip": { - "type": "ip" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start_date": { - "type": "date" - } - } - }, - 
"quarantine_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email_dump": { - "properties": { - "include_deleted": { - "type": "boolean" - }, - "package_content": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email_monitor": { - "properties": { - "dest_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "properties": { - "chat": { - "ignore_above": 1024, - "type": "keyword" - }, - "draft": { - "ignore_above": 1024, - "type": "keyword" - }, - "incoming": { - "ignore_above": 1024, - "type": "keyword" - }, - "outgoing": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "gateway": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "allowed_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "priorities": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "info_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "managed_configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "mdm": { - "properties": { - "token": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mobile": { - "properties": { - "action": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "certificate": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "company_owned_devices": { - "type": "long" - } - } - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "non_featured_services_selection": { - "ignore_above": 1024, - "type": "keyword" - }, - "oauth2": { - "properties": { - "application": { - "properties": { - 
"id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "org_unit": { - "properties": { - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "print_server": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "printer": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "privilege": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sku": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "role": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "setting": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "birthdate": { - "type": "date" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "nickname": { - "ignore_above": 
1024, - "type": "keyword" - } - } - }, - "user_defined_setting": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "verification_method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "drive": { - "properties": { - "added_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "billable": { - "type": "boolean" - }, - "destination_folder_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_folder_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_shared_drive": { - "type": "boolean" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "membership_change_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_visibility": { - "ignore_above": 1024, - "type": "keyword" - }, - "originating_app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "primary_event": { - "type": "boolean" - }, - "removed_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "shared_drive_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "shared_drive_settings_change_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sheets_import_range_recipient_doc": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_folder_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_folder_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "visibility": { - "ignore_above": 1024, - "type": "keyword" - }, - "visibility_change": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"event": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "groups": { - "properties": { - "acl_permission": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "member": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "moderation_action": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "setting": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "login": { - "properties": { - "affected_email_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "challenge_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_second_factor": { - "type": "boolean" - }, - "is_suspicious": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saml": { - "properties": { - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "orgunit_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "second_level_status_code": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - } - } - }, - "googlecloud": { - "properties": { - "audit": { - 
"properties": { - "authentication_info": { - "properties": { - "authority_selector": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal_email": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "method_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "num_response_items": { - "type": "long" - }, - "request": { - "properties": { - "filter": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "proto_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request_metadata": { - "properties": { - "caller_ip": { - "type": "ip" - }, - "caller_supplied_user_agent": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource_location": { - "properties": { - "current_locations": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "properties": { - "details": { - "properties": { - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "proto_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "properties": { - "code": { - "type": "long" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "instance": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - 
}, - "vpc": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnetwork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "firewall": { - "properties": { - "rule_details": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_range": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_range": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_service_account": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_service_account": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "instance": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpc": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnetwork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "vpcflow": { - "properties": { - "reporter": { - "ignore_above": 1024, - "type": "keyword" - }, - "rtt": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gsuite": { - "properties": { - "actor": { - "properties": { - "key": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "admin": { - "properties": { - "alert": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "api": { - "properties": { - "client": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scopes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "application": { - "properties": { - "asp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "edition": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "licences_order_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "licences_purchased": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bulk_upload": { - "properties": { - "failed": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "chrome_licenses": { - "properties": { - "allowed": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "chrome_os": { - "properties": { - "session_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "device": { - "properties": { - "command_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "distribution": { - "properties": { - "entity": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "domain": { - "properties": { - "alias": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "secondary_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "log_search_filter": { - "properties": { - "end_date": { - "type": "date" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "recipient": { - "properties": { - "ip": { - "type": "ip" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "ip": { - "type": "ip" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start_date": { - "type": "date" - } - } - }, - "quarantine_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email_dump": { - "properties": { - "include_deleted": { - "type": "boolean" - }, - "package_content": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email_monitor": { - "properties": { - "dest_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "properties": { - "chat": { - "ignore_above": 1024, - "type": "keyword" - }, - "draft": { - "ignore_above": 1024, - "type": "keyword" - }, - "incoming": { - "ignore_above": 1024, - "type": "keyword" - }, - "outgoing": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "gateway": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group": { - "properties": { - "allowed_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "priorities": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "info_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "managed_configuration": { - "ignore_above": 1024, - "type": "keyword" - }, - "mdm": { - "properties": { - "token": { - "ignore_above": 
1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mobile": { - "properties": { - "action": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "certificate": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "company_owned_devices": { - "type": "long" - } - } - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "non_featured_services_selection": { - "ignore_above": 1024, - "type": "keyword" - }, - "oauth2": { - "properties": { - "application": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "org_unit": { - "properties": { - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "print_server": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "printer": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "privilege": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sku": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "role": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "setting": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "birthdate": { - "type": "date" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "nickname": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_defined_setting": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "verification_method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "drive": { - "properties": { - "added_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "billable": { - "type": "boolean" - }, - "destination_folder_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_folder_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_shared_drive": { - "type": "boolean" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "membership_change_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_visibility": { - "ignore_above": 1024, - "type": "keyword" - }, - "originating_app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "primary_event": { - "type": "boolean" - }, - "removed_role": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "shared_drive_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "shared_drive_settings_change_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sheets_import_range_recipient_doc": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_folder_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_folder_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "visibility": { - "ignore_above": 1024, - "type": "keyword" - }, - "visibility_change": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "groups": { - "properties": { - "acl_permission": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "member": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "moderation_action": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "setting": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "login": { - "properties": { - "affected_email_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "challenge_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_second_factor": { - "type": "boolean" - }, - "is_suspicious": 
{ - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saml": { - "properties": { - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "orgunit_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "second_level_status_code": { - "type": "long" - }, - "status_code": { - "type": "long" - } - } - } - } - }, - "haproxy": { - "properties": { - "backend_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_queue": { - "type": "long" - }, - "bind_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes_read": { - "type": "long" - }, - "connection_wait_time_ms": { - "type": "long" - }, - "connections": { - "properties": { - "active": { - "type": "long" - }, - "backend": { - "type": "long" - }, - "frontend": { - "type": "long" - }, - "retries": { - "type": "long" - }, - "server": { - "type": "long" - } - } - }, - "error_message": { - "norms": false, - "type": "text" - }, - "frontend_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "request": { - "properties": { - "captured_cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "captured_headers": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_request_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_wait_ms": { - "type": "long" - }, - "time_wait_without_data_ms": { - "type": "long" - } - } - }, - "response": { - "properties": { - "captured_cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "captured_headers": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "server_queue": { - "type": "long" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp": { - "properties": { - "connection_waiting_time_ms": { - "type": "long" - } - } - }, - "termination_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_backend_connect": { - "type": "long" - }, - "time_queue": { - "type": "long" - }, - "total_waiting_time_ms": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "containerized": { - "type": "boolean" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - 
"text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - 
"properties": { - "bytes": { - "type": "long" - }, - "content": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ibmmq": { - "properties": { - "errorlog": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "arithinsert": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "commentinsert": { - "ignore_above": 1024, - "type": "keyword" - }, - "errordescription": { - "norms": false, - "type": "text" - }, - "explanation": { - "ignore_above": 1024, - "type": "keyword" - }, - "installation": { - "ignore_above": 1024, - "type": "keyword" - }, - "qmgr": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "icinga": { - "properties": { - "debug": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "main": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "startup": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "icmp": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "igmp": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "iis": { - "properties": { - "access": { - "properties": { - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "site_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_status": { - "type": "long" - }, - "win32_status": { - "type": "long" - } - } - }, - "error": { - 
"properties": { - "queue_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason_phrase": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "iptables": { - "properties": { - "ether_type": { - "type": "long" - }, - "flow_label": { - "type": "long" - }, - "fragment_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment_offset": { - "type": "long" - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "id": { - "type": "long" - }, - "parameter": { - "type": "long" - }, - "redirect": { - "type": "ip" - }, - "seq": { - "type": "long" - }, - "type": { - "type": "long" - } - } - }, - "id": { - "type": "long" - }, - "incomplete_bytes": { - "type": "long" - }, - "input_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "output_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "precedence_bits": { - "type": "short" - }, - "tcp": { - "properties": { - "ack": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "reserved_bits": { - "type": "short" - }, - "seq": { - "type": "long" - }, - "window": { - "type": "long" - } - } - }, - "tos": { - "type": "long" - }, - "ttl": { - "type": "long" - }, - "ubiquiti": { - "properties": { - "input_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "output_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_set": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "udp": { - "properties": { - "length": { - "type": "long" - } - } - } - } - }, - "jolokia": { - 
"properties": { - "agent": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "secured": { - "type": "boolean" - }, - "server": { - "properties": { - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "juniper": { - "properties": { - "srx": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "action_detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "apbr_rule_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_characteristics": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_sub_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_ip": { - "type": "ip" - }, - "connection_hit_rate": { - "type": "long" - }, - "connection_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_hit_rate": { - "type": "long" - }, - "context_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_value_hit_rate": { - "type": "long" - }, - "ddos_application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dscp_value": { - "type": "long" - }, - "dst_nat_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_nat_rule_type": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "dst_vrf_grp": { - "ignore_above": 1024, - "type": "keyword" - }, - "elapsed_time": { - "type": "date" - }, - "encrypted": { - "ignore_above": 1024, - "type": "keyword" - }, - "epoch_time": { - "type": "date" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "export_id": { - "type": "long" - }, - "feed_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_hash_lookup": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_type": { - "type": "long" - }, - "inbound_bytes": { - "type": "long" - }, - "inbound_packets": { - "type": "long" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "logical_system_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_connection_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "nested_application": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj": { - "ignore_above": 1024, - "type": "keyword" - }, - "occur_count": { - "type": "long" - }, - "outbound_bytes": { - "type": "long" - }, - "outbound_packets": { - "type": "long" - }, - "packet_log_id": { - "type": "long" - }, - "peer_destination_address": { - "type": "ip" - }, - "peer_destination_port": { - "type": "long" - }, - "peer_session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_source_address": { - "type": "ip" - }, - "peer_source_port": { - "type": "long" - }, 
- "policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "repeat_count": { - "type": "long" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "routing_instance": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleebase_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sample_sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "secure_web_proxy_session_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id_32": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_nat_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_nat_rule_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_vrf_grp": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "temporary_filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "th": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_count": { - "type": "long" - }, - 
"time_period": { - "type": "long" - }, - "time_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uplink_rx_bytes": { - "type": "long" - }, - "uplink_tx_bytes": { - "type": "long" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - }, - "verdict_number": { - "type": "long" - }, - "verdict_source": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "kafka": { - "properties": { - "block_timestamp": { - "type": "date" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "ignore_above": 1024, - "type": "keyword" - }, - "trace": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "norms": false, - "type": "text" - } - } - } - } - }, - "offset": { - "type": "long" - }, - "partition": { - "type": "long" - }, - "topic": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kibana": { - "properties": { - "add_to_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delete_from_spaces": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "properties": { - "meta": { - "type": "object" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lookup_realm": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved_object": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": 
{ - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "space_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kubernetes": { - "properties": { - "annotations": { - "properties": { - "*": { - "type": "object" - } - } - }, - "container": { - "properties": { - "image": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "deployment": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "properties": { - "*": { - "type": "object" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pod": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "replicaset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service": { - "properties": { - "selectors": { - "properties": { - "*": { - "type": "object" - } - } - } - } - }, - "statefulset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "labels": { - "type": "object" - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "offset": { - "type": "long" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } 
- } - }, - "original": { - "ignore_above": 1024, - "index": false, - "type": "keyword" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "priority": { - "type": "long" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "logstash": { - "properties": { - "log": { - "properties": { - "log_event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "pipeline_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "event": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "plugin_params_object": { - "type": "object" - }, - "plugin_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "took_in_millis": { - "type": "long" - } - } - } - } - }, - "message": { - "norms": false, - "type": "text" - }, - "microsoft": { - "properties": { - "defender_atp": { - "properties": { - "assignedTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "determination": { - "ignore_above": 1024, - "type": "keyword" - }, - "evidence": { - "properties": { - "aadUserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "accountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "entityType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipAddress": { - "type": "ip" - }, - "userPrincipalName": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "incidentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "investigationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "investigationState": { - "ignore_above": 1024, - "type": "keyword" - }, - "lastUpdateTime": { - "type": "date" - }, - "rbacGroupName": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolvedTime": { - "type": "date" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "threatFamilyName": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "m365_defender": { - "properties": { - "alerts": { - "properties": { - "actorName": { - "ignore_above": 1024, - "type": "keyword" - }, - "assignedTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "creationTime": { - "type": "date" - }, - "detectionSource": { - "ignore_above": 1024, - "type": "keyword" - }, - "determination": { - "ignore_above": 1024, - "type": "keyword" - }, - "devices": { - "type": "flattened" - }, - "entities": { - "properties": { - "accountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "clusterBy": { - "ignore_above": 1024, - "type": "keyword" - }, - "deliveryAction": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceId": { - "ignore_above": 1024, - "type": "keyword" - }, - "entityType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "mailboxAddress": { - "ignore_above": 
1024, - "type": "keyword" - }, - "mailboxDisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "recipient": { - "ignore_above": 1024, - "type": "keyword" - }, - "registryHive": { - "ignore_above": 1024, - "type": "keyword" - }, - "registryKey": { - "ignore_above": 1024, - "type": "keyword" - }, - "registryValueType": { - "ignore_above": 1024, - "type": "keyword" - }, - "securityGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "securityGroupName": { - "ignore_above": 1024, - "type": "keyword" - }, - "sender": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "incidentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "investigationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "investigationState": { - "ignore_above": 1024, - "type": "keyword" - }, - "lastUpdatedTime": { - "type": "date" - }, - "mitreTechniques": { - "ignore_above": 1024, - "type": "keyword" - }, - "resolvedTime": { - "type": "date" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "threatFamilyName": { - "ignore_above": 1024, - "type": "keyword" - }, - "userSid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "assignedTo": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "determination": { - "ignore_above": 1024, - "type": "keyword" - }, - "incidentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "incidentName": { - "ignore_above": 1024, - "type": "keyword" - }, - "investigationState": { - "ignore_above": 1024, - "type": "keyword" - }, - "redirectIncidentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "misp": { - "properties": { - "attack_pattern": { - 
"properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "kill_chain_phases": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "campaign": { - "properties": { - "aliases": { - "norms": false, - "type": "text" - }, - "description": { - "norms": false, - "type": "text" - }, - "first_seen": { - "type": "date" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "objective": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "course_of_action": { - "properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity": { - "properties": { - "contact_information": { - "norms": false, - "type": "text" - }, - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sectors": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "intrusion_set": { - "properties": { - "aliases": { - "norms": false, - "type": "text" - }, - "description": { - "norms": false, - "type": "text" - }, - "first_seen": { - "type": "date" - }, - "goals": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "primary_motivation": { - "norms": false, - "type": "text" - }, - "resource_level": { - "norms": false, - "type": "text" - }, - "secondary_motivations": { - "norms": false, - 
"type": "text" - } - } - }, - "malware": { - "properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "kill_chain_phases": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "note": { - "properties": { - "authors": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_refs": { - "ignore_above": 1024, - "type": "keyword" - }, - "summary": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "observed_data": { - "properties": { - "first_observed": { - "type": "date" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_observed": { - "type": "date" - }, - "number_observed": { - "type": "long" - }, - "objects": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "report": { - "properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_refs": { - "norms": false, - "type": "text" - }, - "published": { - "type": "date" - } - } - }, - "threat_actor": { - "properties": { - "aliases": { - "norms": false, - "type": "text" - }, - "description": { - "norms": false, - "type": "text" - }, - "goals": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "personal_motivations": { - "norms": false, - "type": "text" - }, - "primary_motivation": { - "norms": false, - "type": "text" - }, - "resource_level": { - "norms": false, - "type": "text" - 
}, - "roles": { - "norms": false, - "type": "text" - }, - "secondary_motivations": { - "norms": false, - "type": "text" - }, - "sophistication": { - "norms": false, - "type": "text" - } - } - }, - "threat_indicator": { - "properties": { - "attack_pattern": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack_pattern_kql": { - "ignore_above": 1024, - "type": "keyword" - }, - "campaign": { - "ignore_above": 1024, - "type": "keyword" - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "norms": false, - "type": "text" - }, - "feed": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "intrusion_set": { - "ignore_above": 1024, - "type": "keyword" - }, - "kill_chain_phases": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_tactic": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitre_technique": { - "ignore_above": 1024, - "type": "keyword" - }, - "negate": { - "type": "boolean" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_actor": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "valid_from": { - "type": "date" - }, - "valid_until": { - "type": "date" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "kill_chain_phases": { - "norms": false, - "type": "text" - }, - "labels": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tool_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "description": { - "norms": false, - "type": "text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "mongodb": { - "properties": { - "log": { - "properties": { - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "context": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "mssql": { - "properties": { - "log": { - "properties": { - "origin": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "mysql": { - "properties": { - "slowlog": { - "properties": { - "bytes_received": { - "type": "long" - }, - "bytes_sent": { - "type": "long" - }, - "current_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "filesort": { - "type": "boolean" - }, - "filesort_on_disk": { - "type": "boolean" - }, - "full_join": { - "type": "boolean" - }, - "full_scan": { - "type": "boolean" - }, - "innodb": { - "properties": { - "io_r_bytes": { - "type": "long" - }, - "io_r_ops": { - "type": "long" - }, - "io_r_wait": { - "properties": { - "sec": { - "type": "long" - } - } - }, - "pages_distinct": { - "type": "long" - }, - "queue_wait": { - "properties": { - "sec": { - "type": "long" - } - } - }, - "rec_lock_wait": { - "properties": { - "sec": { - "type": "long" - } - } - }, - "trx_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "killed": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_errno": { - "ignore_above": 1024, - "type": "keyword" - }, - "lock_time": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "log_slow_rate_limit": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_slow_rate_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "merge_passes": { - "type": "long" - }, - "priority_queue": { - "type": "boolean" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "query_cache_hit": { - "type": "boolean" - }, - "read_first": { - "type": "long" - }, - "read_key": { - "type": "long" - }, - "read_last": { - "type": "long" - }, - "read_next": { - "type": "long" - }, - "read_prev": 
{ - "type": "long" - }, - "read_rnd": { - "type": "long" - }, - "read_rnd_next": { - "type": "long" - }, - "rows_affected": { - "type": "long" - }, - "rows_examined": { - "type": "long" - }, - "rows_sent": { - "type": "long" - }, - "schema": { - "ignore_above": 1024, - "type": "keyword" - }, - "sort_merge_passes": { - "type": "long" - }, - "sort_range_count": { - "type": "long" - }, - "sort_rows": { - "type": "long" - }, - "sort_scan_count": { - "type": "long" - }, - "tmp_disk_tables": { - "type": "long" - }, - "tmp_table": { - "type": "boolean" - }, - "tmp_table_on_disk": { - "type": "boolean" - }, - "tmp_table_sizes": { - "type": "long" - }, - "tmp_tables": { - "type": "long" - } - } - }, - "thread_id": { - "type": "long" - } - } - }, - "mysqlenterprise": { - "properties": { - "audit": { - "properties": { - "account": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_data": { - "properties": { - "connection_attributes": { - "type": "flattened" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "db": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "type": "long" - } - } - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "general_data": { - "properties": { - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "sql_command": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "login": { - "properties": { - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "shutdown_data": { - "properties": { - "server_id": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "startup_data": { - "properties": { - "mysql_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "table_access_data": { - "properties": { - "db": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "sql_command": { - "ignore_above": 1024, - "type": "keyword" - }, - "table": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "nats": { - "properties": { - "log": { - "properties": { - "client": { - "properties": { - "id": { - "type": "long" - } - } - }, - "msg": { - "properties": { - "bytes": { - "type": "long" - }, - "error": { - "properties": { - "message": { - "norms": false, - "type": "text" - } - } - }, - "max_messages": { - "type": "long" - }, - "queue_group": { - "norms": false, - "type": "text" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "sid": { - "type": "long" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "netflow": { - "properties": { - "absolute_error": { - "type": "double" - }, - "address_pool_high_threshold": { - "type": "long" - }, - "address_pool_low_threshold": { - "type": "long" - }, - "address_port_mapping_high_threshold": { - "type": "long" - }, - "address_port_mapping_low_threshold": { - "type": "long" - }, - "address_port_mapping_per_user_high_threshold": { - "type": "long" - }, - "anonymization_flags": { - "type": "long" - }, - "anonymization_technique": { - "type": "long" - }, - "application_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_group_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_id": { - "type": "short" - }, - "application_name": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "application_sub_category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "bgp_destination_as_number": { - "type": "long" - }, - "bgp_next_adjacent_as_number": { - "type": "long" - }, - "bgp_next_hop_ipv4_address": { - "type": "ip" - }, - "bgp_next_hop_ipv6_address": { - "type": "ip" - }, - "bgp_prev_adjacent_as_number": { - "type": "long" - }, - "bgp_source_as_number": { - "type": "long" - }, - "bgp_validity_state": { - "type": "short" - }, - "biflow_direction": { - "type": "short" - }, - "class_id": { - "type": "long" - }, - "class_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification_engine_id": { - "type": "short" - }, - "collection_time_milliseconds": { - "type": "date" - }, - "collector_certificate": { - "type": "short" - }, - "collector_ipv4_address": { - "type": "ip" - }, - "collector_ipv6_address": { - "type": "ip" - }, - "collector_transport_port": { - "type": "long" - }, - "common_properties_id": { - "type": "long" - }, - "confidence_level": { - "type": "double" - }, - "connection_sum_duration_seconds": { - "type": "long" - }, - "connection_transaction_id": { - "type": "long" - }, - "data_link_frame_section": { - "type": "short" - }, - "data_link_frame_size": { - "type": "long" - }, - "data_link_frame_type": { - "type": "long" - }, - "data_records_reliability": { - "type": "boolean" - }, - "delta_flow_count": { - "type": "long" - }, - "destination_ipv4_address": { - "type": "ip" - }, - "destination_ipv4_prefix": { - "type": "ip" - }, - "destination_ipv4_prefix_length": { - "type": "short" - }, - "destination_ipv6_address": { - "type": "ip" - }, - "destination_ipv6_prefix": { - "type": "ip" - }, - "destination_ipv6_prefix_length": { - "type": "short" - }, - "destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_transport_port": { - "type": "long" - }, - "digest_hash_value": { - "type": "long" - }, - 
"distinct_count_of_destination_ip_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv4_address": { - "type": "long" - }, - "distinct_count_of_destination_ipv6_address": { - "type": "long" - }, - "distinct_count_of_source_ip_address": { - "type": "long" - }, - "distinct_count_of_source_ipv4_address": { - "type": "long" - }, - "distinct_count_of_source_ipv6_address": { - "type": "long" - }, - "dot1q_customer_dei": { - "type": "boolean" - }, - "dot1q_customer_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_priority": { - "type": "short" - }, - "dot1q_customer_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "dot1q_customer_vlan_id": { - "type": "long" - }, - "dot1q_dei": { - "type": "boolean" - }, - "dot1q_priority": { - "type": "short" - }, - "dot1q_service_instance_id": { - "type": "long" - }, - "dot1q_service_instance_priority": { - "type": "short" - }, - "dot1q_service_instance_tag": { - "type": "short" - }, - "dot1q_vlan_id": { - "type": "long" - }, - "dropped_layer2_octet_delta_count": { - "type": "long" - }, - "dropped_layer2_octet_total_count": { - "type": "long" - }, - "dropped_octet_delta_count": { - "type": "long" - }, - "dropped_octet_total_count": { - "type": "long" - }, - "dropped_packet_delta_count": { - "type": "long" - }, - "dropped_packet_total_count": { - "type": "long" - }, - "dst_traffic_index": { - "type": "long" - }, - "egress_broadcast_packet_total_count": { - "type": "long" - }, - "egress_interface": { - "type": "long" - }, - "egress_interface_type": { - "type": "long" - }, - "egress_physical_interface": { - "type": "long" - }, - "egress_unicast_packet_total_count": { - "type": "long" - }, - "egress_vrfid": { - "type": "long" - }, - "encrypted_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "engine_id": { - "type": "short" - }, - "engine_type": { - "type": "short" - }, - "ethernet_header_length": { - "type": "short" - }, - 
"ethernet_payload_length": { - "type": "long" - }, - "ethernet_total_length": { - "type": "long" - }, - "ethernet_type": { - "type": "long" - }, - "export_interface": { - "type": "long" - }, - "export_protocol_version": { - "type": "short" - }, - "export_sctp_stream_id": { - "type": "long" - }, - "export_transport_protocol": { - "type": "short" - }, - "exported_flow_record_total_count": { - "type": "long" - }, - "exported_message_total_count": { - "type": "long" - }, - "exported_octet_total_count": { - "type": "long" - }, - "exporter": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_id": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "uptime_millis": { - "type": "long" - }, - "version": { - "type": "long" - } - } - }, - "exporter_certificate": { - "type": "short" - }, - "exporter_ipv4_address": { - "type": "ip" - }, - "exporter_ipv6_address": { - "type": "ip" - }, - "exporter_transport_port": { - "type": "long" - }, - "exporting_process_id": { - "type": "long" - }, - "external_address_realm": { - "type": "short" - }, - "firewall_event": { - "type": "short" - }, - "flags_and_sampler_id": { - "type": "long" - }, - "flow_active_timeout": { - "type": "long" - }, - "flow_direction": { - "type": "short" - }, - "flow_duration_microseconds": { - "type": "long" - }, - "flow_duration_milliseconds": { - "type": "long" - }, - "flow_end_delta_microseconds": { - "type": "long" - }, - "flow_end_microseconds": { - "type": "date" - }, - "flow_end_milliseconds": { - "type": "date" - }, - "flow_end_nanoseconds": { - "type": "date" - }, - "flow_end_reason": { - "type": "short" - }, - "flow_end_seconds": { - "type": "date" - }, - "flow_end_sys_up_time": { - "type": "long" - }, - "flow_id": { - "type": "long" - }, - "flow_idle_timeout": { - "type": "long" - }, - "flow_key_indicator": { - "type": "long" - }, - "flow_label_ipv6": { - "type": "long" - }, - "flow_sampling_time_interval": { - "type": "long" - }, - 
"flow_sampling_time_spacing": { - "type": "long" - }, - "flow_selected_flow_delta_count": { - "type": "long" - }, - "flow_selected_octet_delta_count": { - "type": "long" - }, - "flow_selected_packet_delta_count": { - "type": "long" - }, - "flow_selector_algorithm": { - "type": "long" - }, - "flow_start_delta_microseconds": { - "type": "long" - }, - "flow_start_microseconds": { - "type": "date" - }, - "flow_start_milliseconds": { - "type": "date" - }, - "flow_start_nanoseconds": { - "type": "date" - }, - "flow_start_seconds": { - "type": "date" - }, - "flow_start_sys_up_time": { - "type": "long" - }, - "forwarding_status": { - "type": "short" - }, - "fragment_flags": { - "type": "short" - }, - "fragment_identification": { - "type": "long" - }, - "fragment_offset": { - "type": "long" - }, - "global_address_mapping_high_threshold": { - "type": "long" - }, - "gre_key": { - "type": "long" - }, - "hash_digest_output": { - "type": "boolean" - }, - "hash_flow_domain": { - "type": "long" - }, - "hash_initialiser_value": { - "type": "long" - }, - "hash_ip_payload_offset": { - "type": "long" - }, - "hash_ip_payload_size": { - "type": "long" - }, - "hash_output_range_max": { - "type": "long" - }, - "hash_output_range_min": { - "type": "long" - }, - "hash_selected_range_max": { - "type": "long" - }, - "hash_selected_range_min": { - "type": "long" - }, - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_message_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_reason_phrase": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_request_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status_code": { - "type": "long" - }, - "http_user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code_ipv4": { - "type": "short" - }, - "icmp_code_ipv6": { - 
"type": "short" - }, - "icmp_type_code_ipv4": { - "type": "long" - }, - "icmp_type_code_ipv6": { - "type": "long" - }, - "icmp_type_ipv4": { - "type": "short" - }, - "icmp_type_ipv6": { - "type": "short" - }, - "igmp_type": { - "type": "short" - }, - "ignored_data_record_total_count": { - "type": "long" - }, - "ignored_layer2_frame_total_count": { - "type": "long" - }, - "ignored_layer2_octet_total_count": { - "type": "long" - }, - "ignored_octet_total_count": { - "type": "long" - }, - "ignored_packet_total_count": { - "type": "long" - }, - "information_element_data_type": { - "type": "short" - }, - "information_element_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_id": { - "type": "long" - }, - "information_element_index": { - "type": "long" - }, - "information_element_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "information_element_range_begin": { - "type": "long" - }, - "information_element_range_end": { - "type": "long" - }, - "information_element_semantics": { - "type": "short" - }, - "information_element_units": { - "type": "long" - }, - "ingress_broadcast_packet_total_count": { - "type": "long" - }, - "ingress_interface": { - "type": "long" - }, - "ingress_interface_type": { - "type": "long" - }, - "ingress_multicast_packet_total_count": { - "type": "long" - }, - "ingress_physical_interface": { - "type": "long" - }, - "ingress_unicast_packet_total_count": { - "type": "long" - }, - "ingress_vrfid": { - "type": "long" - }, - "initiator_octets": { - "type": "long" - }, - "initiator_packets": { - "type": "long" - }, - "interface_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "intermediate_process_id": { - "type": "long" - }, - "internal_address_realm": { - "type": "short" - }, - "ip_class_of_service": { - "type": "short" - }, - "ip_diff_serv_code_point": { - "type": "short" - }, - "ip_header_length": { - "type": 
"short" - }, - "ip_header_packet_section": { - "type": "short" - }, - "ip_next_hop_ipv4_address": { - "type": "ip" - }, - "ip_next_hop_ipv6_address": { - "type": "ip" - }, - "ip_payload_length": { - "type": "long" - }, - "ip_payload_packet_section": { - "type": "short" - }, - "ip_precedence": { - "type": "short" - }, - "ip_sec_spi": { - "type": "long" - }, - "ip_total_length": { - "type": "long" - }, - "ip_ttl": { - "type": "short" - }, - "ip_version": { - "type": "short" - }, - "ipv4_ihl": { - "type": "short" - }, - "ipv4_options": { - "type": "long" - }, - "ipv4_router_sc": { - "type": "ip" - }, - "ipv6_extension_headers": { - "type": "long" - }, - "is_multicast": { - "type": "short" - }, - "layer2_frame_delta_count": { - "type": "long" - }, - "layer2_frame_total_count": { - "type": "long" - }, - "layer2_octet_delta_count": { - "type": "long" - }, - "layer2_octet_delta_sum_of_squares": { - "type": "long" - }, - "layer2_octet_total_count": { - "type": "long" - }, - "layer2_octet_total_sum_of_squares": { - "type": "long" - }, - "layer2_segment_id": { - "type": "long" - }, - "layer2packet_section_data": { - "type": "short" - }, - "layer2packet_section_offset": { - "type": "long" - }, - "layer2packet_section_size": { - "type": "long" - }, - "line_card_id": { - "type": "long" - }, - "lower_ci_limit": { - "type": "double" - }, - "max_bib_entries": { - "type": "long" - }, - "max_entries_per_user": { - "type": "long" - }, - "max_export_seconds": { - "type": "date" - }, - "max_flow_end_microseconds": { - "type": "date" - }, - "max_flow_end_milliseconds": { - "type": "date" - }, - "max_flow_end_nanoseconds": { - "type": "date" - }, - "max_flow_end_seconds": { - "type": "date" - }, - "max_fragments_pending_reassembly": { - "type": "long" - }, - "max_session_entries": { - "type": "long" - }, - "max_subscribers": { - "type": "long" - }, - "maximum_ip_total_length": { - "type": "long" - }, - "maximum_layer2_total_length": { - "type": "long" - }, - "maximum_ttl": { - "type": 
"short" - }, - "message_md5_checksum": { - "type": "short" - }, - "message_scope": { - "type": "short" - }, - "metering_process_id": { - "type": "long" - }, - "metro_evc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "metro_evc_type": { - "type": "short" - }, - "mib_capture_time_semantics": { - "type": "short" - }, - "mib_context_engine_id": { - "type": "short" - }, - "mib_context_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_index_indicator": { - "type": "long" - }, - "mib_module_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_identifier": { - "type": "short" - }, - "mib_object_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_syntax": { - "ignore_above": 1024, - "type": "keyword" - }, - "mib_object_value_bits": { - "type": "short" - }, - "mib_object_value_counter": { - "type": "long" - }, - "mib_object_value_gauge": { - "type": "long" - }, - "mib_object_value_integer": { - "type": "long" - }, - "mib_object_value_ip_address": { - "type": "ip" - }, - "mib_object_value_octet_string": { - "type": "short" - }, - "mib_object_value_oid": { - "type": "short" - }, - "mib_object_value_time_ticks": { - "type": "long" - }, - "mib_object_value_unsigned": { - "type": "long" - }, - "mib_sub_identifier": { - "type": "long" - }, - "min_export_seconds": { - "type": "date" - }, - "min_flow_start_microseconds": { - "type": "date" - }, - "min_flow_start_milliseconds": { - "type": "date" - }, - "min_flow_start_nanoseconds": { - "type": "date" - }, - "min_flow_start_seconds": { - "type": "date" - }, - "minimum_ip_total_length": { - "type": "long" - }, - "minimum_layer2_total_length": { - "type": "long" - }, - "minimum_ttl": { - "type": "short" - }, - "mobile_imsi": { - "ignore_above": 1024, - "type": "keyword" - }, - "mobile_msisdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "monitoring_interval_end_milli_seconds": { - 
"type": "date" - }, - "monitoring_interval_start_milli_seconds": { - "type": "date" - }, - "mpls_label_stack_depth": { - "type": "long" - }, - "mpls_label_stack_length": { - "type": "long" - }, - "mpls_label_stack_section": { - "type": "short" - }, - "mpls_label_stack_section10": { - "type": "short" - }, - "mpls_label_stack_section2": { - "type": "short" - }, - "mpls_label_stack_section3": { - "type": "short" - }, - "mpls_label_stack_section4": { - "type": "short" - }, - "mpls_label_stack_section5": { - "type": "short" - }, - "mpls_label_stack_section6": { - "type": "short" - }, - "mpls_label_stack_section7": { - "type": "short" - }, - "mpls_label_stack_section8": { - "type": "short" - }, - "mpls_label_stack_section9": { - "type": "short" - }, - "mpls_payload_length": { - "type": "long" - }, - "mpls_payload_packet_section": { - "type": "short" - }, - "mpls_top_label_exp": { - "type": "short" - }, - "mpls_top_label_ipv4_address": { - "type": "ip" - }, - "mpls_top_label_ipv6_address": { - "type": "ip" - }, - "mpls_top_label_prefix_length": { - "type": "short" - }, - "mpls_top_label_stack_section": { - "type": "short" - }, - "mpls_top_label_ttl": { - "type": "short" - }, - "mpls_top_label_type": { - "type": "short" - }, - "mpls_vpn_route_distinguisher": { - "type": "short" - }, - "multicast_replication_factor": { - "type": "long" - }, - "nat_event": { - "type": "short" - }, - "nat_instance_id": { - "type": "long" - }, - "nat_originating_address_realm": { - "type": "short" - }, - "nat_pool_id": { - "type": "long" - }, - "nat_pool_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_quota_exceeded_event": { - "type": "long" - }, - "nat_threshold_event": { - "type": "long" - }, - "nat_type": { - "type": "short" - }, - "new_connection_delta_count": { - "type": "long" - }, - "next_header_ipv6": { - "type": "short" - }, - "not_sent_flow_total_count": { - "type": "long" - }, - "not_sent_layer2_octet_total_count": { - "type": "long" - }, - 
"not_sent_octet_total_count": { - "type": "long" - }, - "not_sent_packet_total_count": { - "type": "long" - }, - "observation_domain_id": { - "type": "long" - }, - "observation_domain_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observation_point_id": { - "type": "long" - }, - "observation_point_type": { - "type": "short" - }, - "observation_time_microseconds": { - "type": "date" - }, - "observation_time_milliseconds": { - "type": "date" - }, - "observation_time_nanoseconds": { - "type": "date" - }, - "observation_time_seconds": { - "type": "date" - }, - "observed_flow_total_count": { - "type": "long" - }, - "octet_delta_count": { - "type": "long" - }, - "octet_delta_sum_of_squares": { - "type": "long" - }, - "octet_total_count": { - "type": "long" - }, - "octet_total_sum_of_squares": { - "type": "long" - }, - "opaque_octets": { - "type": "short" - }, - "original_exporter_ipv4_address": { - "type": "ip" - }, - "original_exporter_ipv6_address": { - "type": "ip" - }, - "original_flows_completed": { - "type": "long" - }, - "original_flows_initiated": { - "type": "long" - }, - "original_flows_present": { - "type": "long" - }, - "original_observation_domain_id": { - "type": "long" - }, - "p2p_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_delta_count": { - "type": "long" - }, - "packet_total_count": { - "type": "long" - }, - "padding_octets": { - "type": "short" - }, - "payload_length_ipv6": { - "type": "long" - }, - "port_id": { - "type": "long" - }, - "port_range_end": { - "type": "long" - }, - "port_range_num_ports": { - "type": "long" - }, - "port_range_start": { - "type": "long" - }, - "port_range_step_size": { - "type": "long" - }, - "post_destination_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_dot1q_customer_vlan_id": { - "type": "long" - }, - "post_dot1q_vlan_id": { - "type": "long" - }, - "post_ip_class_of_service": { - "type": "short" - }, - "post_ip_diff_serv_code_point": { - "type": 
"short" - }, - "post_ip_precedence": { - "type": "short" - }, - "post_layer2_octet_delta_count": { - "type": "long" - }, - "post_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_layer2_octet_delta_count": { - "type": "long" - }, - "post_mcast_layer2_octet_total_count": { - "type": "long" - }, - "post_mcast_octet_delta_count": { - "type": "long" - }, - "post_mcast_octet_total_count": { - "type": "long" - }, - "post_mcast_packet_delta_count": { - "type": "long" - }, - "post_mcast_packet_total_count": { - "type": "long" - }, - "post_mpls_top_label_exp": { - "type": "short" - }, - "post_napt_destination_transport_port": { - "type": "long" - }, - "post_napt_source_transport_port": { - "type": "long" - }, - "post_nat_destination_ipv4_address": { - "type": "ip" - }, - "post_nat_destination_ipv6_address": { - "type": "ip" - }, - "post_nat_source_ipv4_address": { - "type": "ip" - }, - "post_nat_source_ipv6_address": { - "type": "ip" - }, - "post_octet_delta_count": { - "type": "long" - }, - "post_octet_total_count": { - "type": "long" - }, - "post_packet_delta_count": { - "type": "long" - }, - "post_packet_total_count": { - "type": "long" - }, - "post_source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "post_vlan_id": { - "type": "long" - }, - "private_enterprise_number": { - "type": "long" - }, - "protocol_identifier": { - "type": "short" - }, - "pseudo_wire_control_word": { - "type": "long" - }, - "pseudo_wire_destination_ipv4_address": { - "type": "ip" - }, - "pseudo_wire_id": { - "type": "long" - }, - "pseudo_wire_type": { - "type": "long" - }, - "relative_error": { - "type": "double" - }, - "responder_octets": { - "type": "long" - }, - "responder_packets": { - "type": "long" - }, - "rfc3550_jitter_microseconds": { - "type": "long" - }, - "rfc3550_jitter_milliseconds": { - "type": "long" - }, - "rfc3550_jitter_nanoseconds": { - "type": "long" - }, - "rtp_sequence_number": { - "type": "long" - }, - "sampler_id": { - "type": "short" - 
}, - "sampler_mode": { - "type": "short" - }, - "sampler_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sampler_random_interval": { - "type": "long" - }, - "sampling_algorithm": { - "type": "short" - }, - "sampling_flow_interval": { - "type": "long" - }, - "sampling_flow_spacing": { - "type": "long" - }, - "sampling_interval": { - "type": "long" - }, - "sampling_packet_interval": { - "type": "long" - }, - "sampling_packet_space": { - "type": "long" - }, - "sampling_population": { - "type": "long" - }, - "sampling_probability": { - "type": "double" - }, - "sampling_size": { - "type": "long" - }, - "sampling_time_interval": { - "type": "long" - }, - "sampling_time_space": { - "type": "long" - }, - "section_exported_octets": { - "type": "long" - }, - "section_offset": { - "type": "long" - }, - "selection_sequence_id": { - "type": "long" - }, - "selector_algorithm": { - "type": "long" - }, - "selector_id": { - "type": "long" - }, - "selector_id_total_flows_observed": { - "type": "long" - }, - "selector_id_total_flows_selected": { - "type": "long" - }, - "selector_id_total_pkts_observed": { - "type": "long" - }, - "selector_id_total_pkts_selected": { - "type": "long" - }, - "selector_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_scope": { - "type": "short" - }, - "source_ipv4_address": { - "type": "ip" - }, - "source_ipv4_prefix": { - "type": "ip" - }, - "source_ipv4_prefix_length": { - "type": "short" - }, - "source_ipv6_address": { - "type": "ip" - }, - "source_ipv6_prefix": { - "type": "ip" - }, - "source_ipv6_prefix_length": { - "type": "short" - }, - "source_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_transport_port": { - "type": "long" - }, - "source_transport_ports_limit": { - "type": "long" - }, - "src_traffic_index": { - "type": "long" - }, - "sta_ipv4_address": { - "type": "ip" - }, - "sta_mac_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "system_init_time_milliseconds": { - 
"type": "date" - }, - "tcp_ack_total_count": { - "type": "long" - }, - "tcp_acknowledgement_number": { - "type": "long" - }, - "tcp_control_bits": { - "type": "long" - }, - "tcp_destination_port": { - "type": "long" - }, - "tcp_fin_total_count": { - "type": "long" - }, - "tcp_header_length": { - "type": "short" - }, - "tcp_options": { - "type": "long" - }, - "tcp_psh_total_count": { - "type": "long" - }, - "tcp_rst_total_count": { - "type": "long" - }, - "tcp_sequence_number": { - "type": "long" - }, - "tcp_source_port": { - "type": "long" - }, - "tcp_syn_total_count": { - "type": "long" - }, - "tcp_urg_total_count": { - "type": "long" - }, - "tcp_urgent_pointer": { - "type": "long" - }, - "tcp_window_scale": { - "type": "long" - }, - "tcp_window_size": { - "type": "long" - }, - "template_id": { - "type": "long" - }, - "total_length_ipv4": { - "type": "long" - }, - "transport_octet_delta_count": { - "type": "long" - }, - "transport_packet_delta_count": { - "type": "long" - }, - "tunnel_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "udp_destination_port": { - "type": "long" - }, - "udp_message_length": { - "type": "long" - }, - "udp_source_port": { - "type": "long" - }, - "upper_ci_limit": { - "type": "double" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "value_distribution_method": { - "type": "short" - }, - "virtual_station_interface_id": { - "type": "short" - }, - "virtual_station_interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_station_uuid": { - "type": "short" - }, - "vlan_id": { - "type": "long" - }, - "vpn_identifier": { - "type": "short" - }, - "vr_fname": { - "ignore_above": 1024, - "type": "keyword" - }, - "wlan_channel_id": { - "type": "short" - }, - "wlan_ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "wtp_mac_address": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "interface": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "nginx": { - "properties": { - "error": { - "properties": { - "connection_id": { - "type": "long" - } - } - }, - "ingress_controller": { - "properties": { - "http": { - "properties": { - "request": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "time": { - "type": "double" - } - } - } - } - }, - "upstream": { - "properties": { - "alternative_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "response": { - "properties": { - "length": { - "type": "long" - }, - "length_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - }, - "status_code_list": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "double" - }, - "time_list": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "upstream_address_list": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "o365": { - "properties": { - "audit": { - "properties": { - "AADGroupId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ActorContextId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ActorIpAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "ActorUserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ActorYammerUserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AlertEntityId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AlertId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AlertType": { - "ignore_above": 1024, - "type": "keyword" - }, - "AppId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ApplicationDisplayName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ApplicationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "AzureActiveDirectoryEventType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Category": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientAppId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientIP": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientIPAddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "ClientInfoString": { - "ignore_above": 1024, - "type": "keyword" - }, - "Comments": { - "norms": false, - "type": "text" - }, - "CommunicationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "CorrelationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "CreationTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "CustomUniqueId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Data": { - "ignore_above": 1024, - "type": "keyword" - }, - "DataType": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"DoNotDistributeEvent": { - "type": "boolean" - }, - "EntityType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ErrorNumber": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventData": { - "ignore_above": 1024, - "type": "keyword" - }, - "EventSource": { - "ignore_above": 1024, - "type": "keyword" - }, - "ExceptionInfo": { - "properties": { - "*": { - "type": "object" - } - } - }, - "ExchangeMetaData": { - "properties": { - "*": { - "type": "object" - } - } - }, - "ExtendedProperties": { - "properties": { - "*": { - "type": "object" - } - } - }, - "ExternalAccess": { - "ignore_above": 1024, - "type": "keyword" - }, - "FromApp": { - "type": "boolean" - }, - "GroupName": { - "ignore_above": 1024, - "type": "keyword" - }, - "Id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImplicitShare": { - "ignore_above": 1024, - "type": "keyword" - }, - "IncidentId": { - "ignore_above": 1024, - "type": "keyword" - }, - "InterSystemsId": { - "ignore_above": 1024, - "type": "keyword" - }, - "InternalLogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "IntraSystemId": { - "ignore_above": 1024, - "type": "keyword" - }, - "IsDocLib": { - "type": "boolean" - }, - "Item": { - "properties": { - "*": { - "properties": { - "*": { - "type": "object" - } - } - } - } - }, - "ItemCount": { - "type": "long" - }, - "ItemName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ItemType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListBaseTemplateType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListBaseType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListColor": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListIcon": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListItemUniqueId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ListTitle": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonError": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MailboxGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MailboxOwnerMasterAccountSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MailboxOwnerSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "MailboxOwnerUPN": { - "ignore_above": 1024, - "type": "keyword" - }, - "Members": { - "properties": { - "*": { - "type": "object" - } - } - }, - "ModifiedProperties": { - "properties": { - "*": { - "properties": { - "*": { - "type": "object" - } - } - } - } - }, - "Name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ObjectId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "OrganizationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "OrganizationName": { - "ignore_above": 1024, - "type": "keyword" - }, - "OriginatingServer": { - "ignore_above": 1024, - "type": "keyword" - }, - "Parameters": { - "properties": { - "*": { - "type": "object" - } - } - }, - "PolicyId": { - "ignore_above": 1024, - "type": "keyword" - }, - "RecordType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ResultStatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "SensitiveInfoDetectionIsIncluded": { - "ignore_above": 1024, - "type": "keyword" - }, - "SessionId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "SharePointMetaData": { - "properties": { - "*": { - "type": "object" - } - } - }, - "Site": { - "ignore_above": 1024, - "type": "keyword" - }, - "SiteUrl": { - "ignore_above": 1024, - "type": "keyword" - }, - "Source": { - "ignore_above": 1024, - "type": "keyword" - }, - "SourceFileExtension": { - "ignore_above": 1024, - "type": "keyword" - }, - "SourceFileName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SourceRelativeUrl": 
{ - "ignore_above": 1024, - "type": "keyword" - }, - "Status": { - "ignore_above": 1024, - "type": "keyword" - }, - "SupportTicketId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetContextId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserOrGroupName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserOrGroupType": { - "ignore_above": 1024, - "type": "keyword" - }, - "TeamGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "TeamName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TemplateTypeId": { - "ignore_above": 1024, - "type": "keyword" - }, - "UniqueSharingId": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserAgent": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserId": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserKey": { - "ignore_above": 1024, - "type": "keyword" - }, - "UserType": { - "ignore_above": 1024, - "type": "keyword" - }, - "Version": { - "ignore_above": 1024, - "type": "keyword" - }, - "WebId": { - "ignore_above": 1024, - "type": "keyword" - }, - "Workload": { - "ignore_above": 1024, - "type": "keyword" - }, - "YammerNetworkId": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "object_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "okta": { - "properties": { - "actor": { - "properties": { - "alternate_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "authentication_context": { - "properties": { - "authentication_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_step": { - "type": "long" - }, - "credential_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "credential_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "external_session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user_agent": { - "properties": { - "browser": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_user_agent": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "debug_context": { - "properties": { - "debug_data": { - "properties": { - "device_fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_suspected": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "display_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "outcome": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { 
- "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "ip_chain": { - "properties": { - "geographical_context": { - "properties": { - "city": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "geolocation": { - "type": "geo_point" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "security_context": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_proxy": { - "type": "boolean" - }, - "isp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "oracle": { - "properties": { - "database_audit": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "action_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "terminal": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "database": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "entry": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "length": { - "type": "long" - }, - "privilege": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "osquery": { - "properties": { - "result": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "calendar_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "unix_time": { - "type": "long" - } - } - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "panw": { - "properties": { - "panos": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination": { - "properties": { - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "endreason": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "nat": { - "properties": { - "community_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pcap_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence_number": { - "type": "long" - }, - "source": { - "properties": { - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sub_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pensando": { - "properties": { - "dfw": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "type": "long" - }, - "destination_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_port": { - "type": "long" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "type": "long" - }, - "session_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_port": { - "type": "long" - }, - "timestamp": { - "type": "date" - } - } - } - } - }, - "postgresql": { - "properties": { - "log": { - "properties": { - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "context": { - "ignore_above": 1024, - "type": "keyword" - }, - "core_id": { - "path": "postgresql.log.session_line_number", - "type": "alias" - }, - 
"database": { - "ignore_above": 1024, - "type": "keyword" - }, - "detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "properties": { - "code": { - "path": "postgresql.log.sql_state_code", - "type": "alias" - } - } - }, - "hint": { - "ignore_above": 1024, - "type": "keyword" - }, - "internal_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "internal_query_pos": { - "type": "long" - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "query_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "query_pos": { - "type": "long" - }, - "query_step": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_line_number": { - "type": "long" - }, - "session_start_time": { - "type": "date" - }, - "sql_state_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_id": { - "type": "long" - }, - "virtual_transaction_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - 
"properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pgid": { - "type": "long" - }, - "pid": { - "type": "long" - }, - "ppid": { - "type": "long" - }, - "program": { - "ignore_above": 1024, - "type": "keyword" - }, - "start": { - "type": "date" - }, - "thread": { - "properties": { - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - }, - "working_directory": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rabbitmq": { - "properties": { - "log": { - "properties": { - "pid": { - "ignore_above": 1024, - 
"type": "keyword" - } - } - } - } - }, - "redis": { - "properties": { - "log": { - "properties": { - "role": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slowlog": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "properties": { - "us": { - "type": "long" - } - } - }, - "id": { - "type": "long" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rsa": { - "properties": { - "counters": { - "properties": { - "dclass_c1": { - "type": "long" - }, - "dclass_c1_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_c2": { - "type": "long" - }, - "dclass_c2_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_c3": { - "type": "long" - }, - "dclass_c3_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_r1": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_r1_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_r2": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_r2_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "dclass_r3": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"dclass_r3_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_counter": { - "type": "long" - } - } - }, - "crypto": { - "properties": { - "cert_ca": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_common": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_host_cat": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_host_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_keysize": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "cipher_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "cipher_size_dst": { - "type": "long" - }, - "cipher_size_src": { - "type": "long" - }, - "cipher_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "crypto": { - "ignore_above": 1024, - "type": "keyword" - }, - "d_certauth": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_insact": { - "ignore_above": 1024, - "type": "keyword" - }, - "https_valid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ike": { - "ignore_above": 1024, - "type": "keyword" - }, - "ike_cookie1": { - "ignore_above": 1024, - "type": "keyword" - }, - "ike_cookie2": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "s_certauth": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_ver_dst": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "ssl_ver_src": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "db": { - "properties": { - "database": { - "ignore_above": 1024, - "type": "keyword" - }, - "db_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "db_pid": { - "type": "long" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "ignore_above": 1024, - "type": "keyword" - }, - "lread": { - "type": "long" - }, - "lwrite": { - "type": "long" - }, - "permissions": { - "ignore_above": 1024, - "type": "keyword" - }, - "pread": { - "type": "long" - }, - "table_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "transact_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "trans_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "trans_to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "endpoint": { - "properties": { - "host_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry_value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "attachment": { - "ignore_above": 1024, - "type": "keyword" - }, - "binary": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_entropy": { - "type": "double" - }, - "file_vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "filename_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "filename_src": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"filename_tmp": { - "ignore_above": 1024, - "type": "keyword" - }, - "filesystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "privilege": { - "ignore_above": 1024, - "type": "keyword" - }, - "task_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "healthcare": { - "properties": { - "patient_fname": { - "ignore_above": 1024, - "type": "keyword" - }, - "patient_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "patient_lname": { - "ignore_above": 1024, - "type": "keyword" - }, - "patient_mname": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity": { - "properties": { - "accesses": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "dn": { - "ignore_above": 1024, - "type": "keyword" - }, - "dn_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "dn_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "federated_idp": { - "ignore_above": 1024, - "type": "keyword" - }, - "federated_sp": { - "ignore_above": 1024, - "type": "keyword" - }, - "firstname": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "lastname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ldap": { - "ignore_above": 1024, - "type": "keyword" - }, - "ldap_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "ldap_response": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "logon_type_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "middlename": { - "ignore_above": 1024, - "type": "keyword" - }, - "org": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "realm": { - "ignore_above": 1024, - "type": "keyword" - }, 
- "service_account": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_dept": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_sid_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_sid_src": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "internal": { - "properties": { - "audit_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "cid": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "dead": { - "type": "long" - }, - "device_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_ip": { - "type": "ip" - }, - "device_ipv6": { - "type": "ip" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type_id": { - "type": "long" - }, - "did": { - "ignore_above": 1024, - "type": "keyword" - }, - "entropy_req": { - "type": "long" - }, - "entropy_res": { - "type": "long" - }, - "entry": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "feed_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "feed_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "feed_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "forward_ip": { - "type": "ip" - }, - "forward_ipv6": { - "type": "ip" - }, - "hcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "header_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "type": "long" - }, - "lc_cid": { - "ignore_above": 1024, - "type": "keyword" - }, - "lc_ctime": { - "type": "date" - }, - "level": { - "type": "long" - }, - "mcb_req": { - "type": "long" - }, - "mcb_res": { - "type": "long" - }, - 
"mcbc_req": { - "type": "long" - }, - "mcbc_res": { - "type": "long" - }, - "medium": { - "type": "long" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "messageid": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_vid": { - "ignore_above": 1024, - "type": "keyword" - }, - "node_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nwe_callback_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "parse_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "payload_req": { - "type": "long" - }, - "payload_res": { - "type": "long" - }, - "process_vid_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_vid_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "rid": { - "type": "long" - }, - "session_split": { - "ignore_above": 1024, - "type": "keyword" - }, - "site": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "sourcefile": { - "ignore_above": 1024, - "type": "keyword" - }, - "statement": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "date" - }, - "ubc_req": { - "type": "long" - }, - "ubc_res": { - "type": "long" - }, - "word": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "investigations": { - "properties": { - "analysis_file": { - "ignore_above": 1024, - "type": "keyword" - }, - "analysis_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "analysis_session": { - "ignore_above": 1024, - "type": "keyword" - }, - "boc": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "ec_activity": { - "ignore_above": 1024, - "type": "keyword" - }, - "ec_outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "ec_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "ec_theme": { - "ignore_above": 1024, - "type": "keyword" - }, - "eoc": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_cat": { - "type": "long" - }, - "event_cat_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_vcat": { - "ignore_above": 1024, - "type": "keyword" - }, - "inv_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "inv_context": { - "ignore_above": 1024, - "type": "keyword" - }, - "ioc": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "misc": { - "properties": { - "OS": { - "ignore_above": 1024, - "type": "keyword" - }, - "acl_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "acl_op": { - "ignore_above": 1024, - "type": "keyword" - }, - "acl_pos": { - "ignore_above": 1024, - "type": "keyword" - }, - "acl_table": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "admin": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "alarm_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "alarmname": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_object": { - "ignore_above": 1024, - "type": "keyword" - }, - "auditdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "autorun_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "benchmark": { - "ignore_above": 1024, - "type": "keyword" - }, - "bypass": { - "ignore_above": 1024, - "type": "keyword" - }, - "cache": { - "ignore_above": 1024, - "type": "keyword" - }, - "cache_hit": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cc_number": { - "type": "long" - }, - "cefversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfg_attr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfg_obj": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfg_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "change_attrib": { - "ignore_above": 1024, - "type": "keyword" - }, - "change_new": { - "ignore_above": 1024, - "type": "keyword" - }, - "change_old": { - "ignore_above": 1024, - "type": "keyword" - }, - "changes": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "clustermembers": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_acttimeout": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_asn_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_bgpv4nxthop": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_ctr_dst_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_dst_tos": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_dst_vlan": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_engine_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_engine_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_f_switch": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_flowsampid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_flowsampintv": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_flowsampmode": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"cn_inacttimeout": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_inpermbyts": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_inpermpckts": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_invalid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_ip_proto_ver": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_ipv4_ident": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_l_switch": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_log_did": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_log_rid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_max_ttl": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_maxpcktlen": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_min_ttl": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_minpcktlen": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_1": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_10": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_2": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_3": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_4": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_5": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_6": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_7": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_8": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mpls_lbl_9": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mplstoplabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mplstoplabip": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mul_dst_byt": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_mul_dst_pks": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_muligmptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_sampalgo": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "cn_sampint": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_seqctr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_spackets": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_src_tos": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_src_vlan": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_sysuptime": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_template_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_totbytsexp": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_totflowexp": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_totpcktsexp": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_unixnanosecs": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_v6flowlabel": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_v6optheaders": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "comments": { - "ignore_above": 1024, - "type": "keyword" - }, - "comp_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "comp_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "comp_rbytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "comp_sbytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "comp_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "context": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "count": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"cpu": { - "type": "long" - }, - "cpu_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "criticality": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_agency_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_analyzedby": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_av_other": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_av_primary": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_av_secondary": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_bgpv6nxthop": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_bit9status": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_context": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_control": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_datecret": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_dst_tld": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_eth_dst_ven": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_eth_src_ven": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_event_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_filetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_fld": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_if_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_if_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_ip_next_hop": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_ipv4dstpre": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_ipv4srcpre": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_lifetime": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_log_medium": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_loginname": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_modulescore": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_modulesign": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "cs_opswatresult": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_payload": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_registrant": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_registrar": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_represult": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_rpayload": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_sampler_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_sourcemodule": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_streams": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_targetmodule": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_v6nxthop": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_whois_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_yararesult": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "devvendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "distance": { - "ignore_above": 1024, - "type": "keyword" - }, - "doc_number": { - "type": "long" - }, - "dstburb": { - "ignore_above": 1024, - "type": "keyword" - }, - "edomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "edomaub": { - "ignore_above": 1024, - "type": "keyword" - }, - "ein_number": { - "type": "long" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "euid": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_computer": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_log": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "expected_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "facilityname": { - "ignore_above": 1024, - "type": "keyword" - }, - "fcatnum": { - "ignore_above": 1024, - "type": "keyword" - }, - "filter": { - "ignore_above": 1024, - "type": "keyword" - }, - "finterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "forensic_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "found": { - "ignore_above": 1024, - "type": "keyword" - }, - "fresult": { - "type": "long" - }, - "gaddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "group_object": { - "ignore_above": 1024, - "type": "keyword" - }, - "hardware_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id3": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_buddyid": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_buddyname": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_client": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_croomid": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_croomtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_members": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_userid": { - "ignore_above": 1024, - "type": "keyword" - }, - "im_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "inout": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipkt": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipscat": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipspri": { - "ignore_above": 1024, - "type": "keyword" - }, - "job_num": { - "ignore_above": 1024, - "type": "keyword" - }, - "jobname": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "latitude": { - "ignore_above": 1024, - "type": "keyword" - }, - "library": { - "ignore_above": 1024, - "type": "keyword" - }, - "lifetime": { - "type": "long" - }, - "linenum": { - "ignore_above": 1024, - "type": "keyword" - }, - "link": { - "ignore_above": 1024, - "type": "keyword" - }, - "list_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "listnum": { - "ignore_above": 1024, - "type": "keyword" - }, - "load_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "location_floor": { - "ignore_above": 1024, - "type": "keyword" - }, - "location_mark": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_session_id1": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "logid": { - "ignore_above": 1024, - "type": "keyword" - }, - "logip": { - "ignore_above": 1024, - "type": "keyword" - }, - "logname": { - "ignore_above": 1024, - "type": "keyword" - }, - "longitude": { - "ignore_above": 1024, - "type": "keyword" - }, - "lport": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "match": { - "ignore_above": 1024, - "type": "keyword" - }, - "mbug_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_body": { - "ignore_above": 1024, - "type": "keyword" - }, - "misc": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"misc_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgIdPart1": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgIdPart2": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgIdPart3": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgIdPart4": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netsessid": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntype": { - "ignore_above": 1024, - "type": "keyword" - }, - "num": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "ignore_above": 1024, - "type": "keyword" - }, - "number1": { - "ignore_above": 1024, - "type": "keyword" - }, - "number2": { - "ignore_above": 1024, - "type": "keyword" - }, - "nwwn": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "object": { - "ignore_above": 1024, - "type": "keyword" - }, - "observed_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "opkt": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_filter": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_group_object": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"p_msgid1": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_msgid2": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_result1": { - "ignore_above": 1024, - "type": "keyword" - }, - "param": { - "ignore_above": 1024, - "type": "keyword" - }, - "param_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "param_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_node": { - "ignore_above": 1024, - "type": "keyword" - }, - "password_chg": { - "ignore_above": 1024, - "type": "keyword" - }, - "password_expire": { - "ignore_above": 1024, - "type": "keyword" - }, - "payload_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "payload_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "permgranted": { - "ignore_above": 1024, - "type": "keyword" - }, - "permwanted": { - "ignore_above": 1024, - "type": "keyword" - }, - "pgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "phone": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "ignore_above": 1024, - "type": "keyword" - }, - "policyUUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_waiver": { - "ignore_above": 1024, - "type": "keyword" - }, - "pool_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pool_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_id_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "prog_asp_num": { - "ignore_above": 1024, - "type": "keyword" - }, - "program": { - "ignore_above": 1024, - "type": "keyword" - }, - "real_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "rec_asp_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "rec_asp_num": { - "ignore_above": 1024, - "type": "keyword" - }, - "rec_library": { - "ignore_above": 1024, - "type": "keyword" - }, - "recordnum": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference_id1": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference_id2": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_num": { - "type": "double" - }, - "risk_num_comm": { - "type": "double" - }, - "risk_num_next": { - "type": "double" - }, - "risk_num_sand": { - "type": "double" - }, - "risk_num_static": { - "type": "double" - }, - "risk_suspicious": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_warning": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_template": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sburb": { - "ignore_above": 1024, - "type": "keyword" - }, - "sdomain_fld": { - "ignore_above": 1024, - "type": "keyword" - }, - "search_text": { - "ignore_above": 1024, - "type": "keyword" - }, - "sec": { - "ignore_above": 1024, - "type": "keyword" - }, - "second": { - "ignore_above": 1024, - "type": "keyword" - }, - "sensor": { - "ignore_above": 1024, - "type": "keyword" - }, - "sensorname": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"seqnum": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "session": { - "ignore_above": 1024, - "type": "keyword" - }, - "sessiontype": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "sigUUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_id": { - "type": "long" - }, - "sig_id1": { - "type": "long" - }, - "sig_id_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sigcat": { - "ignore_above": 1024, - "type": "keyword" - }, - "snmp_oid": { - "ignore_above": 1024, - "type": "keyword" - }, - "snmp_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "space": { - "ignore_above": 1024, - "type": "keyword" - }, - "space1": { - "ignore_above": 1024, - "type": "keyword" - }, - "spi": { - "ignore_above": 1024, - "type": "keyword" - }, - "spi_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "spi_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "sql": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcburb": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcdom": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcservice": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status1": { - "ignore_above": 1024, - "type": "keyword" - }, - "streams": { - "type": "long" - }, - "subcategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "svcno": { - "ignore_above": 1024, - "type": "keyword" - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "tbdstr1": { - "ignore_above": 1024, - "type": "keyword" - }, - "tbdstr2": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags": { - "type": "long" - }, - "terminal": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "tgtdom": { - "ignore_above": 1024, - "type": "keyword" - }, - "tgtdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "threshold": { - "ignore_above": 1024, - "type": "keyword" - }, - "tos": { - "type": "long" - }, - "trigger_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger_val": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type1": { - "ignore_above": 1024, - "type": "keyword" - }, - "udb_class": { - "ignore_above": 1024, - "type": "keyword" - }, - "url_fld": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_div": { - "ignore_above": 1024, - "type": "keyword" - }, - "userid": { - "ignore_above": 1024, - "type": "keyword" - }, - "username_fld": { - "ignore_above": 1024, - "type": "keyword" - }, - "utcstamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "v_instafname": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "virt_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "virusname": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpnid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vsys": { - "ignore_above": 1024, - "type": "keyword" - }, - "vuln_ref": { - "ignore_above": 1024, - "type": "keyword" - }, - "workspace": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "network": { - "properties": { - "ad_computer_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "alias_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "dinterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "dmask": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_a_record": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_cname_record": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"dns_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_opcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_ptr_record": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain1": { - "ignore_above": 1024, - "type": "keyword" - }, - "eth_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "eth_type": { - "type": "long" - }, - "faddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "fhost": { - "ignore_above": 1024, - "type": "keyword" - }, - "fport": { - "ignore_above": 1024, - "type": "keyword" - }, - "gateway": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_orig": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_proto": { - "type": "long" - }, - "laddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "lhost": { - "ignore_above": 1024, - "type": "keyword" - }, - "linterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "mask": { - "ignore_above": 1024, - "type": "keyword" - }, - "netname": { - "ignore_above": 1024, - "type": "keyword" - }, - "network_port": { - "type": "long" - }, - "network_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "paddr": { - "type": "ip" - }, - "phost": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "protocol_detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_domain_id": { - "ignore_above": 1024, 
- "type": "keyword" - }, - "rpayload": { - "ignore_above": 1024, - "type": "keyword" - }, - "sinterface": { - "ignore_above": 1024, - "type": "keyword" - }, - "smask": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "type": "long" - }, - "vlan_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone_src": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "physical": { - "properties": { - "org_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "org_src": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "storage": { - "properties": { - "disk_volume": { - "ignore_above": 1024, - "type": "keyword" - }, - "lun": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwwn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_source": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "time": { - "properties": { - "date": { - "ignore_above": 1024, - "type": "keyword" - }, - "datetime": { - "ignore_above": 1024, - "type": "keyword" - }, - "day": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration_time": { - "type": "double" - }, - "effective_time": { - "type": "date" - }, - "endtime": { - "type": "date" - }, - "event_queue_time": { - "type": "date" - }, - "event_time": { - "type": "date" - }, - "event_time_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "eventtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "expire_time": { - "type": "date" - }, - "expire_time_str": { - "ignore_above": 1024, - "type": "keyword" - }, - "gmtdate": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "gmttime": { - "ignore_above": 1024, - "type": "keyword" - }, - "hour": { - "ignore_above": 1024, - "type": "keyword" - }, - "min": { - "ignore_above": 1024, - "type": "keyword" - }, - "month": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_date": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_month": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_time1": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_time2": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_year": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "recorded_time": { - "type": "date" - }, - "stamp": { - "type": "date" - }, - "starttime": { - "type": "date" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "tzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "year": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "web": { - "properties": { - "alias_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_asn_dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "cn_rpackets": { - "ignore_above": 1024, - "type": "keyword" - }, - "fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_web_cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_web_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "p_web_referer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "reputation_num": { - "type": "double" - }, - "urlpage": { - "ignore_above": 1024, - "type": "keyword" - }, - "urlroot": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"web_cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_extension_tmp": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_page": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_ref_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_ref_page": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_ref_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_ref_root": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "wireless": { - "properties": { - "access_point": { - "ignore_above": 1024, - "type": "keyword" - }, - "wlan_channel": { - "type": "long" - }, - "wlan_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "wlan_ssid": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "santa": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "decision": { - "ignore_above": 1024, - "type": "keyword" - }, - "disk": { - "properties": { - "bsdname": { - "ignore_above": 1024, - "type": "keyword" - }, - "bus": { - "ignore_above": 1024, - "type": "keyword" - }, - "fs": { - "ignore_above": 1024, - "type": "keyword" 
- }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "volume": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 
1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "snyk": { - "properties": { - "audit": { - "properties": { - "content": { - "type": "flattened" - }, - "org_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "project_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "projects": { - "type": "flattened" - }, - "related": { - "properties": { - "projects": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerabilities": { - "properties": { - "credit": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss3": { - "ignore_above": 1024, - "type": "keyword" - }, - "disclosure_time": { - "type": "date" - }, - "exploit_maturity": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifiers": { - 
"properties": { - "alternative": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "introduced_date": { - "type": "date" - }, - "is_fixed": { - "type": "boolean" - }, - "is_ignored": { - "type": "boolean" - }, - "is_patchable": { - "type": "boolean" - }, - "is_patched": { - "type": "boolean" - }, - "is_pinnable": { - "type": "boolean" - }, - "is_upgradable": { - "type": "boolean" - }, - "jira_issue_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_severity": { - "type": "long" - }, - "package": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_manager": { - "ignore_above": 1024, - "type": "keyword" - }, - "patches": { - "type": "flattened" - }, - "priority_score": { - "type": "long" - }, - "publication_time": { - "type": "date" - }, - "reachability": { - "ignore_above": 1024, - "type": "keyword" - }, - "semver": { - "type": "flattened" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "unique_severities_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "sophos": { - "properties": { - "xg": { - "properties": { - "Configuration": { - "type": "float" - }, - "FTP_direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "FTP_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "Mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "PHPSESSID": { - "ignore_above": 1024, - "type": "keyword" - }, - "Reports": { - "type": "float" - }, - "Signature": { - "type": "float" - }, - "SysLog_SERVER_NAME": { - "ignore_above": 1024, - "type": "keyword" - }, - "Temp": { - "type": "float" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "activityname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ap": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "app_is_cloud": { - "ignore_above": 1024, - "type": "keyword" - }, - "appfilter_policy_id": { - "type": "long" - }, - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_filter_policy": { - "type": "long" - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_risk": { - "ignore_above": 1024, - "type": "keyword" - }, - "application_technology": { - "ignore_above": 1024, - "type": "keyword" - }, - "appresolvedby": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_client": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_mechanism": { - "ignore_above": 1024, - "type": "keyword" - }, - "av_policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "backup_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "branch_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "category_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_host_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_physical_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "clients_conn_ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "collisions": { - "type": "long" - }, - "con_id": { - "type": "long" - }, - "conn_id": { - "type": "long" - }, - "connectionname": { - "ignore_above": 1024, - "type": "keyword" - }, - "connectiontype": { - "ignore_above": 1024, - "type": "keyword" - }, - "connevent": { - "ignore_above": 1024, - "type": "keyword" - }, - "connid": { - "ignore_above": 1024, - "type": "keyword" - }, - "contenttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_match": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_prefix": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "context_suffix": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "type": "date" - }, - "destinationip": { - "type": "ip" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dictionary_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dir_disp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainname": { - "ignore_above": 1024, - "type": "keyword" - }, - "download_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "download_file_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_country_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_domainname": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_ip": { - "type": "ip" - }, - "dst_port": { - "type": "long" - }, - "dstdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstzonetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "email_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "ep_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "eventid": { - "ignore_above": 1024, - "type": "keyword" - }, - "eventtime": { - "type": "date" - }, - "eventtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "exceptions": { - "ignore_above": 1024, - "type": "keyword" - }, - "execution_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "extra": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_size": { - "type": "long" - }, 
- "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "filepath": { - "ignore_above": 1024, - "type": "keyword" - }, - "filesize": { - "type": "long" - }, - "free": { - "type": "long" - }, - "from_email_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "ftpcommand": { - "ignore_above": 1024, - "type": "keyword" - }, - "fw_rule_id": { - "type": "long" - }, - "hb_health": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "httpresponsecode": { - "type": "long" - }, - "iap": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "idle_cpu": { - "type": "float" - }, - "idp_policy_id": { - "type": "long" - }, - "idp_policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "in_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipaddress": { - "ignore_above": 1024, - "type": "keyword" - }, - "ips_policy_id": { - "type": "long" - }, - "localgateway": { - "ignore_above": 1024, - "type": "keyword" - }, - "localnetwork": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_component": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_subtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "login_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "mailid": { - "ignore_above": 1024, - "type": "keyword" - }, - "mailsize": { - "type": "long" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "newversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldversion": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"out_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "override_authorizer": { - "ignore_above": 1024, - "type": "keyword" - }, - "override_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "override_token": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "quarantine": { - "ignore_above": 1024, - "type": "keyword" - }, - "quarantine_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "querystring": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "received_pkts": { - "type": "long" - }, - "receiveddrops": { - "type": "long" - }, - "receivederrors": { - "ignore_above": 1024, - "type": "keyword" - }, - "receivedkbits": { - "type": "long" - }, - "recv_bytes": { - "type": "long" - }, - "red_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "referer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "remotenetwork": { - "ignore_above": 1024, - "type": "keyword" - }, - "responsetime": { - "type": "long" - }, - "rule_priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "sent_bytes": { - "type": "long" - }, - "sent_pkts": { - "type": "long" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "sessionid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1sum": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "site_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "sourceip": { - "type": "ip" - }, - "spamaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_country_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_domainname": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_ip": { - "type": "ip" - }, - "src_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_port": { - "type": "long" - }, - "srczone": { - "ignore_above": 1024, - "type": "keyword" - }, - "srczonetype": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "start_time": { - "type": "date" - }, - "starttime": { - "type": "date" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "system_cpu": { - "type": "float" - }, - "target": { - "ignore_above": 1024, - "type": "keyword" - }, - "threatname": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "to_email_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_memory": { - "type": "long" - }, - "trans_dst_ip": { - "type": "ip" - }, - "trans_dst_port": { - "type": "long" - }, - "trans_src_ ip": { - "type": "ip" - }, - "trans_src_port": { - "type": "long" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "transactionid": { - "ignore_above": 1024, - "type": "keyword" - }, - "transmitteddrops": { - "type": "long" - }, - "transmittederrors": { - "ignore_above": 1024, - "type": "keyword" - }, - "transmittedkbits": { - "type": "long" - }, - "unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "updatedip": { - "type": "ip" - }, - "upload_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "upload_file_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "used": { - "type": "long" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_cpu": { - "type": "float" - }, - "user_gp": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "users": { - "ignore_above": 1024, - "type": "keyword" - }, - "vconn_id": { - "type": "long" - }, - "virus": { - "ignore_above": 1024, - "type": "keyword" - }, - "website": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - 
"name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "stream": { - "ignore_above": 1024, - "type": "keyword" - }, - "suricata": { - "properties": { - "eve": { - "properties": { - "alert": { - "properties": { - "action": { - "path": "event.outcome", - "type": "alias" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "type": "long" - }, - "metadata": { - "type": "flattened" - }, - "rev": { - "type": "long" - }, - "severity": { - "path": "event.severity", - "type": "alias" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_id": { - "type": "long" - } - } - }, - "app_proto": { - "path": "network.protocol", - "type": "alias" - }, - "app_proto_expected": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_orig": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_proto_tc": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "app_proto_ts": { - "ignore_above": 1024, - "type": "keyword" - }, - "dest_ip": { - "path": "destination.ip", - "type": "alias" - }, - "dest_port": { - "path": "destination.port", - "type": "alias" - }, - "dns": { - "properties": { - "id": { - "type": "long" - }, - "rcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrname": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "tx_id": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileinfo": { - "properties": { - "filename": { - "path": "file.path", - "type": "alias" - }, - "gaps": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "path": "file.size", - "type": "alias" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "stored": { - "type": "boolean" - }, - "tx_id": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "age": { - "type": "long" - }, - "alerted": { - "type": "boolean" - }, - "bytes_toclient": { - "path": "destination.bytes", - "type": "alias" - }, - "bytes_toserver": { - "path": "source.bytes", - "type": "alias" - }, - "pkts_toclient": { - "path": "destination.packets", - "type": "alias" - }, - "pkts_toserver": { - "path": "source.packets", - "type": "alias" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "start": { - "path": "event.start", - "type": "alias" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow_id": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "http": { - "properties": { - "hostname": { - "path": "url.domain", - "type": "alias" - }, - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_method": { - "path": "http.request.method", - "type": "alias" - }, - "http_refer": { - "path": "http.request.referrer", - "type": "alias" - }, - "http_user_agent": { - "path": "user_agent.original", - "type": "alias" - }, - "length": { - "path": "http.response.body.bytes", - "type": "alias" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "redirect": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "path": "http.response.status_code", - "type": "alias" - }, - "url": { - "path": "url.original", - "type": "alias" - } - } - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "in_iface": { - "ignore_above": 1024, - "type": "keyword" - }, - "pcap_cnt": { - "type": "long" - }, - "proto": { - "path": "network.transport", - "type": "alias" - }, - "smtp": { - "properties": { - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "src_ip": { - "path": "source.ip", - "type": "alias" - }, - "src_port": { - "path": "source.port", - "type": "alias" - }, - "ssh": { - "properties": { - "client": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "stats": { - "properties": { - "app_layer": { - "properties": { - "flow": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - 
"type": "long" - }, - "failed_tcp": { - "type": "long" - }, - "failed_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "imap": { - "type": "long" - }, - "msn": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - }, - "tx": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - } - } - }, - "capture": { - "properties": { - "kernel_drops": { - "type": "long" - }, - "kernel_ifdrops": { - "type": "long" - }, - "kernel_packets": { - "type": "long" - } - } - }, - "decoder": { - "properties": { - "avg_pkt_size": { - "type": "long" - }, - "bytes": { - "type": "long" - }, - "dce": { - "properties": { - "pkt_too_small": { - "type": "long" - } - } - }, - "erspan": { - "type": "long" - }, - "ethernet": { - "type": "long" - }, - "gre": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "ieee8021ah": { - "type": "long" - }, - "invalid": { - "type": "long" - }, - "ipraw": { - "properties": { - "invalid_ip_version": { - "type": "long" - } - } - }, - "ipv4": { - "type": "long" - }, - "ipv4_in_ipv6": { - "type": "long" - }, - "ipv6": { - "type": "long" - }, - "ipv6_in_ipv6": { - "type": "long" - }, - "ltnull": { - "properties": { - "pkt_too_small": { - "type": "long" - }, - "unsupported_type": { - "type": "long" - } - } - }, - "max_pkt_size": { - "type": "long" - }, - "mpls": { - "type": "long" - }, - "null": { - "type": "long" - }, - "pkts": { - "type": "long" - }, - "ppp": { - "type": "long" - }, - "pppoe": { - "type": "long" - }, - "raw": { - "type": "long" - 
}, - "sctp": { - "type": "long" - }, - "sll": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "teredo": { - "type": "long" - }, - "udp": { - "type": "long" - }, - "vlan": { - "type": "long" - }, - "vlan_qinq": { - "type": "long" - } - } - }, - "defrag": { - "properties": { - "ipv4": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "max_frag_hits": { - "type": "long" - } - } - }, - "detect": { - "properties": { - "alert": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "memcap_global": { - "type": "long" - }, - "memcap_state": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "file_store": { - "properties": { - "open_files": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "emerg_mode_entered": { - "type": "long" - }, - "emerg_mode_over": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "spare": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "tcp_reuse": { - "type": "long" - }, - "udp": { - "type": "long" - } - } - }, - "flow_mgr": { - "properties": { - "bypassed_pruned": { - "type": "long" - }, - "closed_pruned": { - "type": "long" - }, - "est_pruned": { - "type": "long" - }, - "flows_checked": { - "type": "long" - }, - "flows_notimeout": { - "type": "long" - }, - "flows_removed": { - "type": "long" - }, - "flows_timeout": { - "type": "long" - }, - "flows_timeout_inuse": { - "type": "long" - }, - "new_pruned": { - "type": "long" - }, - "rows_busy": { - "type": "long" - }, - "rows_checked": { - "type": "long" - }, - "rows_empty": { - "type": "long" - }, - "rows_maxlen": { - "type": "long" - }, - "rows_skipped": { - "type": 
"long" - } - } - }, - "http": { - "properties": { - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "insert_data_normal_fail": { - "type": "long" - }, - "insert_data_overlap_fail": { - "type": "long" - }, - "insert_list_fail": { - "type": "long" - }, - "invalid_checksum": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "no_flow": { - "type": "long" - }, - "overlap": { - "type": "long" - }, - "overlap_diff_data": { - "type": "long" - }, - "pseudo": { - "type": "long" - }, - "pseudo_failed": { - "type": "long" - }, - "reassembly_gap": { - "type": "long" - }, - "reassembly_memuse": { - "type": "long" - }, - "rst": { - "type": "long" - }, - "segment_memcap_drop": { - "type": "long" - }, - "sessions": { - "type": "long" - }, - "ssn_memcap_drop": { - "type": "long" - }, - "stream_depth_reached": { - "type": "long" - }, - "syn": { - "type": "long" - }, - "synack": { - "type": "long" - } - } - }, - "uptime": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "ack": { - "type": "boolean" - }, - "fin": { - "type": "boolean" - }, - "psh": { - "type": "boolean" - }, - "rst": { - "type": "boolean" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "syn": { - "type": "boolean" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_tc": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_ts": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tls": { - "properties": { - "fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuerdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ja3s": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"notafter": { - "type": "date" - }, - "notbefore": { - "type": "date" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_resumed": { - "type": "boolean" - }, - "sni": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tx_id": { - "type": "long" - } - } - } - } - }, - "syslog": { - "properties": { - "facility": { - "type": "long" - }, - "facility_label": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "severity_label": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "properties": { - "auth": { - "properties": { - "ssh": { - "properties": { - "dropped_ip": { - "type": "ip" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sudo": { - "properties": { - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "useradd": { - "properties": { - "home": { - "ignore_above": 1024, - "type": "keyword" - }, - "shell": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "properties": { - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "threatintel": { - "properties": { - "abusemalware": { - "properties": { - "file_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "urlhaus_download": { - "ignore_above": 1024, - "type": "keyword" - }, - "virustotal": { - "properties": { - "link": { - "ignore_above": 1024, - "type": "keyword" - }, - "percent": { - "type": "float" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "abuseurl": { - "properties": { - "blacklists": { - "properties": { - "spamhaus_dbl": { - "ignore_above": 1024, - "type": "keyword" - }, - "surbl": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "larted": { - "type": "boolean" - }, - "reporter": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat": { - "ignore_above": 1024, - "type": "keyword" - }, - "url_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "urlhaus_reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "anomali": { - "properties": { - "content": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "ignore_above": 
1024, - "type": "keyword" - }, - "modified": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_marking_refs": { - "ignore_above": 1024, - "type": "keyword" - }, - "pattern": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "valid_from": { - "type": "date" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "imphash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "strings": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "misp": { - "properties": { - "attribute": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "comment": { - "ignore_above": 1024, - "type": "keyword" - }, - "deleted": { - "type": "boolean" - }, - "disable_correlation": { - "type": "boolean" - }, - "distribution": { - "type": "long" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_relation": { - "ignore_above": 1024, - "type": "keyword" - }, - "sharing_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "to_ids": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attribute_count": { - "type": "long" - }, - "date": { - "type": "date" - }, - "disable_correlation": { - "type": "boolean" - }, - "distribution": { - "ignore_above": 1024, - "type": "keyword" - }, - "extends_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "info": { - "ignore_above": 1024, - "type": "keyword" - }, - "locked": { - "type": "boolean" - }, - "org": { - "properties": { - 
"id": { - "ignore_above": 1024, - "type": "keyword" - }, - "local": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "org_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "orgc": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "local": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orgc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "proposal_email_lock": { - "type": "boolean" - }, - "publish_timestamp": { - "type": "date" - }, - "published": { - "type": "boolean" - }, - "sharing_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_level_id": { - "type": "long" - }, - "timestamp": { - "type": "date" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "otx": { - "properties": { - "content": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "timeseries": { - "properties": { - "instance": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - 
"issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "index": false, - "type": "long" - }, - "public_key_size": { 
- "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "traefik": { - "properties": { - "access": { - "properties": { - "backend_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "frontend_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "geoip": { - "properties": { - "city_name": { - "path": "source.geo.city_name", - "type": "alias" - }, - "continent_name": { - "path": "source.geo.continent_name", - "type": "alias" - }, - "country_iso_code": { - "path": "source.geo.country_iso_code", - "type": "alias" - }, - "location": { - "path": "source.geo.location", - "type": "alias" - }, - "region_iso_code": { - "path": "source.geo.region_iso_code", - "type": "alias" - }, - "region_name": { - "path": "source.geo.region_name", - "type": "alias" - } - } - }, - "request_count": { - "type": "long" - }, - "user_agent": { - "properties": { - "device": { - "path": "user_agent.device.name", - "type": "alias" - }, - "name": { - "path": "user_agent.name", - "type": "alias" - }, - "original": { - "path": 
"user_agent.original", - "type": "alias" - }, - "os": { - "path": "user_agent.os.full_name", - "type": "alias" - }, - "os_name": { - "path": "user_agent.os.name", - "type": "alias" - } - } - }, - "user_identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "audit": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - 
"norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "filesystem": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" 
- } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "owner": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "saved": { - "properties": { - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - 
"roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "terminal": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - 
"vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": 
"keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zeek": { - "properties": { - "capture_loss": { - "properties": { - "acks": { - "type": "long" - }, - "gaps": { - "type": "long" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "percent_lost": { - "type": "double" - }, - "ts_delta": { - "type": "long" - } - } - }, - "connection": { - "properties": { - "history": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "type": { - "type": "long" - } - } - }, - "inner_vlan": { - "type": "long" - }, - "local_orig": { - "type": "boolean" - }, - "local_resp": { - "type": "boolean" - }, - "missed_bytes": { - "type": "long" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "type": "long" - } - } - }, - "dce_rpc": { - "properties": { - "endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "named_pipe": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "rtt": { - "type": "long" - } - } - }, - "dhcp": { - "properties": { - "address": { - "properties": { - "assigned": { - "type": "ip" - }, - "client": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "requested": { - "type": "ip" - }, - "server": { - "type": "ip" - } - } - }, - "client_fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "properties": { - "circuit": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscriber": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lease_time": { - "type": "long" - }, - 
"msg": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "type": "ip" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "software": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dnp3": { - "properties": { - "function": { - "properties": { - "reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "AA": { - "type": "boolean" - }, - "RA": { - "type": "boolean" - }, - "RD": { - "type": "boolean" - }, - "TC": { - "type": "boolean" - }, - "TTLs": { - "type": "double" - }, - "answers": { - "ignore_above": 1024, - "type": "keyword" - }, - "qclass": { - "type": "long" - }, - "qclass_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "qtype": { - "type": "long" - }, - "qtype_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "query": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcode": { - "type": "long" - }, - "rcode_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rejected": { - "type": "boolean" - }, - "rtt": { - "type": "double" - }, - "saw_query": { - "type": "boolean" - }, - "saw_reply": { - "type": "boolean" - }, - "total_answers": { - "type": "long" - }, - "total_replies": { - "type": "long" - }, - "trans_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dpd": { - "properties": { - "analyzer": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_segment": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "files": { - "properties": { - "analyzers": { - "ignore_above": 1024, - "type": "keyword" - }, - "depth": { - "type": "long" 
- }, - "duration": { - "type": "double" - }, - "entropy": { - "type": "double" - }, - "extracted": { - "ignore_above": 1024, - "type": "keyword" - }, - "extracted_cutoff": { - "type": "boolean" - }, - "extracted_size": { - "type": "long" - }, - "filename": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "local_orig": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rx_host": { - "type": "ip" - }, - "seen_bytes": { - "type": "long" - }, - "session_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "timedout": { - "type": "boolean" - }, - "total_bytes": { - "type": "long" - }, - "tx_host": { - "type": "ip" - } - } - }, - "ftp": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "capture_password": { - "type": "boolean" - }, - "cmdarg": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "seq": { - "type": "long" - } - } - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_channel": { - "properties": { - "originating_host": { - "type": "ip" - }, - "passive": { - "type": "boolean" - }, - "response_host": { - "type": "ip" - }, - "response_port": { - "type": "long" - } - } - }, - "file": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "size": { - "type": "long" - } - } - }, - "last_auth_requested": { - "ignore_above": 1024, - "type": "keyword" - }, - "passive": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "pending_commands": { - "type": "long" - }, - "reply": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http": { - "properties": { - "captured_password": { - "type": "boolean" - }, - "client_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "info_code": { - "type": "long" - }, - "info_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "orig_mime_depth": { - "type": "long" - }, - "orig_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxied": { - "ignore_above": 1024, - "type": "keyword" - }, - "range_request": { - "type": "boolean" - }, - "resp_filenames": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "resp_mime_depth": { - "type": "long" - }, - "resp_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_header_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "trans_depth": { - "type": "long" - } - } - }, - "intel": { - "properties": { - "file_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "matched": { - "ignore_above": 1024, - "type": "keyword" - }, - "seen": { - 
"properties": { - "conn": { - "ignore_above": 1024, - "type": "keyword" - }, - "f": { - "type": "object" - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "indicator_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "where": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sources": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "irc": { - "properties": { - "addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "dcc": { - "properties": { - "file": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "nick": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kerberos": { - "properties": { - "cert": { - "properties": { - "client": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "error": { - "properties": { - "code": { - "type": "long" - }, - 
"msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "forwardable": { - "type": "boolean" - }, - "renewable": { - "type": "boolean" - }, - "request_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - }, - "ticket": { - "properties": { - "auth": { - "ignore_above": 1024, - "type": "keyword" - }, - "new": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "valid": { - "properties": { - "days": { - "type": "long" - }, - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - } - } - }, - "modbus": { - "properties": { - "exception": { - "ignore_above": 1024, - "type": "keyword" - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - }, - "track_address": { - "type": "long" - } - } - }, - "mysql": { - "properties": { - "arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "cmd": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "ignore_above": 1024, - "type": "keyword" - }, - "rows": { - "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "notice": { - "properties": { - "actions": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped": { - "type": "boolean" - }, - "email_body_sections": { - "norms": false, - "type": "text" - }, - "email_delay_tokens": { - "ignore_above": 1024, - "type": "keyword" - }, - "false": { - "type": "long" - }, - "ffile": { - "properties": { - "total_bytes": { - "type": "long" - } - } - }, - "file": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_orig": { - "type": "boolean" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "missing_bytes": { - "type": "long" - }, - "overflow_bytes": { - "type": "long" - }, - "parent_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "seen_bytes": { - "type": "long" - }, 
- "source": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_descr": { - "norms": false, - "type": "text" - }, - "peer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub": { - "ignore_above": 1024, - "type": "keyword" - }, - "suppress_for": { - "type": "double" - } - } - }, - "ntlm": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "properties": { - "name": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "netbios": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "success": { - "type": "boolean" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ocsp": { - "properties": { - "file_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "revoke": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "date" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "update": { - "properties": { - "next": { - "type": "date" - }, - "this": { - "type": "date" - } - } - } - } - }, - "pe": { - "properties": { - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"compile_time": { - "type": "date" - }, - "has_cert_table": { - "type": "boolean" - }, - "has_debug_data": { - "type": "boolean" - }, - "has_export_table": { - "type": "boolean" - }, - "has_import_table": { - "type": "boolean" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_64bit": { - "type": "boolean" - }, - "is_exe": { - "type": "boolean" - }, - "machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "ignore_above": 1024, - "type": "keyword" - }, - "section_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "uses_aslr": { - "type": "boolean" - }, - "uses_code_integrity": { - "type": "boolean" - }, - "uses_dep": { - "type": "boolean" - }, - "uses_seh": { - "type": "boolean" - } - } - }, - "radius": { - "properties": { - "connect_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "framed_addr": { - "type": "ip" - }, - "logged": { - "type": "boolean" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "reply_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rdp": { - "properties": { - "cert": { - "properties": { - "count": { - "type": "long" - }, - "permanent": { - "type": "boolean" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "desktop": { - "properties": { - "color_depth": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "width": { - "type": "long" - 
} - } - }, - "done": { - "type": "boolean" - }, - "encryption": { - "properties": { - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "keyboard_layout": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl": { - "type": "boolean" - } - } - }, - "rfb": { - "properties": { - "auth": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - } - } - }, - "desktop_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "height": { - "type": "long" - }, - "share_flag": { - "type": "boolean" - }, - "version": { - "properties": { - "client": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "width": { - "type": "long" - } - } - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature": { - "properties": { - "event_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_count": { - "type": "long" - }, - "note": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_count": { - "type": "long" - }, - "sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sip": { - "properties": { - "call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "body_length": { - "type": "long" 
- }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body_length": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence": { - "properties": { - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "status": { - "properties": { - "code": { - "type": "long" - }, - "msg": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "warning": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_cmd": { - "properties": { - "argument": { - "ignore_above": 1024, - "type": "keyword" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "rx": { - "type": "ip" - }, - "tx": { - "type": "ip" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rtt": { - "type": "double" - }, - "smb1_offered_dialects": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb2_offered_dialects": { - "type": "long" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_command": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree": { - "ignore_above": 1024, - "type": "keyword" - }, - "tree_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - 
"ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_files": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "fid": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "previous_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "times": { - "properties": { - "accessed": { - "type": "date" - }, - "changed": { - "type": "date" - }, - "created": { - "type": "date" - }, - "modified": { - "type": "date" - } - } - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smb_mapping": { - "properties": { - "native_file_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "ignore_above": 1024, - "type": "keyword" - }, - "share_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "smtp": { - "properties": { - "cc": { - "ignore_above": 1024, - "type": "keyword" - }, - "date": { - "type": "date" - }, - "first_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "has_client_activity": { - "type": "boolean" - }, - "helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "in_reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_webmail": { - "type": "boolean" - }, - "last_reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "mail_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "type": "ip" - }, - "process_received_from": { - "type": "boolean" - }, - "rcpt_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "reply_to": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"second_received": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls": { - "type": "boolean" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_depth": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "x_originating_ip": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "snmp": { - "properties": { - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "double" - }, - "get": { - "properties": { - "bulk_requests": { - "type": "long" - }, - "requests": { - "type": "long" - }, - "responses": { - "type": "long" - } - } - }, - "set": { - "properties": { - "requests": { - "type": "long" - } - } - }, - "up_since": { - "type": "date" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "socks": { - "properties": { - "bound": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "capture_password": { - "type": "boolean" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssh": { - "properties": { - "algorithm": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "compression": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "key_exchange": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auth": { - "properties": { - "attempts": { 
- "type": "long" - }, - "success": { - "type": "boolean" - } - } - }, - "client": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "ssl": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "last_alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": 
{ - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "validation": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "stats": { - "properties": { - "bytes": { - "properties": { - "received": { - "type": "long" - } - } - }, - "connections": { - "properties": { - "icmp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "udp": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - } - } - }, - "dns_requests": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "events": { - "properties": { - "processed": { - "type": "long" - }, - "queued": { - "type": "long" - } - } - }, - "files": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - 
} - }, - "memory": { - "type": "long" - }, - "packets": { - "properties": { - "dropped": { - "type": "long" - }, - "processed": { - "type": "long" - }, - "received": { - "type": "long" - } - } - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "reassembly_size": { - "properties": { - "file": { - "type": "long" - }, - "frag": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "unknown": { - "type": "long" - } - } - }, - "timers": { - "properties": { - "active": { - "type": "long" - }, - "count": { - "type": "long" - } - } - }, - "timestamp_lag": { - "type": "long" - } - } - }, - "syslog": { - "properties": { - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tunnel": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "weird": { - "properties": { - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice": { - "type": "boolean" - }, - "peer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "basic_constraints": { - "properties": { - "certificate_authority": { - "type": "boolean" - }, - "path_length": { - "type": "long" - } - } - }, - "certificate": { + "file": { "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "exponent": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - 
"organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "key": { - "properties": { - "algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { + "hash": { "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { + "md5": { "ignore_above": 1024, "type": "keyword" }, - "organization": { + "sha1": { "ignore_above": 1024, "type": "keyword" }, - "organizational_unit": { + "sha256": { "ignore_above": 1024, "type": "keyword" }, - "state": { + "sha512": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "valid": { - "properties": { - "from": { - "type": "date" - }, - "until": { - "type": "date" - } - } - }, - "version": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_cert": { - "type": "boolean" - }, - "san": { - "properties": { - "dns": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "other_fields": { - "type": "boolean" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "zoom": { - "properties": { - "account": { - "properties": { - "account_alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "account_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "account_support_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "account_support_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "owner_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "owner_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "chat_channel": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "chat_message": { - "properties": { - "channel_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "contact_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "contact_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "creation_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "master_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "meeting": { - "properties": { - "duration": { - "type": "long" - }, - "host_id": { - "ignore_above": 1024, - "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "imphash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "id": { + "first_seen": { "ignore_above": 1024, "type": "keyword" }, - "issues": { - "ignore_above": 1024, - "type": "keyword" + "geo": { + "properties": { + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 
1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } }, - "password": { - "ignore_above": 1024, - "type": "keyword" + "ip": { + "type": "ip" }, - "start_time": { + "last_seen": { "type": "date" }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "topic": { - "ignore_above": 1024, - "type": "keyword" + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "type": { + "module": { "ignore_above": 1024, "type": "keyword" }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "old_values": { - "type": "flattened" - }, - "operator": { - "ignore_above": 1024, - "type": "keyword" - }, - "operator_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "participant": { - "properties": { - "id": { + "port": { + "type": "long" + }, + "provider": { "ignore_above": 1024, "type": "keyword" }, - "join_time": { - "type": "date" - }, - "leave_time": { - "type": "date" - }, - "sharing_details": { + "registry": { "properties": { - "content": { - "ignore_above": 1024, - "type": "keyword" - }, - "date_time": { - "ignore_above": 1024, - "type": "keyword" + "data": { + "properties": { + "strings": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "file_link": { + "key": { "ignore_above": 1024, "type": "keyword" }, - "link_source": { + "path": { "ignore_above": 1024, "type": "keyword" }, - "source": { + "value": { "ignore_above": 1024, "type": "keyword" } } }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - 
"ignore_above": 1024, - "type": "keyword" - } - } - }, - "phone": { - "properties": { - "answer_start_time": { - "type": "date" + "scanner_stats": { + "type": "long" }, - "call_end_time": { - "type": "date" + "sightings": { + "type": "long" }, - "call_id": { + "type": { "ignore_above": 1024, "type": "keyword" }, - "callee": { + "url": { "properties": { - "device_type": { + "domain": { "ignore_above": 1024, "type": "keyword" }, - "extension_number": { + "extension": { "ignore_above": 1024, "type": "keyword" }, - "extension_type": { + "fragment": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "full": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "original": { "ignore_above": 1024, "type": "keyword" }, - "number_type": { + "password": { "ignore_above": 1024, "type": "keyword" }, - "phone_number": { + "path": { "ignore_above": 1024, "type": "keyword" }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + "port": { + "type": "long" }, - "user_id": { + "query": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "caller": { - "properties": { - "device_type": { + }, + "registered_domain": { "ignore_above": 1024, "type": "keyword" }, - "extension_number": { + "scheme": { "ignore_above": 1024, "type": "keyword" }, - "extension_type": { + "subdomain": { "ignore_above": 1024, "type": "keyword" }, - "id": { + "top_level_domain": { "ignore_above": 1024, "type": "keyword" }, - "name": { + "username": { "ignore_above": 1024, "type": "keyword" - }, - "number_type": { + } + } + }, + "x509": { + "properties": { + "alternative_names": { "ignore_above": 1024, "type": "keyword" }, - "phone_number": { + "issuer": { "ignore_above": 1024, "type": "keyword" }, - "timezone": { + "serial_number": { "ignore_above": 1024, "type": "keyword" }, - "user_id": { + "subject": { "ignore_above": 1024, "type": "keyword" } } - }, - "connected_start_time": { - "type": "date" - }, - "date_time": { - "type": "date" - }, - "download_url": { - "ignore_above": 1024, - 
"type": "keyword" - }, - "duration": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ringing_start_time": { - "type": "date" - }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" } } }, - "recording": { + "misp": { "properties": { - "duration": { - "type": "long" - }, - "host_email": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "recording_count": { - "type": "long" - }, - "recording_file": { + "attribute": { "properties": { - "recording_end": { - "type": "date" + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "deleted": { + "type": "boolean" + }, + "disable_correlation": { + "type": "boolean" + }, + "distribution": { + "type": "long" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_relation": { + "ignore_above": 1024, + "type": "keyword" + }, + "sharing_group_id": { + "ignore_above": 1024, + "type": "keyword" }, - "recording_start": { + "timestamp": { "type": "date" + }, + "to_ids": { + "type": "boolean" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } } }, - "share_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "start_time": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "topic": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_size": { + "attribute_count": { "type": "long" }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registrant": { - "properties": { - "address": { 
- "ignore_above": 1024, - "type": "keyword" - }, - "city": { - "ignore_above": 1024, - "type": "keyword" - }, - "comments": { - "ignore_above": 1024, - "type": "keyword" + "date": { + "type": "date" }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "disable_correlation": { + "type": "boolean" }, - "email": { + "distribution": { "ignore_above": 1024, "type": "keyword" }, - "first_name": { + "extends_uuid": { "ignore_above": 1024, "type": "keyword" }, 
@@ -24773,234 +691,91 @@ "ignore_above": 1024, "type": "keyword" }, - "industry": { - "ignore_above": 1024, - "type": "keyword" - }, - "job_title": { - "ignore_above": 1024, - "type": "keyword" - }, - "join_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_name": { + "info": { "ignore_above": 1024, "type": "keyword" }, - "no_of_employees": { - "ignore_above": 1024, - "type": "keyword" + "locked": { + "type": "boolean" }, "org": { - "ignore_above": 1024, - "type": "keyword" - }, - "phone": { - "ignore_above": 1024, - "type": "keyword" - }, - "purchasing_time_frame": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_in_purchase_process": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "zip": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "settings": { - "type": "flattened" - }, - "sub_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "user": { - "properties": { - "client_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "dept": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "first_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "language": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "personal_notes": { - "ignore_above": 1024, - "type": "keyword" - }, - "phone_country": { - "ignore_above": 1024, - "type": "keyword" - }, - "phone_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "pic_url": { - "ignore_above": 1024, - "type": "keyword" + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "local": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "pmi": { + "org_id": { "ignore_above": 1024, "type": "keyword" }, - "presence_status": { - "ignore_above": 1024, - "type": "keyword" + "orgc": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "local": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } }, - "role": { + "orgc_id": { "ignore_above": 1024, "type": "keyword" }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + "proposal_email_lock": { + "type": "boolean" }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "publish_timestamp": { + "type": "date" }, - "use_pmi": { + "published": { "type": "boolean" }, - "vanity_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "webinar": { - "properties": { - "agenda": { + "sharing_group_id": { "ignore_above": 1024, "type": "keyword" }, - "duration": { + "threat_level_id": { "type": "long" }, - "host_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "issues": { - "ignore_above": 1024, - "type": "keyword" - }, - "join_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "start_time": { + "timestamp": { "type": "date" }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "topic": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, "uuid": { "ignore_above": 1024, "type": "keyword" } } }, - "zoomroom": { + "otx": { "properties": { - "alert_kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert_type": { - "ignore_above": 1024, - "type": 
"keyword" - }, - "calendar_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "calendar_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "change_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "component": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { + "content": { "ignore_above": 1024, "type": "keyword" }, - "event_id": { + "description": { "ignore_above": 1024, "type": "keyword" }, @@ -25008,15 +783,15 @@ "ignore_above": 1024, "type": "keyword" }, - "issue": { + "indicator": { "ignore_above": 1024, "type": "keyword" }, - "resource_email": { + "title": { "ignore_above": 1024, "type": "keyword" }, - "room_name": { + "type": { "ignore_above": 1024, "type": "keyword" } From 88c6c2d17b79b202cab8dbd103a564e0b42c21aa Mon Sep 17 00:00:00 2001 From: Gloria Hornero Date: Wed, 24 Mar 2021 11:28:33 +0100 Subject: [PATCH 8/9] fixes typecheck issue --- .../integration/detection_rules/indicator_match_rule.spec.ts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts index 0e605e709c94a..b128af2271e3a 100644 --- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts @@ -6,7 +6,7 @@ */ import { formatMitreAttackDescription } from '../../helpers/rules'; -import { expectedExportedRule, indexPatterns, newThreatIndicatorRule } from '../../objects/rule'; +import { indexPatterns, newThreatIndicatorRule } from '../../objects/rule'; import { ALERT_RULE_METHOD, 
@@ -16,7 +16,7 @@ import {
 ALERT_RULE_VERSION,
 NUMBER_OF_ALERTS,
 } from '../../screens/alerts';
-import { JSON_CONTENT, JSON_LINES } from '../../screens/alerts_details';
+import { JSON_LINES } from '../../screens/alerts_details';
 import {
 CUSTOM_RULES_BTN,
 RISK_SCORE,
From 9e7968b789c34cfb30d41161831a98995865d2a7 Mon Sep 17 00:00:00 2001
From: Gloria Hornero
Date: Wed, 24 Mar 2021 15:10:11 +0100
Subject: [PATCH 9/9] updates tests with latest master changes
---
 .../detection_rules/indicator_match_rule.spec.ts | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
index b128af2271e3a..e1e78f8e310e1 100644
--- a/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
+++ b/x-pack/plugins/security_solution/cypress/integration/detection_rules/indicator_match_rule.spec.ts
@@ -498,13 +498,13 @@ describe('indicator match', () => {
 ];
 const expectedEnrichment = [
- { line: 31, text: ' "threat": {' },
+ { line: 4, text: ' "threat": {' },
 {
- line: 32,
+ line: 3,
 text: ' "indicator": "{\\"first_seen\\":\\"2021-03-10T08:02:14.000Z\\",\\"file\\":{\\"size\\":80280,\\"pe\\":{},\\"type\\":\\"elf\\",\\"hash\\":{\\"sha256\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"tlsh\\":\\"6D7312E017B517CC1371A8353BED205E9128223972AE35302E97528DF957703BAB2DBE\\",\\"ssdeep\\":\\"1536:87vbq1lGAXSEYQjbChaAU2yU23M51DjZgSQAvcYkFtZTjzBht5:8D+CAXFYQChaAUk5ljnQssL\\",\\"md5\\":\\"9b6c3518a91d23ed77504b5416bfb5b3\\"}},\\"type\\":\\"file\\",\\"matched\\":{\\"atomic\\":\\"a04ac6d98ad989312783d4fe3456c53730b212c79a426fb215708b6c6daa3de3\\",\\"field\\":\\"myhash.mysha256\\",\\"id\\":\\"84cf452c1e0375c3d4412cb550bd1783358468a3b3b777da4829d72c7d6fb74f\\",\\"index\\":\\"filebeat-7.12.0-2021.03.10-000001\\",\\"type\\":\\"file\\"}}"',
 },
- { line: 33, text: ' }' },
+ { line: 2, text: ' }' },
 ];
 before(() => {
@@ -542,8 +542,11 @@ describe('indicator match', () => {
 scrollJsonViewToBottom();
 cy.get(JSON_LINES).then((elements) => {
+ const length = elements.length;
 expectedEnrichment.forEach((enrichment) => {
- cy.wrap(elements).eq(enrichment.line).should('have.text', enrichment.text);
+ cy.wrap(elements)
+ .eq(length - enrichment.line)
+ .should('have.text', enrichment.text);
 });
 });
 });
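Review bot: The new `line` values (4, 3, 2) are offsets counted back from the last rendered JSON line, but the field is still called `line` and nothing in the fixture says so, so the next reader will take `line: 2` for an absolute index as the old 31/32/33 were. Either rename it, e.g. `{ linesFromEnd: 4, text: ' "threat": {' }`, or put a comment above `const expectedEnrichment = [` such as `// line = 1-based offset from the end of the rendered JSON view (1 = last line)`. The expected `indicator` text also pins the source index name `filebeat-7.12.0-2021.03.10-000001` and the matched `id`; regenerating the threat_indicator archive changes both and fails this test with no product change, so consider asserting only the hash and `matched.field`/`matched.atomic` parts. The enclosing describe block starts before the hunk and the `before` hook continues after it.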
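Review bot: `.eq(length - enrichment.line)` goes negative when the view renders fewer lines than `enrichment.line`, and Cypress `.eq()` treats a negative index as counting from the end, so a truncated or still-loading view would assert against the wrong line instead of failing clearly; a guard such as `expect(length).to.be.greaterThan(enrichment.line);` before the `cy.wrap` makes the failure explicit. The preceding `scrollJsonViewToBottom()` suggests the viewer may render only a window of lines, in which case `elements.length` is the size of that window — fine for indexing from the end, but presumably only after the scroll has settled; confirm `cy.get(JSON_LINES)` is queued after the scroll command rather than racing it. A one-line comment would also spare the next reader the subtraction: `// index from the end so the assertion survives fields added above "threat"`. The `it` block containing this code starts outside the hunk.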