diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b68d4ae..a7dba62b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -55,6 +55,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), - Restructuring of the repository tooling [(#625)](https://github.com/wazuh/wazuh-indexer-plugins/pull/625) - Fix mdbook to version 0.4.x [(#627)](https://github.com/wazuh/wazuh-indexer-plugins/pull/627) - Adapt WCS generation script to save the ECS flat of stateless module [(#646)](https://github.com/wazuh/wazuh-indexer-plugins/pull/646) +- Replace time-series indices with data streams [(#562)](https://github.com/wazuh/wazuh-indexer-plugins/pull/562) ### Deprecated - diff --git a/docs/ref/modules/setup/index.md b/docs/ref/modules/setup/index.md index 97c191f5..88c00fcf 100644 --- a/docs/ref/modules/setup/index.md +++ b/docs/ref/modules/setup/index.md @@ -3,9 +3,9 @@ The `wazuh-indexer-setup` plugin is a module composing the Wazuh Indexer responsible for the initialization of the indices required by Wazuh to store all the data gathered and generated by other Central Components, such as the agents and the server (engine). The Wazuh Indexer Setup Plugin in responsible for: -- Create the index templates, to define the mappings and settings of the indices. -- Create the initial indices. We distinguish between **stateful** and **stateless** indices. Stateful indices are unique, and its data is update over time (agents' inventory), stateless indices are rotated and static (alerts). -- For stateless indices, it creates the indices aliases and lifecycle policies for rollover. +- Create the index templates, to define the mappings and settings for the indices. +- Create the initial indices. We distinguish between **stateful** and **stream** indices. While stream indices contain immutable time-series data and are rolled over periodically, stateful indices store dynamic data that can change over time and reside in a single index. +- Stream indices are created with a data stream configuration and an ISM rollover policy. ## Indices diff --git a/ecs/generator/generate_schema.sh b/ecs/generator/generate_schema.sh index 59e31b9c..6055f3a0 100755 --- a/ecs/generator/generate_schema.sh +++ b/ecs/generator/generate_schema.sh @@ -53,12 +53,10 @@ function detect_modified_modules() { modified_files=$(git diff --name-only origin/"$BASE_BRANCH") for file in $modified_files; do if [[ $file == ecs/state* && ( $file == *.yml || $file == *.json ) ]]; then - matched=false # Try to match the file to one of the known module keys for exact detection for key in "${!module_to_file[@]}"; do if [[ $file == ecs/$key/* || $file == ecs/$key ]]; then ecs_module="$key" - matched=true break fi done @@ -157,7 +155,7 @@ function copy_files() { echo "---> Index templates" local destination_file local resources_path="plugins/setup/src/main/resources" - local mappings_path="mappings/${ECS_VERSION}/generated/elasticsearch/legacy/template.json" + local mappings_path="mappings/${ECS_VERSION}/generated/elasticsearch/legacy/opensearch-template.json" for ecs_module in "${modules_to_update[@]}"; do # Copying index templates to the initialization plugin resources folder destination_file=${module_to_file[$ecs_module]} diff --git a/ecs/generator/images/generator.sh b/ecs/generator/images/generator.sh index 1ca0ed39..2af62d9a 100755 --- a/ecs/generator/images/generator.sh +++ b/ecs/generator/images/generator.sh @@ -74,14 +74,28 @@ generate_mappings() { fi # Transform legacy index template for OpenSearch compatibility - jq '{ - "index_patterns": .index_patterns, - "priority": .order, - "template": { - "settings": .settings, - "mappings": .mappings - } - }' "$in_file" >"$out_dir/generated/elasticsearch/legacy/opensearch-template.json" + if [[ "$ecs_module" =~ "stateless/" ]]; then + # Transform time-series templates to use data streams + jq '{ + "index_patterns": .index_patterns, + "priority": .order, + "data_stream": {}, + "template": { + "settings": .settings, + "mappings": .mappings + } + }' "$in_file" >"$out_dir/generated/elasticsearch/legacy/opensearch-template.json" + else + # Stateful templates remain unchanged except for the formatting + jq '{ + "index_patterns": .index_patterns, + "priority": .order, + "template": { + "settings": .settings, + "mappings": .mappings + } + }' "$in_file" >"$out_dir/generated/elasticsearch/legacy/opensearch-template.json" + fi echo "Mappings saved to $out_dir" } diff --git a/ecs/stateless/access-management/fields/template-settings-legacy.json b/ecs/stateless/access-management/fields/template-settings-legacy.json index 30b449e1..59196419 100644 --- a/ecs/stateless/access-management/fields/template-settings-legacy.json +++ b/ecs/stateless/access-management/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-access-management-*" + "wazuh-events-v5-access-management*" ], "order": 1, "settings": { diff --git a/ecs/stateless/access-management/fields/template-settings.json b/ecs/stateless/access-management/fields/template-settings.json index d2fb251d..36fd68ed 100644 --- a/ecs/stateless/access-management/fields/template-settings.json +++ b/ecs/stateless/access-management/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-access-management-*" + "wazuh-events-v5-access-management*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-access-management", diff --git a/ecs/stateless/applications/fields/template-settings-legacy.json b/ecs/stateless/applications/fields/template-settings-legacy.json index ebcbf4fb..2acb390c 100644 --- a/ecs/stateless/applications/fields/template-settings-legacy.json +++ b/ecs/stateless/applications/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-applications-*" + "wazuh-events-v5-applications*" ], "order": 1, "settings": { diff --git a/ecs/stateless/applications/fields/template-settings.json b/ecs/stateless/applications/fields/template-settings.json index 2406bfaa..ec63a8fb 100644 --- a/ecs/stateless/applications/fields/template-settings.json +++ b/ecs/stateless/applications/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-applications-*" + "wazuh-events-v5-applications*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-applications", diff --git a/ecs/stateless/cloud-services/aws/fields/template-settings-legacy.json b/ecs/stateless/cloud-services/aws/fields/template-settings-legacy.json index 4871024c..59dc6ad6 100644 --- a/ecs/stateless/cloud-services/aws/fields/template-settings-legacy.json +++ b/ecs/stateless/cloud-services/aws/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-aws-*" + "wazuh-events-v5-cloud-services-aws*" ], "order": 10, "settings": { diff --git a/ecs/stateless/cloud-services/aws/fields/template-settings.json b/ecs/stateless/cloud-services/aws/fields/template-settings.json index 791b6909..b9965ef8 100644 --- a/ecs/stateless/cloud-services/aws/fields/template-settings.json +++ b/ecs/stateless/cloud-services/aws/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-aws-*" + "wazuh-events-v5-cloud-services-aws*" ], "priority": 10, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-aws", diff --git a/ecs/stateless/cloud-services/azure/fields/template-settings-legacy.json b/ecs/stateless/cloud-services/azure/fields/template-settings-legacy.json index 82feaac9..3ac06407 100644 --- a/ecs/stateless/cloud-services/azure/fields/template-settings-legacy.json +++ b/ecs/stateless/cloud-services/azure/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-azure-*" + "wazuh-events-v5-cloud-services-azure*" ], "order": 10, "settings": { diff --git a/ecs/stateless/cloud-services/azure/fields/template-settings.json b/ecs/stateless/cloud-services/azure/fields/template-settings.json index 6d594e9d..d89c779a 100644 --- a/ecs/stateless/cloud-services/azure/fields/template-settings.json +++ b/ecs/stateless/cloud-services/azure/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-azure-*" + "wazuh-events-v5-cloud-services-azure*" ], "priority": 10, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-azure", diff --git a/ecs/stateless/cloud-services/gcp/fields/template-settings-legacy.json b/ecs/stateless/cloud-services/gcp/fields/template-settings-legacy.json index b28e7442..950a032d 100644 --- a/ecs/stateless/cloud-services/gcp/fields/template-settings-legacy.json +++ b/ecs/stateless/cloud-services/gcp/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-gcp-*" + "wazuh-events-v5-cloud-services-gcp*" ], "order": 10, "settings": { diff --git a/ecs/stateless/cloud-services/gcp/fields/template-settings.json b/ecs/stateless/cloud-services/gcp/fields/template-settings.json index 1a1d98cd..a879e203 100644 --- a/ecs/stateless/cloud-services/gcp/fields/template-settings.json +++ b/ecs/stateless/cloud-services/gcp/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-gcp-*" + "wazuh-events-v5-cloud-services-gcp*" ], "priority": 10, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-gcp", diff --git a/ecs/stateless/cloud-services/main/fields/template-settings-legacy.json b/ecs/stateless/cloud-services/main/fields/template-settings-legacy.json index a10ac218..bee5d619 100644 --- a/ecs/stateless/cloud-services/main/fields/template-settings-legacy.json +++ b/ecs/stateless/cloud-services/main/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-*" + "wazuh-events-v5-cloud-services*" ], "order": 1, "settings": { diff --git a/ecs/stateless/cloud-services/main/fields/template-settings.json b/ecs/stateless/cloud-services/main/fields/template-settings.json index 18a94a6e..41a19909 100644 --- a/ecs/stateless/cloud-services/main/fields/template-settings.json +++ b/ecs/stateless/cloud-services/main/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-*" + "wazuh-events-v5-cloud-services*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services", diff --git a/ecs/stateless/main/fields/template-settings-legacy.json b/ecs/stateless/main/fields/template-settings-legacy.json index a838e056..9cacf042 100644 --- a/ecs/stateless/main/fields/template-settings-legacy.json +++ b/ecs/stateless/main/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-alerts-v5-*" + "wazuh-alerts-v5*" ], "order": 1, "settings": { diff --git a/ecs/stateless/main/fields/template-settings.json b/ecs/stateless/main/fields/template-settings.json index 9acd69d5..9826b95d 100644 --- a/ecs/stateless/main/fields/template-settings.json +++ b/ecs/stateless/main/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-alerts-v5-*" + "wazuh-alerts-v5*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-alerts-v5", diff --git a/ecs/stateless/network-activity/fields/template-settings-legacy.json b/ecs/stateless/network-activity/fields/template-settings-legacy.json index b4c796c9..066caa38 100644 --- a/ecs/stateless/network-activity/fields/template-settings-legacy.json +++ b/ecs/stateless/network-activity/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-network-activity-*" + "wazuh-events-v5-network-activity*" ], "order": 1, "settings": { diff --git a/ecs/stateless/network-activity/fields/template-settings.json b/ecs/stateless/network-activity/fields/template-settings.json index 41fd2baa..679bc21a 100644 --- a/ecs/stateless/network-activity/fields/template-settings.json +++ b/ecs/stateless/network-activity/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-network-activity-*" + "wazuh-events-v5-network-activity*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-network-activity", diff --git a/ecs/stateless/other/fields/template-settings-legacy.json b/ecs/stateless/other/fields/template-settings-legacy.json index 140a5a18..e11e2f42 100644 --- a/ecs/stateless/other/fields/template-settings-legacy.json +++ b/ecs/stateless/other/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-other-*" + "wazuh-events-v5-other*" ], "order": 1, "settings": { diff --git a/ecs/stateless/other/fields/template-settings.json b/ecs/stateless/other/fields/template-settings.json index 2a167daa..344a642e 100644 --- a/ecs/stateless/other/fields/template-settings.json +++ b/ecs/stateless/other/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-other-*" + "wazuh-events-v5-other*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-other", diff --git a/ecs/stateless/security/fields/template-settings-legacy.json b/ecs/stateless/security/fields/template-settings-legacy.json index 79aa6e77..cad71e84 100644 --- a/ecs/stateless/security/fields/template-settings-legacy.json +++ b/ecs/stateless/security/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-security-*" + "wazuh-events-v5-security*" ], "order": 1, "settings": { diff --git a/ecs/stateless/security/fields/template-settings.json b/ecs/stateless/security/fields/template-settings.json index 431a741a..dd0c01e6 100644 --- a/ecs/stateless/security/fields/template-settings.json +++ b/ecs/stateless/security/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-security-*" + "wazuh-events-v5-security*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-security", diff --git a/ecs/stateless/system-activity/fields/template-settings-legacy.json b/ecs/stateless/system-activity/fields/template-settings-legacy.json index b9242818..bd426c48 100644 --- a/ecs/stateless/system-activity/fields/template-settings-legacy.json +++ b/ecs/stateless/system-activity/fields/template-settings-legacy.json @@ -1,6 +1,6 @@ { "index_patterns": [ - "wazuh-events-v5-system-activity-*" + "wazuh-events-v5-system-activity*" ], "order": 1, "settings": { diff --git a/ecs/stateless/system-activity/fields/template-settings.json b/ecs/stateless/system-activity/fields/template-settings.json index e123f2f7..dec0e4fb 100644 --- a/ecs/stateless/system-activity/fields/template-settings.json +++ b/ecs/stateless/system-activity/fields/template-settings.json @@ -1,8 +1,9 @@ { "index_patterns": [ - "wazuh-events-v5-system-activity-*" + "wazuh-events-v5-system-activity*" ], "priority": 1, + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-system-activity", diff --git a/ecs/stateless/template/fields/template-settings-legacy.json b/ecs/stateless/template/fields/template-settings-legacy.json index 7ae84569..4dc15a66 100644 --- a/ecs/stateless/template/fields/template-settings-legacy.json +++ b/ecs/stateless/template/fields/template-settings-legacy.json @@ -1,5 +1,5 @@ { - "index_patterns": ["wazuh-events-v5--*"], + "index_patterns": ["wazuh-events-v5-*"], "order": "", "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-", diff --git a/ecs/stateless/template/fields/template-settings.json b/ecs/stateless/template/fields/template-settings.json index 7cf1bea3..029a2abb 100644 --- a/ecs/stateless/template/fields/template-settings.json +++ b/ecs/stateless/template/fields/template-settings.json @@ -1,6 +1,7 @@ { - "index_patterns": ["wazuh-events-v5--*"], + "index_patterns": ["wazuh-events-v5-*"], "priority": "", + "data_stream": {}, "template": { "settings": { "plugins.index_state_management.rollover_alias": "wazuh-events-v5-", diff --git a/plugins/setup/build.gradle b/plugins/setup/build.gradle index 53a909c7..c8a77316 100644 --- a/plugins/setup/build.gradle +++ b/plugins/setup/build.gradle @@ -1,24 +1,25 @@ import org.opensearch.gradle.test.RestIntegTestTask + import java.util.concurrent.Callable buildscript { - ext { - opensearch_version = System.getProperty("opensearch.version", "3.3.2-SNAPSHOT") - opensearch_build = opensearch_version.replace("-SNAPSHOT","") + ".0" - wazuh_version = System.getProperty("version", "5.0.0") - revision = System.getProperty("revision", "0") - } + ext { + opensearch_version = System.getProperty("opensearch.version", "3.3.2-SNAPSHOT") + opensearch_build = opensearch_version.replace("-SNAPSHOT", "") + ".0" + wazuh_version = System.getProperty("version", "5.0.0") + revision = System.getProperty("revision", "0") + } - repositories { - mavenLocal() - maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" } - mavenCentral() - maven { url "https://plugins.gradle.org/m2/" } - } + repositories { + mavenLocal() + maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" } + mavenCentral() + maven { url "https://plugins.gradle.org/m2/" } + } - dependencies { - classpath "org.opensearch.gradle:build-tools:${opensearch_version}" - } + dependencies { + classpath "org.opensearch.gradle:build-tools:${opensearch_version}" + } } apply plugin: 'java' @@ -37,56 +38,61 @@ def pathToPlugin = 'setup' def pluginClassName = 'SetupPlugin' publishing { - publications { - pluginZip(MavenPublication) { publication -> - pom { - name = pluginName - description = pluginDescription - licenses { - license { - name = "GNU Affero General Public License (AGPL) version 3.0" - url = "http://www.gnu.org/licenses/agpl-3.0.txt" - } - } - developers { - developer { - name = "Wazuh" - url = "https://wazuh.com" - } - } - } + publications { + pluginZip(MavenPublication) { publication -> + pom { + name = pluginName + description = pluginDescription + licenses { + license { + name = "GNU Affero General Public License (AGPL) version 3.0" + url = "http://www.gnu.org/licenses/agpl-3.0.txt" + } } + developers { + developer { + name = "Wazuh" + url = "https://wazuh.com" + } + } + } } + } } allprojects { - group = "${projectPath}" - version = "${wazuh_version}" + ".${revision}" - targetCompatibility = JavaVersion.VERSION_21 - sourceCompatibility = JavaVersion.VERSION_21 + group = "${projectPath}" + version = "${wazuh_version}" + ".${revision}" + targetCompatibility = JavaVersion.VERSION_21 + sourceCompatibility = JavaVersion.VERSION_21 } opensearchplugin { - name pluginName - description pluginDescription - classname "${projectPath}.${pathToPlugin}.${pluginClassName}" - extendedPlugins = ['opensearch-index-management'] - licenseFile rootProject.file('LICENSE.txt') - noticeFile rootProject.file('NOTICE.txt') + name pluginName + description pluginDescription + classname "${projectPath}.${pathToPlugin}.${pluginClassName}" + extendedPlugins = ['opensearch-index-management'] + licenseFile rootProject.file('LICENSE.txt') + noticeFile rootProject.file('NOTICE.txt') } configurations { - zipArchive + zipArchive } dependencies { - implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.25.2" - implementation "org.slf4j:slf4j-api:2.0.17" + implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.25.2" + implementation "org.slf4j:slf4j-api:2.0.17" - // Job Scheduler & ISM stuff (required for the initialization of ISM policies) - zipArchive group: 'org.opensearch.plugin', name: 'opensearch-job-scheduler', version: opensearch_build - zipArchive group: 'org.opensearch.plugin', name: 'opensearch-index-management', version: opensearch_build - compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}" + // Use Jackson provided by OpenSearch (2.18.2) - only for compile time + compileOnly 'com.fasterxml.jackson.core:jackson-core:2.18.2' + implementation 'com.fasterxml.jackson.core:jackson-databind:2.18.2' + implementation 'com.fasterxml.jackson.core:jackson-annotations:2.18.2' + + // Job Scheduler & ISM stuff (required for the initialization of ISM policies) + zipArchive group: 'org.opensearch.plugin', name: 'opensearch-job-scheduler', version: opensearch_build + zipArchive group: 'org.opensearch.plugin', name: 'opensearch-index-management', version: opensearch_build + compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}" } // No need to validate license headers since spotless checks and applies it @@ -102,30 +108,30 @@ validateNebulaPom.enabled = false dependencyLicenses.enabled = false repositories { - mavenLocal() - maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" } - mavenCentral() - maven { url "https://plugins.gradle.org/m2/" } + mavenLocal() + maven { url "https://ci.opensearch.org/ci/dbc/snapshots/maven/" } + mavenCentral() + maven { url "https://plugins.gradle.org/m2/" } } test { - include '**/*Tests.class' + include '**/*Tests.class' } def getPlugin(pluginName) { - provider(new Callable() { + provider(new Callable() { + @Override + RegularFile call() throws Exception { + return new RegularFile() { @Override - RegularFile call() throws Exception { - return new RegularFile() { - @Override - File getAsFile() { - return configurations.zipArchive.asFileTree.matching { - include String.format("**/%s*", pluginName) - }.singleFile - } - } + File getAsFile() { + return configurations.zipArchive.asFileTree.matching { + include String.format("**/%s*", pluginName) + }.singleFile } - }) + } + } + }) } task integTest(type: RestIntegTestTask) { @@ -136,40 +142,54 @@ task integTest(type: RestIntegTestTask) { tasks.named("check").configure { dependsOn(integTest) } integTest { - // The --debug-jvm command-line option makes the cluster debuggable; this makes the tests debuggable - if (System.getProperty("test.debug") != null) { - jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005' - } + // The --debug-jvm command-line option makes the cluster debuggable; this makes the tests debuggable + if (System.getProperty("test.debug") != null) { + jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005' + } } - -testClusters.integTest { +testClusters { + integTest { plugin(getPlugin("opensearch-job-scheduler")) plugin(getPlugin("opensearch-index-management")) testDistribution = "INTEG_TEST" + // This installs our plugin into the testClusters plugin(project.tasks.bundlePlugin.archiveFile) // The --debug-jvm command-line option makes the cluster debuggable; this makes the tests debuggable if (System.getProperty("cluster.debug") != null) { - jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005' + jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005' } + } + + runCluster { + plugin(getPlugin("opensearch-job-scheduler")) + plugin(getPlugin("opensearch-index-management")) + + testDistribution = "ARCHIVE" + + plugin(project.tasks.bundlePlugin.archiveFile) + + if (System.getProperty("run.cluster.debug") != null) { + jvmArgs '-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=*:5005' + } + } } run { - useCluster testClusters.integTest + useCluster testClusters.runCluster } // updateVersion: Task to auto update version to the next development iteration task updateVersion { - onlyIf { System.getProperty('newVersion') } - doLast { - ext.newVersion = System.getProperty('newVersion') - println "Setting version to ${newVersion}." - // String tokenization to support -SNAPSHOT - ant.replaceregexp(file: 'build.gradle', match: '"opensearch.version", "\\d.*"', replace: '"opensearch.version", "' + newVersion.tokenize('-')[0] + '-SNAPSHOT"', flags: 'g', byline: true) - } + onlyIf { System.getProperty('newVersion') } + doLast { + ext.newVersion = System.getProperty('newVersion') + println "Setting version to ${newVersion}." + // String tokenization to support -SNAPSHOT + ant.replaceregexp(file: 'build.gradle', match: '"opensearch.version", "\\d.*"', replace: '"opensearch.version", "' + newVersion.tokenize('-')[0] + '-SNAPSHOT"', flags: 'g', byline: true) + } } - diff --git a/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java b/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java index 38ebb08c..a942ad5c 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/SetupPlugin.java @@ -43,7 +43,7 @@ import com.wazuh.setup.index.IndexStateManagement; import com.wazuh.setup.index.StateIndex; import com.wazuh.setup.index.StreamIndex; import com.wazuh.setup.settings.PluginSettings; -import com.wazuh.setup.utils.IndexUtils; +import com.wazuh.setup.utils.JsonUtils; /** * Main class of the Indexer Setup plugin. This plugin is responsible for the creation of the index @@ -87,14 +87,13 @@ public class SetupPlugin extends Plugin implements ClusterPlugin { // ISM index this.indices.add(new IndexStateManagement(IndexStateManagement.ISM_INDEX_NAME, "templates/ism-config")); // Stream indices - this.indices.add(new StreamIndex("wazuh-alerts-v5-000001", "templates/streams/alerts", "wazuh-alerts-v5")); - this.indices.add(new StreamIndex("wazuh-archives-v5-000001", "templates/streams/archives", "wazuh-archives-v5")); + this.indices.add(new StreamIndex("wazuh-alerts-v5", "templates/streams/alerts")); + this.indices.add(new StreamIndex("wazuh-archives-v5", "templates/streams/archives")); // Decoder indices for (String category : this.categories) { this.indices.add(new StreamIndex( - "wazuh-events-v5-" + category + "-000001", - "templates/streams/" + category, - "wazuh-events-v5-" + category + "wazuh-events-v5-" + category, + "templates/streams/" + category )); } @@ -122,12 +121,12 @@ public class SetupPlugin extends Plugin implements ClusterPlugin { // spotless:on // Inject dependencies - IndexUtils utils = new IndexUtils(); + JsonUtils utils = new JsonUtils(); this.indices.forEach( index -> { index.setClient(client); index.setClusterService(clusterService); - index.setIndexUtils(utils); + index.setUtils(utils); }); return Collections.emptyList(); diff --git a/plugins/setup/src/main/java/com/wazuh/setup/index/Index.java b/plugins/setup/src/main/java/com/wazuh/setup/index/Index.java index b90cb726..59b957ca 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/index/Index.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/index/Index.java @@ -16,22 +16,26 @@ */ package com.wazuh.setup.index; +import com.fasterxml.jackson.databind.ObjectMapper; + import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.ResourceAlreadyExistsException; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; -import org.opensearch.action.admin.indices.template.put.PutIndexTemplateRequest; -import org.opensearch.action.support.clustermanager.AcknowledgedResponse; +import org.opensearch.action.admin.indices.template.put.PutComposableIndexTemplateAction; +import org.opensearch.cluster.metadata.ComposableIndexTemplate; import org.opensearch.cluster.service.ClusterService; +import org.opensearch.common.compress.CompressedXContent; +import org.opensearch.common.settings.Settings; import org.opensearch.transport.client.Client; import java.io.IOException; -import java.util.List; -import java.util.Map; +import java.io.InputStream; +import com.wazuh.setup.model.IndexTemplate; import com.wazuh.setup.settings.PluginSettings; -import com.wazuh.setup.utils.IndexUtils; +import com.wazuh.setup.utils.JsonUtils; /** * Abstract class with the required logic to create indices. In our context, an index always require @@ -45,7 +49,7 @@ public abstract class Index implements IndexInitializer { // Dependencies. Client client; ClusterService clusterService; - IndexUtils indexUtils; + JsonUtils jsonUtils; // Properties. String index; @@ -87,12 +91,12 @@ public abstract class Index implements IndexInitializer { } /** - * Sets the IndexUtils instance. + * Sets the JsonUtils instance. * - * @param indexUtils the IndexUtils instance to set. + * @param jsonUtils the JsonUtils instance to set. */ - public void setIndexUtils(IndexUtils indexUtils) { - this.indexUtils = indexUtils; + public void setUtils(JsonUtils jsonUtils) { + this.jsonUtils = jsonUtils; } /** @@ -137,42 +141,45 @@ public abstract class Index implements IndexInitializer { } log.warn("Operation to create the index [{}] timed out. Retrying...", index); this.retry_index_creation = false; - this.indexUtils.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); + this.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); this.createIndex(index); } } /** - * Creates an index template. + * Creates an index template (v2). * * @param template name of the index template to create. */ public void createTemplate(String template) { try { - Map templateFile = this.indexUtils.fromFile(template + ".json"); + // Read JSON index template + ObjectMapper mapper = new ObjectMapper(); + InputStream is = this.getClass().getClassLoader().getResourceAsStream(template + ".json"); + IndexTemplate indexTemplate = mapper.readValue(is, IndexTemplate.class); - PutIndexTemplateRequest putIndexTemplateRequest = - new PutIndexTemplateRequest() - .mapping(this.indexUtils.get(templateFile, "mappings")) - .settings(this.indexUtils.get(templateFile, "settings")) - .order((int) templateFile.getOrDefault("order", 0)) - .name(template) - .patterns((List) templateFile.get("index_patterns")); + // Create a V2 template (ComposableIndexTemplate) + String indexMappings = mapper.writeValueAsString(indexTemplate.getMappings()); + CompressedXContent compressedMapping = new CompressedXContent(indexMappings); + Settings settings = Settings.builder().loadFromMap(indexTemplate.getSettings()).build(); + ComposableIndexTemplate composableTemplate = + indexTemplate.getComposableIndexTemplate(settings, compressedMapping); - AcknowledgedResponse createIndexTemplateResponse = - this.client - .admin() - .indices() - .putTemplate(putIndexTemplateRequest) - .actionGet(PluginSettings.getTimeout(this.clusterService.getSettings())); - - log.info( - "Index template created successfully: {} {}", - template, - createIndexTemplateResponse.isAcknowledged()); + // Use the V2 API to put the template + PutComposableIndexTemplateAction.Request request = + new PutComposableIndexTemplateAction.Request(template) + .indexTemplate(composableTemplate) + .create(false); + // Put index template + this.client + .execute(PutComposableIndexTemplateAction.INSTANCE, request) + .actionGet(PluginSettings.getTimeout(this.clusterService.getSettings())); } catch (IOException e) { - log.error("Error reading index template from filesystem {}", template); + log.error( + "Error reading index template from filesystem [{}]. Caused by: {}", + template, + e.toString()); } catch (ResourceAlreadyExistsException e) { log.info("Index template {} already exists. Skipping.", template); } catch ( @@ -188,7 +195,7 @@ public abstract class Index implements IndexInitializer { } log.warn("Operation to create the index template [{}] timed out. Retrying...", template); this.retry_template_creation = false; - this.indexUtils.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); + this.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); this.createTemplate(template); } } @@ -201,4 +208,17 @@ public abstract class Index implements IndexInitializer { this.createTemplate(this.template); this.createIndex(this.index); } + + /** + * Utility method to wrap up the call to {@link Thread#sleep(long)} on a try-catch block. + * + * @param millis sleep interval in milliseconds. + */ + void sleep(long millis) { + try { + Thread.sleep(millis); + } catch (InterruptedException ex) { + throw new RuntimeException(ex); + } + } } diff --git a/plugins/setup/src/main/java/com/wazuh/setup/index/IndexStateManagement.java b/plugins/setup/src/main/java/com/wazuh/setup/index/IndexStateManagement.java index e776ecef..abfc646f 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/index/IndexStateManagement.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/index/IndexStateManagement.java @@ -16,6 +16,8 @@ */ package com.wazuh.setup.index; +import com.fasterxml.jackson.databind.ObjectMapper; + import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.ResourceAlreadyExistsException; @@ -25,10 +27,12 @@ import org.opensearch.action.index.IndexRequest; import org.opensearch.core.xcontent.MediaTypeRegistry; import java.io.IOException; +import java.io.InputStream; import java.util.ArrayList; import java.util.List; import java.util.Map; +import com.wazuh.setup.model.IndexTemplate; import com.wazuh.setup.settings.PluginSettings; /** @@ -38,7 +42,7 @@ import com.wazuh.setup.settings.PluginSettings; public class IndexStateManagement extends Index { private static final Logger log = LogManager.getLogger(IndexStateManagement.class); - // ISM index name + /** ISM index name */ public static final String ISM_INDEX_NAME = ".opendistro-ism-config"; // ISM policies names (filename without extension) @@ -74,10 +78,11 @@ public class IndexStateManagement extends Index { * * @param policy policy name to create. */ - private void indexPolicy(String policy) { + void indexPolicy(String policy) { try { Map policyFile; - policyFile = this.indexUtils.fromFile(STREAM_ROLLOVER_POLICY_PATH); + + policyFile = this.jsonUtils.fromFile(STREAM_ROLLOVER_POLICY_PATH); IndexRequest indexRequest = new IndexRequest(this.index) @@ -102,7 +107,7 @@ public class IndexStateManagement extends Index { } log.warn("Operation to create the policy [{}] timed out. Retrying...", policy); this.retry_index_creation = false; - this.indexUtils.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); + this.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); this.indexPolicy(policy); } } @@ -119,12 +124,16 @@ public class IndexStateManagement extends Index { // For some reason the index template is not applied to the ISM internal index // ".opendistro-ism-config", so we explicitly set the index mappings and settings // as part of the CreateIndexRequest. - Map templateFile = this.indexUtils.fromFile(this.template + ".json"); + // Read JSON index template + ObjectMapper mapper = new ObjectMapper(); + InputStream is = + this.getClass().getClassLoader().getResourceAsStream(this.template + ".json"); + IndexTemplate indexTemplate = mapper.readValue(is, IndexTemplate.class); CreateIndexRequest request = new CreateIndexRequest(index) - .mapping(this.indexUtils.get(templateFile, "mappings")) - .settings(this.indexUtils.get(templateFile, "settings")); + .mapping(indexTemplate.getMappings()) + .settings(indexTemplate.getSettings()); CreateIndexResponse createIndexResponse = this.client .admin() @@ -136,10 +145,13 @@ public class IndexStateManagement extends Index { createIndexResponse.index(), createIndexResponse.isAcknowledged()); } - } catch (IOException e) { - log.error("Error reading index template from filesystem {}", this.template); } catch (ResourceAlreadyExistsException e) { log.info("Index {} already exists. Skipping.", index); + } catch (IOException e) { + log.error( + "Error reading index template from filesystem [{}]. Caused by: {}", + this.template, + e.toString()); } catch ( Exception e) { // TimeoutException may be raised by actionGet(), but we cannot catch that one. @@ -150,7 +162,7 @@ public class IndexStateManagement extends Index { } log.warn("Operation to create the index [{}] timed out. Retrying...", index); this.retry_index_creation = false; - this.indexUtils.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); + this.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); this.createIndex(index); } } diff --git a/plugins/setup/src/main/java/com/wazuh/setup/index/StreamIndex.java b/plugins/setup/src/main/java/com/wazuh/setup/index/StreamIndex.java index 9283f8f0..45680bf1 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/index/StreamIndex.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/index/StreamIndex.java @@ -19,9 +19,8 @@ package com.wazuh.setup.index; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.opensearch.ResourceAlreadyExistsException; -import org.opensearch.action.admin.indices.alias.Alias; -import org.opensearch.action.admin.indices.create.CreateIndexRequest; -import org.opensearch.action.admin.indices.create.CreateIndexResponse; +import org.opensearch.action.admin.indices.datastream.CreateDataStreamAction; +import org.opensearch.action.support.clustermanager.AcknowledgedResponse; import com.wazuh.setup.settings.PluginSettings; @@ -32,58 +31,58 @@ import com.wazuh.setup.settings.PluginSettings; public class StreamIndex extends WazuhIndex { private static final Logger log = LogManager.getLogger(StreamIndex.class); - private final String alias; - /** * Constructor. * * @param index index name. * @param template index template name. - * @param alias index alias name for advanced management such as automatic rollover. */ - public StreamIndex(String index, String template, String alias) { + public StreamIndex(String index, String template) { super(index, template); - this.alias = alias; } /** - * Overrides {@link Index#createIndex(String)} to include the {@link #alias} to the index creation - * request. + * Overrides {@link Index#createIndex(String)} to create a Data Stream instead. * - * @param index Name of the index to create. - * @see Alias + * @param index Name of the data stream to create. */ @Override public void createIndex(String index) { try { - if (!this.indexExists(index)) { - CreateIndexRequest request = - new CreateIndexRequest(index).alias(new Alias(this.alias).writeIndex(true)); - CreateIndexResponse createIndexResponse = - this.client - .admin() - .indices() - .create(request) - .actionGet(PluginSettings.getTimeout(this.clusterService.getSettings())); - log.info( - "Index created successfully: {} {}", - createIndexResponse.index(), - createIndexResponse.isAcknowledged()); - } + this.createDataStream(index); } catch (ResourceAlreadyExistsException e) { - log.info("Index {} already exists. Skipping.", index); - } catch ( - Exception - e) { // TimeoutException may be raised by actionGet(), but we cannot catch that one. - // Exit condition. Re-attempt to create the index also failed. Original exception is rethrown. + log.info("Data stream {} already exists. Skipping.", index); + } catch (Exception e) { + // TimeoutException may be raised by actionGet(), but we cannot catch that one. + // Exit condition. Re-attempt to create the data stream also failed. Original exception is + // rethrown. if (!this.retry_index_creation) { - log.error("Initialization of index [{}] finally failed. The node will shut down.", index); + log.error( + "Initialization of data stream [{}] finally failed. The node will shut down.", index); throw e; } - log.warn("Operation to create the index [{}] timed out. Retrying...", index); + log.warn("Operation to create the data stream [{}] timed out. Retrying...", index); this.retry_index_creation = false; - this.indexUtils.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); + this.sleep(PluginSettings.getBackoff(this.clusterService.getSettings())); this.createIndex(index); } } + + /** + * Creates a Data Stream. + * + * @param name name of the data stream to create. + */ + public void createDataStream(String name) { + CreateDataStreamAction.Request request = new CreateDataStreamAction.Request(name); + + AcknowledgedResponse response = + this.client + .admin() + .indices() + .createDataStream(request) + .actionGet(PluginSettings.getTimeout(this.clusterService.getSettings())); + + log.info("Data Stream created successfully: {} {}", name, response.isAcknowledged()); + } } diff --git a/plugins/setup/src/main/java/com/wazuh/setup/model/IndexTemplate.java b/plugins/setup/src/main/java/com/wazuh/setup/model/IndexTemplate.java new file mode 100644 index 00000000..3bd5ecd4 --- /dev/null +++ b/plugins/setup/src/main/java/com/wazuh/setup/model/IndexTemplate.java @@ -0,0 +1,123 @@ +/* + * Copyright (C) 2024, Wazuh Inc. + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU Affero General Public License as + * published by the Free Software Foundation, either version 3 of the + * License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Affero General Public License for more details. + * + * You should have received a copy of the GNU Affero General Public License + * along with this program. If not, see . + */ +package com.wazuh.setup.model; + +import com.fasterxml.jackson.annotation.JsonProperty; + +import org.opensearch.cluster.metadata.ComposableIndexTemplate; +import org.opensearch.cluster.metadata.Template; +import org.opensearch.common.compress.CompressedXContent; +import org.opensearch.common.settings.Settings; + +import java.util.List; +import java.util.Map; + +/** + * Index Template Data Transfer Object. + * + *

Fill-in values automatically using Jackson Databind. + */ +public class IndexTemplate { + + /** Default constructor */ + public IndexTemplate() {} + + @JsonProperty("index_patterns") + private List indexPatterns; + + private long priority; + private Map settings; + private Map mappings; + + @JsonProperty("data_stream") + private Map dataStream; + + @SuppressWarnings("unchecked") + @JsonProperty("template") + private void unpackNested(Map template) { + this.settings = (Map) template.get("settings"); + this.mappings = (Map) template.get("mappings"); + } + + /** + * Index pattern getter. + * + * @return returns the list of index patters this index template applies to, or null. + */ + public List getIndexPatterns() { + return this.indexPatterns; + } + + /** + * Index template priority getter. + * + * @return returns the priority of the index template, or null. + */ + public long getPriority() { + return this.priority; + } + + /** + * Index settings getter. + * + * @return returns the index settings to apply to indices matching the index pattern, or null. + */ + public Map getSettings() { + return this.settings; + } + + /** + * Index mappings getter. + * + * @return returns the index mappings for the indices matching the index pattern, or null. + */ + public Map getMappings() { + return this.mappings; + } + + /** + * Data Stream getter. + * + * @return returns the "data_stream" property of the index template, or null. + */ + public Map getDataStream() { + return this.dataStream; + } + + /** + * Builds up a ComposableIndexTemplate resulting from the properties of the index template. + * + * @param settings index template settings as a string. + * @param compressedMapping index template mappings a CompressedXContent instance. + * @return instance of ComposableIndexTemplate. + */ + public ComposableIndexTemplate getComposableIndexTemplate( + Settings settings, CompressedXContent compressedMapping) { + ComposableIndexTemplate.DataStreamTemplate dataStreamTemplate = + this.getDataStream() != null ? new ComposableIndexTemplate.DataStreamTemplate() : null; + + // Create the composable template + return new ComposableIndexTemplate( + this.getIndexPatterns(), + new Template(settings, compressedMapping, null), + null, + this.getPriority(), + null, + null, + dataStreamTemplate); + } +} diff --git a/plugins/setup/src/main/java/com/wazuh/setup/utils/IndexUtils.java b/plugins/setup/src/main/java/com/wazuh/setup/utils/JsonUtils.java similarity index 53% rename from plugins/setup/src/main/java/com/wazuh/setup/utils/IndexUtils.java rename to plugins/setup/src/main/java/com/wazuh/setup/utils/JsonUtils.java index c322bb61..56d4144a 100644 --- a/plugins/setup/src/main/java/com/wazuh/setup/utils/IndexUtils.java +++ b/plugins/setup/src/main/java/com/wazuh/setup/utils/JsonUtils.java @@ -27,35 +27,24 @@ import java.util.Map; import reactor.util.annotation.NonNull; -/** Util functions to parse and manage index templates files. */ -public class IndexUtils { +/** Util functions to parse and manage JSON files. */ +public class JsonUtils { /** Default constructor */ - public IndexUtils() {} + public JsonUtils() {} /** - * Read index template file from the resources folder and returns its JSON content as a map. + * Read JSON file from the resources folder and returns its JSON content as a map. * - * @param filename name of the index template to read from the resources folder - * @return the JSON index template as a map + * @param filename name of the JSON file to read from the resources folder + * @return the JSON file as a map * @throws IOException file not found or could not be read + * @deprecated Use jackson's ObjectMapper instead. */ + @Deprecated public Map fromFile(@NonNull String filename) throws IOException { - InputStream is = IndexUtils.class.getClassLoader().getResourceAsStream(filename); - return this.toMap(is); - } + InputStream is = JsonUtils.class.getClassLoader().getResourceAsStream(filename); - /** - * Convert from a JSON InputStream into a String, Object map. - * - *

Used to convert the JSON index templates to the required format. - * - * @param is: the JSON formatted InputStream - * @return a map with the json string contents. - * @throws IOException thrown by {@link JsonXContent#createParser(NamedXContentRegistry, - * DeprecationHandler, InputStream)} - */ - public Map toMap(InputStream is) throws IOException { XContentParser parser = JsonXContent.jsonXContent.createParser( NamedXContentRegistry.EMPTY, DeprecationHandler.THROW_UNSUPPORTED_OPERATION, is); @@ -64,29 +53,14 @@ public class IndexUtils { } /** - * Cast map's element to a String, Object map. + * Return JSON node by key. * - *

Used to retrieve the settings and mappings from the index templates, which are a JSON object - * themselves. - * - * @param map the index template as a map. + * @param map the parent JSON node where the key to retrieve is. * @param key the element's key to retrieve and cast. * @return a String, Object map */ + @SuppressWarnings("unchecked") public Map get(Map map, String key) { return (Map) map.get(key); } - - /** - * Utility method to wrap up the call to {@link Thread#sleep(long)} on a try-catch block. - * - * @param millis sleep interval in milliseconds. - */ - public void sleep(long millis) { - try { - Thread.sleep(millis); - } catch (InterruptedException ex) { - throw new RuntimeException(ex); - } - } } diff --git a/plugins/setup/src/main/resources/templates/ism-config.json b/plugins/setup/src/main/resources/templates/ism-config.json index 6ba493fb..0b3224e8 100644 --- a/plugins/setup/src/main/resources/templates/ism-config.json +++ b/plugins/setup/src/main/resources/templates/ism-config.json @@ -2,451 +2,462 @@ "index_patterns": [ ".opendistro-ism-config" ], - "mappings": { - "dynamic": "strict", - "properties": { - "policy": { - "properties": { - "policy_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "refresh_interval": "5s", + "hidden": true + } + }, + "mappings": { + "dynamic": "strict", + "properties": { + "policy": { + "properties": { + "policy_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "description": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "description": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "schema_version": { - "type": "long" - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "error_notification": { - "properties": { - "destination": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "schema_version": { + "type": "long" + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "error_notification": { + "properties": { + "destination": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "type": { - "type": "keyword" - }, - "last_update_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "chime": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "type": { + "type": "keyword" + }, + "last_update_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "chime": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } } } - } - }, - "slack": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "slack": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } } } - } - }, - "custom_webhook": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "custom_webhook": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } + }, + "scheme": { + "type": "keyword" + }, + "host": { + "type": "text" + }, + "port": { + "type": "integer" + }, + "path": { + "type": "keyword" + }, + "query_params": { + "type": "object", + "enabled": false + }, + "header_params": { + "type": "object", + "enabled": false + }, + "username": { + "type": "text" + }, + "password": { + "type": "text" } - }, - "scheme": { - "type": "keyword" - }, - "host": { - "type": "text" - }, - "port": { - "type": "integer" - }, - "path": { - "type": "keyword" - }, - "query_params": { - "type": "object", - "enabled": false - }, - "header_params": { - "type": "object", - "enabled": false - }, - "username": { - "type": "text" - }, - "password": { - "type": "text" } } } - } - }, - "channel": { - "properties": { - "id": { - "type": "keyword" + }, + "channel": { + "properties": { + "id": { + "type": "keyword" + } } + }, + "message_template": { + "type": "object", + "enabled": false } - }, - "message_template": { - "type": "object", - "enabled": false } - } - }, - "default_state": { - "type": "keyword" - }, - "states": { - "type": "nested", - "properties": { - "name": { - "type": "keyword" - }, - "actions": { - "type": "nested", - "properties": { - "timeout": { - "type": "keyword" - }, - "retry": { - "properties": { - "count": { - "type": "integer" - }, - "backoff": { - "type": "keyword" - }, - "delay": { - "type": "keyword" + }, + "default_state": { + "type": "keyword" + }, + "states": { + "type": "nested", + "properties": { + "name": { + "type": "keyword" + }, + "actions": { + "type": "nested", + "properties": { + "timeout": { + "type": "keyword" + }, + "retry": { + "properties": { + "count": { + "type": "integer" + }, + "backoff": { + "type": "keyword" + }, + "delay": { + "type": "keyword" + } } - } - }, - "alias": { - "properties": { - "actions": { - "type": "object", - "enabled": false + }, + "alias": { + "properties": { + "actions": { + "type": "object", + "enabled": false + } } - } - }, - "delete": { - "type": "object" - }, - "force_merge": { - "properties": { - "max_num_segments": { - "type": "integer" + }, + "delete": { + "type": "object" + }, + "force_merge": { + "properties": { + "max_num_segments": { + "type": "integer" + } } - } - }, - "read_only": { - "type": "object" - }, - "read_write": { - "type": "object" - }, - "replica_count": { - "properties": { - "number_of_replicas": { - "type": "integer" + }, + "read_only": { + "type": "object" + }, + "read_write": { + "type": "object" + }, + "replica_count": { + "properties": { + "number_of_replicas": { + "type": "integer" + } } - } - }, - "index_priority": { - "properties": { - "priority": { - "type": "integer" + }, + "index_priority": { + "properties": { + "priority": { + "type": "integer" + } } - } - }, - "close": { - "type": "object" - }, - "open": { - "type": "object" - }, - "snapshot": { - "properties": { - "repository": { - "type": "keyword" - }, - "snapshot": { - "type": "keyword" - }, - "include_global_state": { - "type": "boolean" + }, + "close": { + "type": "object" + }, + "open": { + "type": "object" + }, + "snapshot": { + "properties": { + "repository": { + "type": "keyword" + }, + "snapshot": { + "type": "keyword" + }, + "include_global_state": { + "type": "boolean" + } } - } - }, - "rollover": { - "properties": { - "min_size": { - "type": "keyword" - }, - "min_index_age": { - "type": "keyword" - }, - "min_doc_count": { - "type": "keyword" - }, - "min_primary_shard_size": { - "type": "keyword" - }, - "copy_alias": { - "type": "boolean" + }, + "rollover": { + "properties": { + "min_size": { + "type": "keyword" + }, + "min_index_age": { + "type": "keyword" + }, + "min_doc_count": { + "type": "keyword" + }, + "min_primary_shard_size": { + "type": "keyword" + }, + "copy_alias": { + "type": "boolean" + } } - } - }, - "notification": { - "properties": { - "destination": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "notification": { + "properties": { + "destination": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "type": { - "type": "keyword" - }, - "last_update_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "chime": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "type": { + "type": "keyword" + }, + "last_update_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "chime": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } } } - } - }, - "slack": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "slack": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } } } - } - }, - "custom_webhook": { - "properties": { - "url": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "custom_webhook": { + "properties": { + "url": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } + }, + "scheme": { + "type": "keyword" + }, + "host": { + "type": "text" + }, + "port": { + "type": "integer" + }, + "path": { + "type": "keyword" + }, + "query_params": { + "type": "object", + "enabled": false + }, + "header_params": { + "type": "object", + "enabled": false + }, + "username": { + "type": "text" + }, + "password": { + "type": "text" } - }, - "scheme": { - "type": "keyword" - }, - "host": { - "type": "text" - }, - "port": { - "type": "integer" - }, - "path": { - "type": "keyword" - }, - "query_params": { - "type": "object", - "enabled": false - }, - "header_params": { - "type": "object", - "enabled": false - }, - "username": { - "type": "text" - }, - "password": { - "type": "text" } } } - } - }, - "channel": { - "properties": { - "id": { - "type": "keyword" + }, + "channel": { + "properties": { + "id": { + "type": "keyword" + } } + }, + "message_template": { + "type": "object", + "enabled": false } - }, - "message_template": { - "type": "object", - "enabled": false } - } - }, - "allocation": { - "properties": { - "require": { - "type": "object", - "enabled": false - }, - "include": { - "type": "object", - "enabled": false - }, - "exclude": { - "type": "object", - "enabled": false - }, - "wait_for": { - "type": "boolean" + }, + "allocation": { + "properties": { + "require": { + "type": "object", + "enabled": false + }, + "include": { + "type": "object", + "enabled": false + }, + "exclude": { + "type": "object", + "enabled": false + }, + "wait_for": { + "type": "boolean" + } } - } - }, - "rollup": { - "properties": { - "ism_rollup": { - "properties": { - "description": { - "type": "text" - }, - "target_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "rollup": { + "properties": { + "ism_rollup": { + "properties": { + "description": { + "type": "text" + }, + "target_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "page_size": { - "type": "long" - }, - "dimensions": { - "type": "nested", - "properties": { - "date_histogram": { - "properties": { - "fixed_interval": { - "type": "keyword" - }, - "calendar_interval": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" + }, + "page_size": { + "type": "long" + }, + "dimensions": { + "type": "nested", + "properties": { + "date_histogram": { + "properties": { + "fixed_interval": { + "type": "keyword" + }, + "calendar_interval": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + } } - } - }, - "terms": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" + }, + "terms": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + } } - } - }, - "histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "interval": { - "type": "double" + }, + "histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "interval": { + "type": "double" + } } } } - } - }, - "metrics": { - "type": "nested", - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "metrics": { - "type": "nested", - "properties": { - "avg": { - "type": "object" - }, - "sum": { - "type": "object" - }, - "max": { - "type": "object" - }, - "min": { - "type": "object" - }, - "value_count": { - "type": "object" + }, + "metrics": { + "type": "nested", + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "metrics": { + "type": "nested", + "properties": { + "avg": { + "type": "object" + }, + "sum": { + "type": "object" + }, + "max": { + "type": "object" + }, + "min": { + "type": "object" + }, + "value_count": { + "type": "object" + } } } } @@ -454,1243 +465,1243 @@ } } } - } - }, - "transform": { - "properties": { - "ism_transform": { - "properties": { - "description": { - "type": "text" - }, - "target_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "transform": { + "properties": { + "ism_transform": { + "properties": { + "description": { + "type": "text" + }, + "target_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "page_size": { - "type": "long" - }, - "data_selection_query": { - "type": "object", - "enabled": false - }, - "groups": { - "properties": { - "date_histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "fixed_interval": { - "type": "keyword" - }, - "calendar_interval": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" + }, + "page_size": { + "type": "long" + }, + "data_selection_query": { + "type": "object", + "enabled": false + }, + "groups": { + "properties": { + "date_histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "fixed_interval": { + "type": "keyword" + }, + "calendar_interval": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } } - } - }, - "terms": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" + }, + "terms": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + } } - } - }, - "histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "interval": { - "type": "double" + }, + "histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "interval": { + "type": "double" + } } } } + }, + "aggregations": { + "type": "object", + "enabled": false } - }, - "aggregations": { - "type": "object", - "enabled": false } } } - } - }, - "shrink": { - "properties": { - "num_new_shards": { - "type": "integer" - }, - "max_shard_size": { - "type": "keyword" - }, - "percentage_of_source_shards": { - "type": "double" - }, - "target_index_name_template": { - "type": "object", - "enabled": false - }, - "aliases": { - "type": "object", - "enabled": false - }, - "switch_aliases": { - "type": "boolean" - }, - "force_unsafe": { - "type": "boolean" + }, + "shrink": { + "properties": { + "num_new_shards": { + "type": "integer" + }, + "max_shard_size": { + "type": "keyword" + }, + "percentage_of_source_shards": { + "type": "double" + }, + "target_index_name_template": { + "type": "object", + "enabled": false + }, + "aliases": { + "type": "object", + "enabled": false + }, + "switch_aliases": { + "type": "boolean" + }, + "force_unsafe": { + "type": "boolean" + } } + }, + "custom": { + "enabled": false, + "type": "object" } - }, - "custom": { - "enabled": false, - "type": "object" } - } - }, - "transitions": { - "type": "nested", - "properties": { - "state_name": { - "type": "keyword" - }, - "conditions": { - "type": "object", - "enabled": false + }, + "transitions": { + "type": "nested", + "properties": { + "state_name": { + "type": "keyword" + }, + "conditions": { + "type": "object", + "enabled": false + } } } } - } - }, - "ism_template": { - "properties": { - "index_patterns": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" + }, + "ism_template": { + "properties": { + "index_patterns": { + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + } } - } - }, - "user": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "backend_roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "custom_attribute_names": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } } } } } - } - }, - "managed_index": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "managed_index": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "enabled": { - "type": "boolean" - }, - "enabled_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "index": { - "type": "keyword" - }, - "index_uuid": { - "type": "keyword" - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "policy_seq_no": { - "type": "long" - }, - "policy_primary_term": { - "type": "long" - }, - "policy_id": { - "type": "keyword" - }, - "policy": { - "type": "object", - "enabled": false - }, - "change_policy": { - "properties": { - "policy_id": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "is_safe": { - "type": "boolean" - }, - "user": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "enabled": { + "type": "boolean" + }, + "enabled_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "index": { + "type": "keyword" + }, + "index_uuid": { + "type": "keyword" + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "policy_seq_no": { + "type": "long" + }, + "policy_primary_term": { + "type": "long" + }, + "policy_id": { + "type": "keyword" + }, + "policy": { + "type": "object", + "enabled": false + }, + "change_policy": { + "properties": { + "policy_id": { + "type": "keyword" + }, + "state": { + "type": "keyword" + }, + "is_safe": { + "type": "boolean" + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "backend_roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "custom_attribute_names": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } } } } } - } - }, - "schedule": { - "properties": { - "interval": { - "properties": { - "period": { - "type": "integer" - }, - "unit": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schedule_delay": { - "type": "long" + }, + "schedule": { + "properties": { + "interval": { + "properties": { + "period": { + "type": "integer" + }, + "unit": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schedule_delay": { + "type": "long" + } } - } - }, - "cron": { - "properties": { - "expression": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "schedule_delay": { - "type": "long" + }, + "cron": { + "properties": { + "expression": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "schedule_delay": { + "type": "long" + } } } } + }, + "jitter": { + "type": "double" } - }, - "jitter": { - "type": "double" } - } - }, - "managed_index_metadata": { - "properties": { - "index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "index_uuid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "policy_seq_no": { - "type": "long" - }, - "policy_primary_term": { - "type": "long" - }, - "policy_completed": { - "type": "boolean" - }, - "rolled_over": { - "type": "boolean" - }, - "rolled_over_index_name": { - "type": "keyword" - }, - "index_creation_date": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "transition_to": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "state": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } + }, + "managed_index_metadata": { + "properties": { + "index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" } - } - }, - "action": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } + }, + "index_uuid": { + "type": "keyword" + }, + "policy_id": { + "type": "keyword" + }, + "policy_seq_no": { + "type": "long" + }, + "policy_primary_term": { + "type": "long" + }, + "policy_completed": { + "type": "boolean" + }, + "rolled_over": { + "type": "boolean" + }, + "rolled_over_index_name": { + "type": "keyword" + }, + "index_creation_date": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "transition_to": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "index": { - "type": "integer" - }, - "failed": { - "type": "boolean" - }, - "consumed_retries": { - "type": "integer" - }, - "last_retry_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "action_properties": { - "properties": { - "max_num_segments": { - "type": "integer" - }, - "snapshot_name": { - "type": "keyword" - }, - "rollup_id": { - "type": "keyword" - }, - "has_rollup_failed": { - "type": "boolean" - }, - "shrink_action_properties": { - "type": "object", - "enabled": false - }, - "transform_action_properties": { - "type": "object", - "enabled": false + } + }, + "state": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + } + } + }, + "action": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "index": { + "type": "integer" + }, + "failed": { + "type": "boolean" + }, + "consumed_retries": { + "type": "integer" + }, + "last_retry_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "action_properties": { + "properties": { + "max_num_segments": { + "type": "integer" + }, + "snapshot_name": { + "type": "keyword" + }, + "rollup_id": { + "type": "keyword" + }, + "has_rollup_failed": { + "type": "boolean" + }, + "shrink_action_properties": { + "type": "object", + "enabled": false + }, + "transform_action_properties": { + "type": "object", + "enabled": false + } } } } - } - }, - "step": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "step": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "step_status": { + "type": "keyword" } - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "step_status": { - "type": "keyword" } - } - }, - "retry_info": { - "properties": { - "failed": { - "type": "boolean" - }, - "consumed_retries": { - "type": "integer" + }, + "retry_info": { + "properties": { + "failed": { + "type": "boolean" + }, + "consumed_retries": { + "type": "integer" + } } + }, + "info": { + "type": "object", + "enabled": false } - }, - "info": { - "type": "object", - "enabled": false } - } - }, - "rollup": { - "properties": { - "rollup_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "enabled": { - "type": "boolean" - }, - "enabled_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schema_version": { - "type": "long" - }, - "schedule": { - "properties": { - "interval": { - "properties": { - "period": { - "type": "integer" - }, - "unit": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schedule_delay": { - "type": "long" - } + }, + "rollup": { + "properties": { + "rollup_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } - }, - "cron": { - "properties": { - "expression": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "schedule_delay": { - "type": "long" + } + }, + "enabled": { + "type": "boolean" + }, + "enabled_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schema_version": { + "type": "long" + }, + "schedule": { + "properties": { + "interval": { + "properties": { + "period": { + "type": "integer" + }, + "unit": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schedule_delay": { + "type": "long" + } + } + }, + "cron": { + "properties": { + "expression": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "schedule_delay": { + "type": "long" + } } } } - } - }, - "description": { - "type": "text" - }, - "source_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "target_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "page_size": { - "type": "long" - }, - "metadata_id": { - "type": "keyword" - }, - "delay": { - "type": "long" - }, - "continuous": { - "type": "boolean" - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "dimensions": { - "properties": { - "date_histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "fixed_interval": { - "type": "keyword" - }, - "calendar_interval": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - } + }, + "description": { + "type": "text" + }, + "source_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } - }, - "terms": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - } + } + }, + "target_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } - }, - "histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "interval": { - "type": "double" + } + }, + "page_size": { + "type": "long" + }, + "metadata_id": { + "type": "keyword" + }, + "delay": { + "type": "long" + }, + "continuous": { + "type": "boolean" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "dimensions": { + "properties": { + "date_histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "fixed_interval": { + "type": "keyword" + }, + "calendar_interval": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + } + } + }, + "terms": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + } + } + }, + "histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "interval": { + "type": "double" + } } } } - } - }, - "metrics": { - "type": "nested", - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "metrics": { - "type": "nested", - "properties": { - "avg": { - "type": "object" - }, - "max": { - "type": "object" - }, - "min": { - "type": "object" - }, - "sum": { - "type": "object" - }, - "value_count": { - "type": "object" + }, + "metrics": { + "type": "nested", + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "metrics": { + "type": "nested", + "properties": { + "avg": { + "type": "object" + }, + "max": { + "type": "object" + }, + "min": { + "type": "object" + }, + "sum": { + "type": "object" + }, + "value_count": { + "type": "object" + } } } } - } - }, - "user": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "backend_roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "custom_attribute_names": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } } } } } - } - }, - "rollup_metadata": { - "properties": { - "rollup_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "rollup_metadata": { + "properties": { + "rollup_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "after_key": { - "type": "object", - "enabled": false - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "continuous": { - "properties": { - "next_window_start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "next_window_end_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" + }, + "after_key": { + "type": "object", + "enabled": false + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "continuous": { + "properties": { + "next_window_start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "next_window_end_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + } } + }, + "status": { + "type": "keyword" + }, + "failure_reason": { + "type": "text" + }, + "stats": { + "type": "object", + "enabled": false } - }, - "status": { - "type": "keyword" - }, - "failure_reason": { - "type": "text" - }, - "stats": { - "type": "object", - "enabled": false } - } - }, - "transform": { - "properties": { - "transform_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "enabled": { - "type": "boolean" - }, - "enabled_at": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "updated_at": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schema_version": { - "type": "long" - }, - "schedule": { - "properties": { - "interval": { - "properties": { - "period": { - "type": "integer" - }, - "unit": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schedule_delay": { - "type": "long" - } - } - }, - "cron": { - "properties": { - "expression": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "schedule_delay": { - "type": "long" - } + }, + "transform": { + "properties": { + "transform_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 } } - } - }, - "description": { - "type": "text" - }, - "source_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "target_index": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "page_size": { - "type": "long" - }, - "metadata_id": { - "type": "keyword" - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "groups": { - "properties": { - "date_histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "fixed_interval": { - "type": "keyword" - }, - "calendar_interval": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "format": { - "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "enabled_at": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "updated_at": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schema_version": { + "type": "long" + }, + "schedule": { + "properties": { + "interval": { + "properties": { + "period": { + "type": "integer" + }, + "unit": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schedule_delay": { + "type": "long" + } } - } - }, - "terms": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - } - } - }, - "histogram": { - "properties": { - "source_field": { - "type": "keyword" - }, - "target_field": { - "type": "keyword" - }, - "interval": { - "type": "double" - } - } - } - } - }, - "aggregations": { - "type": "object", - "enabled": false - }, - "data_selection_query": { - "type": "object", - "enabled": false - }, - "user": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "backend_roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" - } - } - }, - "custom_attribute_names": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" - } - } - } - } - }, - "continuous": { - "type": "boolean" - } - } - }, - "transform_metadata": { - "properties": { - "transform_id": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 - } - } - }, - "after_key": { - "type": "object", - "enabled": false - }, - "last_updated_at": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "status": { - "type": "keyword" - }, - "failure_reason": { - "type": "text" - }, - "stats": { - "type": "object", - "enabled": false - }, - "continuous_stats": { - "type": "object", - "enabled": false - }, - "shard_id_to_global_checkpoint": { - "type": "object", - "enabled": false - } - } - }, - "sm_policy": { - "properties": { - "name": { - "type": "keyword" - }, - "description": { - "type": "text" - }, - "schema_version": { - "type": "long" - }, - "creation": { - "properties": { - "schedule": { - "properties": { - "cron": { - "properties": { - "expression": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "schedule_delay": { - "type": "long" - } + }, + "cron": { + "properties": { + "expression": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "schedule_delay": { + "type": "long" } } } - }, - "time_limit": { - "type": "keyword" } - } - }, - "deletion": { - "properties": { - "schedule": { - "properties": { - "cron": { - "properties": { - "expression": { - "type": "keyword" - }, - "timezone": { - "type": "keyword" - }, - "schedule_delay": { - "type": "long" - } + }, + "description": { + "type": "text" + }, + "source_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "target_index": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "page_size": { + "type": "long" + }, + "metadata_id": { + "type": "keyword" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "groups": { + "properties": { + "date_histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "fixed_interval": { + "type": "keyword" + }, + "calendar_interval": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "format": { + "type": "keyword" + } + } + }, + "terms": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + } + } + }, + "histogram": { + "properties": { + "source_field": { + "type": "keyword" + }, + "target_field": { + "type": "keyword" + }, + "interval": { + "type": "double" } } } - }, - "time_limit": { - "type": "keyword" - }, - "condition": { - "properties": { - "max_count": { - "type": "integer" - }, - "max_age": { - "type": "keyword" - }, - "min_count": { - "type": "integer" + } + }, + "aggregations": { + "type": "object", + "enabled": false + }, + "data_selection_query": { + "type": "object", + "enabled": false + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } } } + }, + "continuous": { + "type": "boolean" } - }, - "snapshot_config": { - "type": "object", - "enabled": false - }, - "enabled": { - "type": "boolean" - }, - "enabled_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "last_updated_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schedule": { - "properties": { - "interval": { - "properties": { - "period": { - "type": "integer" - }, - "unit": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "schedule_delay": { - "type": "long" + } + }, + "transform_metadata": { + "properties": { + "transform_id": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } + } + }, + "after_key": { + "type": "object", + "enabled": false + }, + "last_updated_at": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "status": { + "type": "keyword" + }, + "failure_reason": { + "type": "text" + }, + "stats": { + "type": "object", + "enabled": false + }, + "continuous_stats": { + "type": "object", + "enabled": false + }, + "shard_id_to_global_checkpoint": { + "type": "object", + "enabled": false + } + } + }, + "sm_policy": { + "properties": { + "name": { + "type": "keyword" + }, + "description": { + "type": "text" + }, + "schema_version": { + "type": "long" + }, + "creation": { + "properties": { + "schedule": { + "properties": { + "cron": { + "properties": { + "expression": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "schedule_delay": { + "type": "long" + } + } + } + } + }, + "time_limit": { + "type": "keyword" + } + } + }, + "deletion": { + "properties": { + "schedule": { + "properties": { + "cron": { + "properties": { + "expression": { + "type": "keyword" + }, + "timezone": { + "type": "keyword" + }, + "schedule_delay": { + "type": "long" + } + } + } + } + }, + "time_limit": { + "type": "keyword" + }, + "condition": { + "properties": { + "max_count": { + "type": "integer" + }, + "max_age": { + "type": "keyword" + }, + "min_count": { + "type": "integer" + } } } } - } - }, - "notification": { - "properties": { - "channel": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "conditions": { - "properties": { - "creation": { - "type": "boolean" - }, - "deletion": { - "type": "boolean" - }, - "failure": { - "type": "boolean" - }, - "time_limit_exceeded": { - "type": "boolean" + }, + "snapshot_config": { + "type": "object", + "enabled": false + }, + "enabled": { + "type": "boolean" + }, + "enabled_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "last_updated_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schedule": { + "properties": { + "interval": { + "properties": { + "period": { + "type": "integer" + }, + "unit": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "schedule_delay": { + "type": "long" + } } } } - } - }, - "user": { - "properties": { - "name": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword", - "ignore_above": 256 + }, + "notification": { + "properties": { + "channel": { + "properties": { + "id": { + "type": "keyword" + } + } + }, + "conditions": { + "properties": { + "creation": { + "type": "boolean" + }, + "deletion": { + "type": "boolean" + }, + "failure": { + "type": "boolean" + }, + "time_limit_exceeded": { + "type": "boolean" + } } } - }, - "backend_roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + } + }, + "user": { + "properties": { + "name": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword", + "ignore_above": 256 + } } - } - }, - "roles": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "backend_roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } - } - }, - "custom_attribute_names": { - "type": "text", - "fields": { - "keyword": { - "type": "keyword" + }, + "roles": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } + } + }, + "custom_attribute_names": { + "type": "text", + "fields": { + "keyword": { + "type": "keyword" + } } } } } } - } - }, - "sm_metadata": { - "properties": { - "name": { - "type": "keyword" - }, - "policy_seq_no": { - "type": "long" - }, - "policy_primary_term": { - "type": "long" - }, - "current_state": { - "type": "keyword" - }, - "creation": { - "properties": { - "current_state": { - "type": "keyword" - }, - "trigger": { - "properties": { - "time": { - "type": "date", - "format": "strict_date_time||epoch_millis" + }, + "sm_metadata": { + "properties": { + "name": { + "type": "keyword" + }, + "policy_seq_no": { + "type": "long" + }, + "policy_primary_term": { + "type": "long" + }, + "current_state": { + "type": "keyword" + }, + "creation": { + "properties": { + "current_state": { + "type": "keyword" + }, + "trigger": { + "properties": { + "time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + } } - } - }, - "started": { - "type": "keyword" - }, - "latest_execution": { - "properties": { - "status": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "end_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "info": { - "properties": { - "message": { - "type": "text" - }, - "cause": { - "type": "text" + }, + "started": { + "type": "keyword" + }, + "latest_execution": { + "properties": { + "status": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "end_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "info": { + "properties": { + "message": { + "type": "text" + }, + "cause": { + "type": "text" + } } } } - } - }, - "retry": { - "properties": { - "count": { - "type": "integer" + }, + "retry": { + "properties": { + "count": { + "type": "integer" + } } } } - } - }, - "deletion": { - "properties": { - "current_state": { - "type": "keyword" - }, - "trigger": { - "properties": { - "time": { - "type": "date", - "format": "strict_date_time||epoch_millis" + }, + "deletion": { + "properties": { + "current_state": { + "type": "keyword" + }, + "trigger": { + "properties": { + "time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + } } - } - }, - "started": { - "type": "keyword" - }, - "latest_execution": { - "properties": { - "status": { - "type": "keyword" - }, - "start_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "end_time": { - "type": "date", - "format": "strict_date_time||epoch_millis" - }, - "info": { - "properties": { - "message": { - "type": "text" - }, - "cause": { - "type": "text" + }, + "started": { + "type": "keyword" + }, + "latest_execution": { + "properties": { + "status": { + "type": "keyword" + }, + "start_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "end_time": { + "type": "date", + "format": "strict_date_time||epoch_millis" + }, + "info": { + "properties": { + "message": { + "type": "text" + }, + "cause": { + "type": "text" + } } } } - } - }, - "retry": { - "properties": { - "count": { - "type": "integer" + }, + "retry": { + "properties": { + "count": { + "type": "integer" + } } } } @@ -1699,14 +1710,5 @@ } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "refresh_interval": "5s", - "hidden": true - } } } diff --git a/plugins/setup/src/main/resources/templates/monitoring.json b/plugins/setup/src/main/resources/templates/monitoring.json index 10602481..37a6e9a9 100644 --- a/plugins/setup/src/main/resources/templates/monitoring.json +++ b/plugins/setup/src/main/resources/templates/monitoring.json @@ -1,40 +1,42 @@ { - "order": 1, "index_patterns": [ "wazuh-monitoring*" ], - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "refresh_interval": "5s" - } - }, - "mappings": { - "properties": { - "timestamp": { - "type": "date", - "format": "date" - }, - "status": { - "type": "keyword" - }, - "ip": { - "type": "keyword" - }, - "host": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "refresh_interval": "5s" + } + }, + "mappings": { + "properties": { + "timestamp": { + "type": "date", + "format": "date" + }, + "status": { + "type": "keyword" + }, + "ip": { + "type": "keyword" + }, + "host": { + "type": "keyword" + }, + "name": { + "type": "keyword" + }, + "id": { + "type": "keyword" + }, + "cluster": { + "properties": { + "name": { + "type": "keyword" + } } } } diff --git a/plugins/setup/src/main/resources/templates/states/fim-files.json b/plugins/setup/src/main/resources/templates/states/fim-files.json index 300c2e9d..6a5ed125 100644 --- a/plugins/setup/src/main/resources/templates/states/fim-files.json +++ b/plugins/setup/src/main/resources/templates/states/fim-files.json @@ -2,219 +2,221 @@ "index_patterns": [ "wazuh-states-fim-files*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.groups ", + "agent.host.architecture ", + "agent.host.hostname ", + "agent.host.ip ", + "agent.host.os.name ", + "agent.host.os.platform ", + "agent.host.os.type ", + "agent.host.os.version ", + "agent.id ", + "agent.name ", + "agent.version ", + "checksum.hash.sha1", + "file.attributes", + "file.device", + "file.gid", + "file.group", + "file.hash.md5", + "file.hash.sha1", + "file.hash.sha256", + "file.inode", + "file.mtime", + "file.owner", + "file.path", + "file.path.fields.text", + "file.permissions", + "file.size", + "file.uid", + "state.document_version", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "file": { - "properties": { - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "permissions": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.groups ", - "agent.host.architecture ", - "agent.host.hostname ", - "agent.host.ip ", - "agent.host.os.name ", - "agent.host.os.platform ", - "agent.host.os.type ", - "agent.host.os.version ", - "agent.id ", - "agent.name ", - "agent.version ", - "checksum.hash.sha1", - "file.attributes", - "file.device", - "file.gid", - "file.group", - "file.hash.md5", - "file.hash.sha1", - "file.hash.sha256", - "file.inode", - "file.mtime", - "file.owner", - "file.path", - "file.path.fields.text", - "file.permissions", - "file.size", - "file.uid", - "state.document_version", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/fim-registry-keys.json b/plugins/setup/src/main/resources/templates/states/fim-registry-keys.json index 2a6324c7..331b882b 100644 --- a/plugins/setup/src/main/resources/templates/states/fim-registry-keys.json +++ b/plugins/setup/src/main/resources/templates/states/fim-registry-keys.json @@ -2,188 +2,190 @@ "index_patterns": [ "wazuh-states-fim-registry-keys*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "checksum.hash.sha1", + "registry.architecture", + "registry.gid", + "registry.group", + "registry.hive", + "registry.key", + "registry.mtime", + "registry.owner", + "registry.path", + "registry.permissions", + "registry.uid", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "permissions": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "checksum.hash.sha1", - "registry.architecture", - "registry.gid", - "registry.group", - "registry.hive", - "registry.key", - "registry.mtime", - "registry.owner", - "registry.path", - "registry.permissions", - "registry.uid", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/fim-registry-values.json b/plugins/setup/src/main/resources/templates/states/fim-registry-values.json index 842a316a..87b93dd2 100644 --- a/plugins/setup/src/main/resources/templates/states/fim-registry-values.json +++ b/plugins/setup/src/main/resources/templates/states/fim-registry-values.json @@ -2,196 +2,198 @@ "index_patterns": [ "wazuh-states-fim-registry-values*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "checksum.hash.sha1", + "registry.architecture", + "registry.data.hash.md5", + "registry.data.hash.sha1", + "registry.data.hash.sha256", + "registry.data.type", + "registry.hive", + "registry.key", + "registry.path", + "registry.size", + "registry.value", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "properties": { - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "properties": { + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "checksum.hash.sha1", - "registry.architecture", - "registry.data.hash.md5", - "registry.data.hash.sha1", - "registry.data.hash.sha256", - "registry.data.type", - "registry.hive", - "registry.key", - "registry.path", - "registry.size", - "registry.value", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-browser-extensions.json b/plugins/setup/src/main/resources/templates/states/inventory-browser-extensions.json index d8c53759..09751aca 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-browser-extensions.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-browser-extensions.json @@ -2,246 +2,248 @@ "index_patterns": [ "wazuh-states-inventory-browser-extensions*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "browser.name", + "user.id", + "package.name", + "package.id", + "package.version", + "package.vendor", + "package.type", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "browser": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "referenced": { - "type": "boolean" + }, + "browser": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "referenced": { + "type": "boolean" + } } } } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "file": { - "properties": { - "hash": { - "properties": { - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "hash": { + "properties": { + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "package": { - "properties": { - "autoupdate": { - "type": "boolean" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "type": "boolean" - }, - "from_webstore": { - "type": "boolean" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "permissions": { - "ignore_above": 1024, - "type": "keyword" - }, - "persistent": { - "type": "boolean" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "visible": { - "type": "boolean" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "package": { + "properties": { + "autoupdate": { + "type": "boolean" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "type": "boolean" + }, + "from_webstore": { + "type": "boolean" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "permissions": { + "ignore_above": 1024, + "type": "keyword" + }, + "persistent": { + "type": "boolean" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "visible": { + "type": "boolean" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "browser.name", - "user.id", - "package.name", - "package.id", - "package.version", - "package.vendor", - "package.type", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-groups.json b/plugins/setup/src/main/resources/templates/states/inventory-groups.json index fbf5853b..d86f828d 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-groups.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-groups.json @@ -2,159 +2,161 @@ "index_patterns": [ "wazuh-states-inventory-groups*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "group.name", + "group.description", + "group.id_signed", + "group.uuid", + "group.users", + "state.modified_at" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "group": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "type": "unsigned_long" - }, - "id_signed": { - "type": "long" - }, - "is_hidden": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "users": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "group": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "type": "unsigned_long" + }, + "id_signed": { + "type": "long" + }, + "is_hidden": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "users": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "group.name", - "group.description", - "group.id_signed", - "group.uuid", - "group.users", - "state.modified_at" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-hardware.json b/plugins/setup/src/main/resources/templates/states/inventory-hardware.json index 327dfc8d..704ee5cc 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-hardware.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-hardware.json @@ -2,175 +2,177 @@ "index_patterns": [ "wazuh-states-inventory-hardware*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "agent.host.ip", + "host.serial_number", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "host": { - "properties": { - "cpu": { - "properties": { - "cores": { - "type": "short" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" + }, + "host": { + "properties": { + "cpu": { + "properties": { + "cores": { + "type": "short" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + } } - } - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "usage": { - "scaling_factor": 100, - "type": "scaled_float" - }, - "used": { - "type": "long" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "usage": { + "scaling_factor": 100, + "type": "scaled_float" + }, + "used": { + "type": "long" + } } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "agent.host.ip", - "host.serial_number", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-hotfixes.json b/plugins/setup/src/main/resources/templates/states/inventory-hotfixes.json index e6fdc722..06e42f03 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-hotfixes.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-hotfixes.json @@ -2,148 +2,150 @@ "index_patterns": [ "wazuh-states-inventory-hotfixes*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "package.hotfix.name", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "package": { - "properties": { - "hotfix": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "package": { + "properties": { + "hotfix": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "package.hotfix.name", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-interfaces.json b/plugins/setup/src/main/resources/templates/states/inventory-interfaces.json index 4c477249..63381ef7 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-interfaces.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-interfaces.json @@ -2,202 +2,204 @@ "index_patterns": [ "wazuh-states-inventory-interfaces*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.id", + "agent.name", + "agent.version", + "agent.host.ip", + "host.mac", + "interface.name", + "interface.alias", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "host": { - "properties": { - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" + }, + "host": { + "properties": { + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + } } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + } } } } } } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.id", - "agent.name", - "agent.version", - "agent.host.ip", - "host.mac", - "interface.name", - "interface.alias", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-networks.json b/plugins/setup/src/main/resources/templates/states/inventory-networks.json index 795a93bb..4dc4a964 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-networks.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-networks.json @@ -2,166 +2,168 @@ "index_patterns": [ "wazuh-states-inventory-networks*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.id", + "agent.name", + "agent.version", + "agent.host.ip", + "interface.name", + "network.ip", + "network.name", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "interface": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "broadcast": { - "type": "ip" - }, - "dhcp": { - "type": "boolean" - }, - "ip": { - "type": "ip" - }, - "metric": { - "type": "long" - }, - "netmask": { - "type": "ip" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "interface": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "broadcast": { + "type": "ip" + }, + "dhcp": { + "type": "boolean" + }, + "ip": { + "type": "ip" + }, + "metric": { + "type": "long" + }, + "netmask": { + "type": "ip" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.id", - "agent.name", - "agent.version", - "agent.host.ip", - "interface.name", - "network.ip", - "network.name", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-packages.json b/plugins/setup/src/main/resources/templates/states/inventory-packages.json index e5103fab..a2637f37 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-packages.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-packages.json @@ -2,201 +2,203 @@ "index_patterns": [ "wazuh-states-inventory-packages*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "package.architecture", + "package.category", + "package.description", + "package.installed", + "package.multiarch", + "package.name", + "package.path", + "package.priority", + "package.size", + "package.source", + "package.type", + "package.vendor", + "package.version", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "multiarch": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "multiarch": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "package.architecture", - "package.category", - "package.description", - "package.installed", - "package.multiarch", - "package.name", - "package.path", - "package.priority", - "package.size", - "package.source", - "package.type", - "package.vendor", - "package.version", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-ports.json b/plugins/setup/src/main/resources/templates/states/inventory-ports.json index e9782f57..107f584e 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-ports.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-ports.json @@ -2,220 +2,222 @@ "index_patterns": [ "wazuh-states-inventory-ports*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "host.network.egress.queue", + "host.network.ingress.queue", + "file.inode", + "interface.state", + "network.transport", + "process.name", + "process.pid", + "source.ip", + "destination.ip", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "destination": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" + }, + "destination": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } } - } - }, - "file": { - "properties": { - "inode": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "inode": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "host": { - "properties": { - "network": { - "properties": { - "egress": { - "properties": { - "queue": { - "type": "long" + }, + "host": { + "properties": { + "network": { + "properties": { + "egress": { + "properties": { + "queue": { + "type": "long" + } } - } - }, - "ingress": { - "properties": { - "queue": { - "type": "long" + }, + "ingress": { + "properties": { + "queue": { + "type": "long" + } } } } } } - } - }, - "interface": { - "properties": { - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "transport": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - } - } - }, - "source": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "interface": { + "properties": { + "state": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "transport": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + } + } + }, + "source": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "host.network.egress.queue", - "host.network.ingress.queue", - "file.inode", - "interface.state", - "network.transport", - "process.name", - "process.pid", - "source.ip", - "destination.ip", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-processes.json b/plugins/setup/src/main/resources/templates/states/inventory-processes.json index 08488533..dcc977b2 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-processes.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-processes.json @@ -2,186 +2,188 @@ "index_patterns": [ "wazuh-states-inventory-processes*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "process.args", + "process.args_count", + "process.command_line", + "process.name", + "process.parent.pid", + "process.pid", + "process.start", + "process.state", + "process.stime", + "process.utime", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "pid": { - "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "pid": { + "type": "long" + } } + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stime": { + "type": "long" + }, + "utime": { + "type": "long" } - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "stime": { - "type": "long" - }, - "utime": { - "type": "long" } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "process.args", - "process.args_count", - "process.command_line", - "process.name", - "process.parent.pid", - "process.pid", - "process.start", - "process.state", - "process.stime", - "process.utime", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-protocols.json b/plugins/setup/src/main/resources/templates/states/inventory-protocols.json index d0f59d0d..390a922a 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-protocols.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-protocols.json @@ -2,161 +2,163 @@ "index_patterns": [ "wazuh-states-inventory-protocols*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "network.type", + "interface.name", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "interface": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "dhcp": { - "type": "boolean" - }, - "gateway": { - "type": "ip" - }, - "metric": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "interface": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "dhcp": { + "type": "boolean" + }, + "gateway": { + "type": "ip" + }, + "metric": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "network.type", - "interface.name", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-services.json b/plugins/setup/src/main/resources/templates/states/inventory-services.json index 8f46bd91..a2eb7513 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-services.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-services.json @@ -2,321 +2,323 @@ "index_patterns": [ "wazuh-states-inventory-services*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "service.name", + "service.id", + "service.description", + "service.enabled", + "service.restart", + "service.state", + "service.sub_state", + "service.type", + "service.start_type", + "process.executable", + "file.path", + "log.file.path", + "error.log.file.path", + "process.args", + "process.user.name", + "process.group.name", + "service.address", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "error": { - "properties": { - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" + }, + "error": { + "properties": { + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } - } - }, - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid": { - "type": "long" - }, - "root_directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid": { + "type": "long" + }, + "root_directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" } - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "integer" - }, - "following": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "inetd_compatibility": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "restart": { - "ignore_above": 1024, - "type": "keyword" - }, - "start_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "starts": { - "properties": { - "on_mount": { - "type": "boolean" - }, - "on_not_empty_directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "on_path_modified": { - "ignore_above": 1024, - "type": "keyword" + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "integer" + }, + "following": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "inetd_compatibility": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "restart": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "starts": { + "properties": { + "on_mount": { + "type": "boolean" + }, + "on_not_empty_directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "on_path_modified": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "win32_exit_code": { + "type": "integer" } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "win32_exit_code": { - "type": "integer" } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "service.name", - "service.id", - "service.description", - "service.enabled", - "service.restart", - "service.state", - "service.sub_state", - "service.type", - "service.start_type", - "process.executable", - "file.path", - "log.file.path", - "error.log.file.path", - "process.args", - "process.user.name", - "process.group.name", - "service.address", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-system.json b/plugins/setup/src/main/resources/templates/states/inventory-system.json index 3c47810f..494176db 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-system.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-system.json @@ -2,230 +2,232 @@ "index_patterns": [ "wazuh-states-inventory-system*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "host.architecture", + "host.hostname", + "host.os.build", + "host.os.codename", + "host.os.distribution.release", + "host.os.full", + "host.os.kernel.name", + "host.os.kernel.release", + "host.os.kernel.version", + "host.os.major", + "host.os.minor", + "host.os.name", + "host.os.patch", + "host.os.platform", + "host.os.type", + "host.os.version", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "build": { - "ignore_above": 1024, - "type": "keyword" - }, - "codename": { - "ignore_above": 1024, - "type": "keyword" - }, - "distribution": { - "properties": { - "release": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" } - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "release": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + } + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "build": { + "ignore_above": 1024, + "type": "keyword" + }, + "codename": { + "ignore_above": 1024, + "type": "keyword" + }, + "distribution": { + "properties": { + "release": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "release": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "patch": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "patch": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "host.architecture", - "host.hostname", - "host.os.build", - "host.os.codename", - "host.os.distribution.release", - "host.os.full", - "host.os.kernel.name", - "host.os.kernel.release", - "host.os.kernel.version", - "host.os.major", - "host.os.minor", - "host.os.name", - "host.os.patch", - "host.os.platform", - "host.os.type", - "host.os.version", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/inventory-users.json b/plugins/setup/src/main/resources/templates/states/inventory-users.json index 70ab3bc7..4cc10ad6 100644 --- a/plugins/setup/src/main/resources/templates/states/inventory-users.json +++ b/plugins/setup/src/main/resources/templates/states/inventory-users.json @@ -2,286 +2,288 @@ "index_patterns": [ "wazuh-states-inventory-users*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "user.id", + "user.name", + "user.home", + "user.type", + "user.created", + "user.groups", + "user.uuid", + "user.auth_failures.timestamp", + "user.auth_failures.count", + "user.group.id_signed", + "user.login.status", + "user.login.type", + "user.login.tty", + "user.password.status", + "user.password.last_change", + "user.password.expiration_date", + "user.roles", + "user.last_login", + "process.pid", + "host.ip", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "host": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "login": { - "properties": { - "status": { - "type": "boolean" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "user": { - "properties": { - "auth_failures": { - "properties": { - "count": { - "type": "integer" - }, - "timestamp": { - "type": "date" - } + }, + "host": { + "properties": { + "ip": { + "type": "ip" } - }, - "created": { - "type": "date" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "type": "unsigned_long" - }, - "id_signed": { - "type": "long" - } - } - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "home": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_hidden": { - "type": "boolean" - }, - "is_remote": { - "type": "boolean" - }, - "last_login": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "properties": { - "expiration_date": { - "type": "date" - }, - "hash_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "inactive_days": { - "type": "integer" - }, - "last_change": { - "type": "integer" - }, - "last_set_time": { - "type": "date" - }, - "max_days_between_changes": { - "type": "integer" - }, - "min_days_between_changes": { - "type": "integer" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "warning_days_before_expiration": { - "type": "integer" - } - } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "shell": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid_signed": { - "type": "long" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "login": { + "properties": { + "status": { + "type": "boolean" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + } + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "user": { + "properties": { + "auth_failures": { + "properties": { + "count": { + "type": "integer" + }, + "timestamp": { + "type": "date" + } + } + }, + "created": { + "type": "date" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "type": "unsigned_long" + }, + "id_signed": { + "type": "long" + } + } + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "home": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_hidden": { + "type": "boolean" + }, + "is_remote": { + "type": "boolean" + }, + "last_login": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "properties": { + "expiration_date": { + "type": "date" + }, + "hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "inactive_days": { + "type": "integer" + }, + "last_change": { + "type": "integer" + }, + "last_set_time": { + "type": "date" + }, + "max_days_between_changes": { + "type": "integer" + }, + "min_days_between_changes": { + "type": "integer" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "warning_days_before_expiration": { + "type": "integer" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid_signed": { + "type": "long" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "user.id", - "user.name", - "user.home", - "user.type", - "user.created", - "user.groups", - "user.uuid", - "user.auth_failures.timestamp", - "user.auth_failures.count", - "user.group.id_signed", - "user.login.status", - "user.login.type", - "user.login.tty", - "user.password.status", - "user.password.last_change", - "user.password.expiration_date", - "user.roles", - "user.last_login", - "process.pid", - "host.ip", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/sca.json b/plugins/setup/src/main/resources/templates/states/sca.json index 6d869b24..35016f09 100644 --- a/plugins/setup/src/main/resources/templates/states/sca.json +++ b/plugins/setup/src/main/resources/templates/states/sca.json @@ -2,212 +2,214 @@ "index_patterns": [ "wazuh-states-sca*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.id", + "agent.groups", + "check.name", + "check.id", + "checksum.hash.sha1", + "host.name", + "host.os.type", + "host.os.version", + "policy.id", + "policy.name", + "policy.file", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "5s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.id", - "agent.groups", - "check.name", - "check.id", - "checksum.hash.sha1", - "host.name", - "host.os.type", - "host.os.version", - "policy.id", - "policy.name", - "policy.file", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "5s" - } } } diff --git a/plugins/setup/src/main/resources/templates/states/vulnerabilities.json b/plugins/setup/src/main/resources/templates/states/vulnerabilities.json index f3bb9a80..aa36a06f 100644 --- a/plugins/setup/src/main/resources/templates/states/vulnerabilities.json +++ b/plugins/setup/src/main/resources/templates/states/vulnerabilities.json @@ -2,336 +2,338 @@ "index_patterns": [ "wazuh-states-vulnerabilities*" ], - "mappings": { - "date_detection": false, - "dynamic": "strict", - "properties": { - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" + "priority": 1, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "codec": "best_compression", + "number_of_replicas": "0", + "number_of_shards": "1", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "package.architecture", + "package.category", + "package.description", + "package.installed", + "package.multiarch", + "package.name", + "package.path", + "package.priority", + "package.size", + "package.source", + "package.type", + "package.vendor", + "package.version", + "vulnerability.id", + "vulnerability.description", + "vulnerability.severity", + "state.modified_at", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + } + }, + "mappings": { + "date_detection": false, + "dynamic": "strict", + "properties": { + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "os": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "os": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "checksum": { - "properties": { - "hash": { - "properties": { - "sha1": { - "ignore_above": 1024, - "type": "keyword" + }, + "checksum": { + "properties": { + "hash": { + "properties": { + "sha1": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "host": { - "properties": { - "os": { - "properties": { - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "host": { + "properties": { + "os": { + "properties": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "properties": { - "document_version": { - "type": "integer" - }, - "modified_at": { - "type": "date" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "detected_at": { - "type": "date" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "published_at": { - "type": "date" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "under_evaluation": { - "type": "boolean" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "state": { + "properties": { + "document_version": { + "type": "integer" + }, + "modified_at": { + "type": "date" } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "detected_at": { + "type": "date" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "published_at": { + "type": "date" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "under_evaluation": { + "type": "boolean" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "codec": "best_compression", - "number_of_replicas": "0", - "number_of_shards": "1", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "package.architecture", - "package.category", - "package.description", - "package.installed", - "package.multiarch", - "package.name", - "package.path", - "package.priority", - "package.size", - "package.source", - "package.type", - "package.vendor", - "package.version", - "vulnerability.id", - "vulnerability.description", - "vulnerability.severity", - "state.modified_at", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - } } } diff --git a/plugins/setup/src/main/resources/templates/statistics.json b/plugins/setup/src/main/resources/templates/statistics.json index dc81789a..dc72c690 100644 --- a/plugins/setup/src/main/resources/templates/statistics.json +++ b/plugins/setup/src/main/resources/templates/statistics.json @@ -1,254 +1,256 @@ { - "order": 1, "index_patterns": [ "wazuh-statistics*" ], - "settings": { - "index": { - "number_of_replicas": "0", - "number_of_shards": "1", - "refresh_interval": "5s" - } - }, - "mappings" : { - "dynamic_templates" : [ - { - "string_as_keyword" : { - "match_mapping_type" : "string", - "mapping" : { - "type" : "keyword" - } - } + "priority": 1, + "template": { + "settings": { + "index": { + "number_of_replicas": "0", + "number_of_shards": "1", + "refresh_interval": "5s" } - ], - "properties" : { - "analysisd" : { - "properties" : { - "alerts_queue_size" : { - "type" : "long" - }, - "alerts_queue_usage" : { - "type" : "long" - }, - "alerts_written" : { - "type" : "long" - }, - "archives_queue_size" : { - "type" : "long" - }, - "archives_queue_usage" : { - "type" : "long" - }, - "dbsync_mdps" : { - "type" : "long" - }, - "dbsync_messages_dispatched" : { - "type" : "long" - }, - "dbsync_queue_size" : { - "type" : "long" - }, - "dbsync_queue_usage" : { - "type" : "long" - }, - "event_queue_size" : { - "type" : "long" - }, - "event_queue_usage" : { - "type" : "long" - }, - "events_dropped" : { - "type" : "long" - }, - "events_edps" : { - "type" : "long" - }, - "events_processed" : { - "type" : "long" - }, - "events_received" : { - "type" : "long" - }, - "firewall_queue_size" : { - "type" : "long" - }, - "firewall_queue_usage" : { - "type" : "long" - }, - "firewall_written" : { - "type" : "long" - }, - "fts_written" : { - "type" : "long" - }, - "hostinfo_edps" : { - "type" : "long" - }, - "hostinfo_events_decoded" : { - "type" : "long" - }, - "hostinfo_queue_size" : { - "type" : "long" - }, - "hostinfo_queue_usage" : { - "type" : "long" - }, - "other_events_decoded" : { - "type" : "long" - }, - "other_events_edps" : { - "type" : "long" - }, - "rootcheck_edps" : { - "type" : "long" - }, - "rootcheck_events_decoded" : { - "type" : "long" - }, - "rootcheck_queue_size" : { - "type" : "long" - }, - "rootcheck_queue_usage" : { - "type" : "long" - }, - "rule_matching_queue_size" : { - "type" : "long" - }, - "rule_matching_queue_usage" : { - "type" : "long" - }, - "sca_edps" : { - "type" : "long" - }, - "sca_events_decoded" : { - "type" : "long" - }, - "sca_queue_size" : { - "type" : "long" - }, - "sca_queue_usage" : { - "type" : "long" - }, - "statistical_queue_size" : { - "type" : "long" - }, - "statistical_queue_usage" : { - "type" : "long" - }, - "syscheck_edps" : { - "type" : "long" - }, - "syscheck_events_decoded" : { - "type" : "long" - }, - "syscheck_queue_size" : { - "type" : "long" - }, - "syscheck_queue_usage" : { - "type" : "long" - }, - "syscollector_edps" : { - "type" : "long" - }, - "syscollector_events_decoded" : { - "type" : "long" - }, - "syscollector_queue_size" : { - "type" : "long" - }, - "syscollector_queue_usage" : { - "type" : "long" - }, - "total_events_decoded" : { - "type" : "long" - }, - "upgrade_queue_size" : { - "type" : "long" - }, - "upgrade_queue_usage" : { - "type" : "long" - }, - "winevt_edps" : { - "type" : "long" - }, - "winevt_events_decoded" : { - "type" : "long" - }, - "winevt_queue_size" : { - "type" : "long" - }, - "winevt_queue_usage" : { - "type" : "long" + }, + "mappings" : { + "dynamic_templates" : [ + { + "string_as_keyword" : { + "match_mapping_type" : "string", + "mapping" : { + "type" : "keyword" + } } } - }, - "apiName" : { - "type" : "text", - "fields" : { - "keyword" : { - "type" : "keyword", - "ignore_above" : 256 + ], + "properties" : { + "analysisd" : { + "properties" : { + "alerts_queue_size" : { + "type" : "long" + }, + "alerts_queue_usage" : { + "type" : "long" + }, + "alerts_written" : { + "type" : "long" + }, + "archives_queue_size" : { + "type" : "long" + }, + "archives_queue_usage" : { + "type" : "long" + }, + "dbsync_mdps" : { + "type" : "long" + }, + "dbsync_messages_dispatched" : { + "type" : "long" + }, + "dbsync_queue_size" : { + "type" : "long" + }, + "dbsync_queue_usage" : { + "type" : "long" + }, + "event_queue_size" : { + "type" : "long" + }, + "event_queue_usage" : { + "type" : "long" + }, + "events_dropped" : { + "type" : "long" + }, + "events_edps" : { + "type" : "long" + }, + "events_processed" : { + "type" : "long" + }, + "events_received" : { + "type" : "long" + }, + "firewall_queue_size" : { + "type" : "long" + }, + "firewall_queue_usage" : { + "type" : "long" + }, + "firewall_written" : { + "type" : "long" + }, + "fts_written" : { + "type" : "long" + }, + "hostinfo_edps" : { + "type" : "long" + }, + "hostinfo_events_decoded" : { + "type" : "long" + }, + "hostinfo_queue_size" : { + "type" : "long" + }, + "hostinfo_queue_usage" : { + "type" : "long" + }, + "other_events_decoded" : { + "type" : "long" + }, + "other_events_edps" : { + "type" : "long" + }, + "rootcheck_edps" : { + "type" : "long" + }, + "rootcheck_events_decoded" : { + "type" : "long" + }, + "rootcheck_queue_size" : { + "type" : "long" + }, + "rootcheck_queue_usage" : { + "type" : "long" + }, + "rule_matching_queue_size" : { + "type" : "long" + }, + "rule_matching_queue_usage" : { + "type" : "long" + }, + "sca_edps" : { + "type" : "long" + }, + "sca_events_decoded" : { + "type" : "long" + }, + "sca_queue_size" : { + "type" : "long" + }, + "sca_queue_usage" : { + "type" : "long" + }, + "statistical_queue_size" : { + "type" : "long" + }, + "statistical_queue_usage" : { + "type" : "long" + }, + "syscheck_edps" : { + "type" : "long" + }, + "syscheck_events_decoded" : { + "type" : "long" + }, + "syscheck_queue_size" : { + "type" : "long" + }, + "syscheck_queue_usage" : { + "type" : "long" + }, + "syscollector_edps" : { + "type" : "long" + }, + "syscollector_events_decoded" : { + "type" : "long" + }, + "syscollector_queue_size" : { + "type" : "long" + }, + "syscollector_queue_usage" : { + "type" : "long" + }, + "total_events_decoded" : { + "type" : "long" + }, + "upgrade_queue_size" : { + "type" : "long" + }, + "upgrade_queue_usage" : { + "type" : "long" + }, + "winevt_edps" : { + "type" : "long" + }, + "winevt_events_decoded" : { + "type" : "long" + }, + "winevt_queue_size" : { + "type" : "long" + }, + "winevt_queue_usage" : { + "type" : "long" + } } - } - }, - "cluster" : { - "type" : "text", - "fields" : { - "keyword" : { - "type" : "keyword", - "ignore_above" : 256 + }, + "apiName" : { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword", + "ignore_above" : 256 + } } - } - }, - "nodeName" : { - "type" : "text", - "fields" : { - "keyword" : { - "type" : "keyword", - "ignore_above" : 256 + }, + "cluster" : { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword", + "ignore_above" : 256 + } } - } - }, - "name" : { - "type" : "keyword" - }, - "remoted" : { - "properties" : { - "ctrl_msg_count" : { - "type" : "long" - }, - "dequeued_after_close" : { - "type" : "long" - }, - "discarded_count" : { - "type" : "long" - }, - "evt_count" : { - "type" : "long" - }, - "msg_sent" : { - "type" : "long" - }, - "queue_size" : { - "type" : "keyword" - }, - "recv_bytes" : { - "type" : "long" - }, - "tcp_sessions" : { - "type" : "long" - }, - "total_queue_size" : { - "type" : "long" + }, + "nodeName" : { + "type" : "text", + "fields" : { + "keyword" : { + "type" : "keyword", + "ignore_above" : 256 + } } + }, + "name" : { + "type" : "keyword" + }, + "remoted" : { + "properties" : { + "ctrl_msg_count" : { + "type" : "long" + }, + "dequeued_after_close" : { + "type" : "long" + }, + "discarded_count" : { + "type" : "long" + }, + "evt_count" : { + "type" : "long" + }, + "msg_sent" : { + "type" : "long" + }, + "queue_size" : { + "type" : "keyword" + }, + "recv_bytes" : { + "type" : "long" + }, + "tcp_sessions" : { + "type" : "long" + }, + "total_queue_size" : { + "type" : "long" + } + } + }, + "status" : { + "type" : "keyword" + }, + "timestamp" : { + "type" : "date", + "format" : "dateOptionalTime" } - }, - "status" : { - "type" : "keyword" - }, - "timestamp" : { - "type" : "date", - "format" : "dateOptionalTime" } } } diff --git a/plugins/setup/src/main/resources/templates/streams/access-management.json b/plugins/setup/src/main/resources/templates/streams/access-management.json index 972ae5e6..b5fafeea 100644 --- a/plugins/setup/src/main/resources/templates/streams/access-management.json +++ b/plugins/setup/src/main/resources/templates/streams/access-management.json @@ -1,8300 +1,8303 @@ { "index_patterns": [ - "wazuh-events-v5-access-management-*" + "wazuh-events-v5-access-management*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-access-management" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "write": { + "properties": { + "bytes": { + "type": "long" + } } } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" } } } }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "role": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 2500, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-access-management" } } diff --git a/plugins/setup/src/main/resources/templates/streams/alerts.json b/plugins/setup/src/main/resources/templates/streams/alerts.json index 67aa0abe..3faca699 100644 --- a/plugins/setup/src/main/resources/templates/streams/alerts.json +++ b/plugins/setup/src/main/resources/templates/streams/alerts.json @@ -1,8334 +1,8337 @@ { "index_patterns": [ - "wazuh-alerts-v5-*" + "wazuh-alerts-v5*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-alerts-v5" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "role": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 2500, - "plugins.index_state_management.rollover_alias": "wazuh-alerts-v5" } } diff --git a/plugins/setup/src/main/resources/templates/streams/applications.json b/plugins/setup/src/main/resources/templates/streams/applications.json index d8019551..4befc84b 100644 --- a/plugins/setup/src/main/resources/templates/streams/applications.json +++ b/plugins/setup/src/main/resources/templates/streams/applications.json @@ -1,10333 +1,10336 @@ { "index_patterns": [ - "wazuh-events-v5-applications-*" + "wazuh-events-v5-applications*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 3000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-applications" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "apache_tomcat": { - "properties": { - "access": { - "properties": { - "connection_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "ident": { - "ignore_above": 1024, - "type": "keyword" - }, - "useragent": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "properties": { - "local": { - "type": "ip" - } - } - }, - "request_process_time": { - "type": "double" - }, - "response_time": { - "type": "double" - } - } - }, - "cache": { - "properties": { - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "hit": { - "properties": { - "count": { - "type": "double" - } - } - }, - "lookup": { - "properties": { - "count": { - "type": "double" - } - } - }, - "object": { - "properties": { - "size": { - "properties": { - "max": { - "properties": { - "kb": { - "type": "double" - } + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" } } } } - } - }, - "size": { - "properties": { - "current": { - "properties": { - "kb": { - "type": "double" - } - } - }, - "max": { - "properties": { - "kb": { - "type": "double" - } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "ttl": { - "properties": { - "ms": { - "type": "double" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "catalina": { - "properties": { - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "connection_pool": { - "properties": { - "access_to_underlying_connection_allowed": { - "type": "boolean" - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cache": { - "properties": { - "state": { - "type": "long" - } - } - }, - "connection": { - "properties": { - "abandoned_usage_tracking": { - "type": "boolean" - }, - "active": { - "properties": { - "count": { - "type": "long" - } - } - }, - "autocommit_on_return": { - "type": "boolean" - }, - "clear_statement_pool_on_return": { - "type": "boolean" - }, - "closed": { - "type": "boolean" - }, - "database": { - "properties": { - "time": { - "properties": { - "max": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - } - } - }, - "default_transaction_isolation": { - "type": "long" - }, - "enable_autocommit_on_return": { - "type": "boolean" - }, - "fast_fail_validation": { - "type": "boolean" - }, - "idle": { - "properties": { - "count": { - "type": "long" - }, - "exists": { - "type": "boolean" - }, - "max": { - "properties": { - "count": { - "type": "long" - }, - "size": { - "type": "long" - }, - "time": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - }, - "min": { - "properties": { - "size": { - "type": "long" - }, - "time": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - } - } - }, - "initial_size": { - "properties": { - "count": { - "type": "long" - } - } - }, - "lifetime": { - "properties": { - "max": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - }, - "log_expired": { - "type": "boolean" - }, - "min_evictable_idle": { - "properties": { - "time": { - "type": "long" - } - } - }, - "remove_abandoned_on_borrow": { - "type": "boolean" - }, - "remove_abandoned_on_maintenance": { - "type": "boolean" - }, - "remove_abandoned_timeout": { - "type": "long" - }, - "rollback_on_return": { - "type": "boolean" - }, - "test_on_return": { - "type": "boolean" - }, - "test_while_idle": { - "type": "boolean" - }, - "time_between_eviction_run": { - "properties": { - "time": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - }, - "validate": { - "type": "long" - } - } - }, - "lifo": { - "type": "boolean" - }, - "max": { - "properties": { - "total": { - "type": "long" - } - } - }, - "prepared_statements": { - "type": "boolean" - }, - "test_on_borrow": { - "type": "boolean" - }, - "test_on_create": { - "type": "boolean" - } - } - }, - "localhost": { - "properties": { - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "memory": { - "properties": { - "doc_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "gc": { - "properties": { - "collection": { - "properties": { - "count": { - "type": "long" - }, - "time": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - }, - "valid": { - "type": "long" - } - } - }, - "heap": { - "properties": { - "committed": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "init": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "max": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "used": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "non_heap": { - "properties": { - "committed": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "init": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "max": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "used": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "object_pending_finalization": { - "properties": { - "count": { - "type": "long" - } - } - }, - "verbose": { - "type": "boolean" - } - } - }, - "request": { - "properties": { - "count": { - "type": "long" - }, - "error": { - "properties": { - "count": { - "type": "long" - } - } - }, - "nio_connector": { - "ignore_above": 1024, - "type": "keyword" - }, - "received": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "sent": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "time": { - "properties": { - "max": { - "type": "long" - }, - "total": { - "type": "long" - } - } - } - } - }, - "session": { - "properties": { - "active": { - "properties": { - "allowed": { - "properties": { - "max": { - "type": "long" - } - } - }, - "max": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "alive_time": { - "properties": { - "avg": { - "type": "long" - }, - "max": { - "type": "long" - } - } - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "create": { - "properties": { - "rate": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "duplicate_ids": { - "properties": { - "count": { - "type": "long" - } - } - }, - "expire": { - "properties": { - "rate": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "persist_authentication": { - "type": "boolean" - }, - "process_expires_frequency": { - "properties": { - "count": { - "type": "long" - } - } - }, - "processing_time": { - "type": "long" - }, - "rejected": { - "properties": { - "count": { - "type": "long" - } - } - }, - "warn_on_session_attribute_filter_failure": { - "type": "boolean" - } - } - }, - "thread_pool": { - "properties": { - "connection": { - "properties": { - "count": { - "type": "long" - }, - "linger": { - "type": "long" - }, - "max": { - "type": "long" - }, - "timeout": { - "type": "long" - } - } - }, - "contention": { - "properties": { - "monitoring_enabled": { - "type": "boolean" - } - } - }, - "executor_termination": { - "properties": { - "timeout": { - "properties": { - "ms": { - "type": "long" - } - } - } - } - }, - "initiated_connector": { - "properties": { - "state": { - "type": "boolean" - } - } - }, - "keep_alive": { - "properties": { - "count": { - "type": "long" - }, - "max_requests": { - "type": "long" - }, - "timeout": { - "type": "long" - } - } - }, - "nio_connector": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_enabled": { - "type": "boolean" - }, - "tcp_no_delay": { - "type": "boolean" - }, - "thread": { - "properties": { - "accept": { - "properties": { - "count": { - "type": "long" - } - } - }, - "active": { - "properties": { - "count": { - "type": "long" - } - } - }, - "allocated_memory": { - "properties": { - "enabled": { - "type": "boolean" - }, - "supported": { - "type": "boolean" - } - } - }, - "current": { - "properties": { - "allocated": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "busy": { - "type": "long" - }, - "count": { - "type": "long" - }, - "cpu": { - "properties": { - "time": { - "properties": { - "enabled": { - "type": "boolean" - }, - "ms": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "user": { - "properties": { - "time": { - "properties": { - "ms": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "daemon": { - "properties": { - "count": { - "type": "long" - }, - "status": { - "type": "boolean" - } - } - }, - "paused": { - "type": "boolean" - }, - "peak": { - "properties": { - "count": { - "type": "long" - } - } - }, - "port": { - "properties": { - "default": { - "type": "long" - }, - "offset": { - "type": "long" - }, - "value": { - "type": "long" - }, - "with_offset": { - "type": "long" - } - } - }, - "priority": { - "properties": { - "acceptor": { - "type": "long" - }, - "count": { - "type": "long" - }, - "poller": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "max": { - "type": "long" - } - } - }, - "running": { - "properties": { - "min": { - "type": "long" - }, - "value": { - "type": "boolean" - } - } - }, - "selector": { - "properties": { - "timeout": { - "type": "long" - } - } - }, - "sni_parse_limit": { - "type": "long" - }, - "supported": { - "properties": { - "contention_monitoring": { - "type": "boolean" - }, - "cpu": { - "properties": { - "current": { - "properties": { - "time": { - "type": "boolean" - } - } - } - } - }, - "usage": { - "properties": { - "object_monitor": { - "type": "boolean" - }, - "synchronizer": { - "type": "boolean" - } - } - } - } - }, - "total": { - "type": "long" - } - } - }, - "use_inherited_channel": { - "type": "boolean" - }, - "use_send_file": { - "type": "boolean" - } - } - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "apache_tomcat": { + "properties": { + "access": { + "properties": { + "connection_status": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + "http": { + "properties": { + "ident": { + "ignore_above": 1024, + "type": "keyword" + }, + "useragent": { + "ignore_above": 1024, + "type": "keyword" } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" } + }, + "ip": { + "properties": { + "local": { + "type": "ip" + } + } + }, + "request_process_time": { + "type": "double" + }, + "response_time": { + "type": "double" } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "cache": { + "properties": { + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "hit": { + "properties": { + "count": { + "type": "double" + } } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "lookup": { + "properties": { + "count": { + "type": "double" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "iis": { - "properties": { - "bytes_received_by_client": { - "type": "long" - }, - "bytes_sent_by_server": { - "type": "long" - }, - "sub_status": { - "type": "long" - }, - "win32_status": { - "type": "long" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "object": { + "properties": { + "size": { + "properties": { + "max": { + "properties": { + "kb": { + "type": "double" } } } } } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "oracle": { - "properties": { - "weblogic": { - "properties": { - "diagnostic_context_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "meta": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subsystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "size": { + "properties": { + "current": { + "properties": { + "kb": { + "type": "double" + } } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "springboot": { - "properties": { - "gc": { - "properties": { - "last_info": { - "properties": { - "memory_usage": { - "properties": { - "after": { - "properties": { - "code_cache": { - "type": "object" - }, - "compressed_class_space": { - "type": "object" - }, - "g1_eden_space": { - "type": "object" - }, - "g1_old_gen": { - "type": "object" - }, - "g1_survivor_space": { - "type": "object" - }, - "metaspace": { - "type": "object" - }, - "ps_eden_space": { - "type": "object" - }, - "ps_old_gen": { - "type": "object" - }, - "ps_survivor_space": { - "type": "object" - } - }, - "type": "object" - }, - "before": { - "properties": { - "code_cache": { - "type": "object" - }, - "compressed_class_space": { - "type": "object" - }, - "g1_eden_space": { - "type": "object" - }, - "g1_old_gen": { - "type": "object" - }, - "g1_survivor_space": { - "type": "object" - }, - "metaspace": { - "type": "object" - }, - "ps_eden_space": { - "type": "object" - }, - "ps_old_gen": { - "type": "object" - }, - "ps_survivor_space": { - "type": "object" - } - }, - "type": "object" - } - } - }, - "time": { - "properties": { - "duration": { - "type": "long" - }, - "end": { - "type": "long" - }, - "start": { - "type": "long" - } - } - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_trace": { - "properties": { - "principal": { - "ignore_above": 1024, - "type": "keyword" - }, - "session": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "squid": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "peerstatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "max": { + "properties": { + "kb": { + "type": "double" } } } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "ttl": { + "properties": { + "ms": { + "type": "double" } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + } + } + } + }, + "catalina": { + "properties": { + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "connection_pool": { + "properties": { + "access_to_underlying_connection_allowed": { + "type": "boolean" + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache": { + "properties": { + "state": { + "type": "long" + } + } + }, + "connection": { + "properties": { + "abandoned_usage_tracking": { + "type": "boolean" + }, + "active": { + "properties": { + "count": { + "type": "long" } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "autocommit_on_return": { + "type": "boolean" + }, + "clear_statement_pool_on_return": { + "type": "boolean" + }, + "closed": { + "type": "boolean" + }, + "database": { + "properties": { + "time": { + "properties": { + "max": { + "properties": { + "ms": { + "type": "long" + } } } + } + } + } + }, + "default_transaction_isolation": { + "type": "long" + }, + "enable_autocommit_on_return": { + "type": "boolean" + }, + "fast_fail_validation": { + "type": "boolean" + }, + "idle": { + "properties": { + "count": { + "type": "long" + }, + "exists": { + "type": "boolean" + }, + "max": { + "properties": { + "count": { + "type": "long" + }, + "size": { + "type": "long" + }, + "time": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + }, + "min": { + "properties": { + "size": { + "type": "long" + }, + "time": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + } + } + }, + "initial_size": { + "properties": { + "count": { + "type": "long" + } + } + }, + "lifetime": { + "properties": { + "max": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + }, + "log_expired": { + "type": "boolean" + }, + "min_evictable_idle": { + "properties": { + "time": { + "type": "long" + } + } + }, + "remove_abandoned_on_borrow": { + "type": "boolean" + }, + "remove_abandoned_on_maintenance": { + "type": "boolean" + }, + "remove_abandoned_timeout": { + "type": "long" + }, + "rollback_on_return": { + "type": "boolean" + }, + "test_on_return": { + "type": "boolean" + }, + "test_while_idle": { + "type": "boolean" + }, + "time_between_eviction_run": { + "properties": { + "time": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + }, + "validate": { + "type": "long" + } + } + }, + "lifo": { + "type": "boolean" + }, + "max": { + "properties": { + "total": { + "type": "long" + } + } + }, + "prepared_statements": { + "type": "boolean" + }, + "test_on_borrow": { + "type": "boolean" + }, + "test_on_create": { + "type": "boolean" + } + } + }, + "localhost": { + "properties": { + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "memory": { + "properties": { + "doc_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "gc": { + "properties": { + "collection": { + "properties": { + "count": { + "type": "long" + }, + "time": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + }, + "valid": { + "type": "long" + } + } + }, + "heap": { + "properties": { + "committed": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "init": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "max": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "used": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "non_heap": { + "properties": { + "committed": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "init": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "max": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "used": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "object_pending_finalization": { + "properties": { + "count": { + "type": "long" + } + } + }, + "verbose": { + "type": "boolean" + } + } + }, + "request": { + "properties": { + "count": { + "type": "long" + }, + "error": { + "properties": { + "count": { + "type": "long" + } + } + }, + "nio_connector": { + "ignore_above": 1024, + "type": "keyword" + }, + "received": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "sent": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "time": { + "properties": { + "max": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } + }, + "session": { + "properties": { + "active": { + "properties": { + "allowed": { + "properties": { + "max": { + "type": "long" + } + } + }, + "max": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "alive_time": { + "properties": { + "avg": { + "type": "long" + }, + "max": { + "type": "long" + } + } + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "create": { + "properties": { + "rate": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "duplicate_ids": { + "properties": { + "count": { + "type": "long" + } + } + }, + "expire": { + "properties": { + "rate": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "persist_authentication": { + "type": "boolean" + }, + "process_expires_frequency": { + "properties": { + "count": { + "type": "long" + } + } + }, + "processing_time": { + "type": "long" + }, + "rejected": { + "properties": { + "count": { + "type": "long" + } + } + }, + "warn_on_session_attribute_filter_failure": { + "type": "boolean" + } + } + }, + "thread_pool": { + "properties": { + "connection": { + "properties": { + "count": { + "type": "long" + }, + "linger": { + "type": "long" + }, + "max": { + "type": "long" + }, + "timeout": { + "type": "long" + } + } + }, + "contention": { + "properties": { + "monitoring_enabled": { + "type": "boolean" + } + } + }, + "executor_termination": { + "properties": { + "timeout": { + "properties": { + "ms": { + "type": "long" + } + } + } + } + }, + "initiated_connector": { + "properties": { + "state": { + "type": "boolean" + } + } + }, + "keep_alive": { + "properties": { + "count": { + "type": "long" + }, + "max_requests": { + "type": "long" + }, + "timeout": { + "type": "long" + } + } + }, + "nio_connector": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_enabled": { + "type": "boolean" + }, + "tcp_no_delay": { + "type": "boolean" + }, + "thread": { + "properties": { + "accept": { + "properties": { + "count": { + "type": "long" + } + } + }, + "active": { + "properties": { + "count": { + "type": "long" + } + } + }, + "allocated_memory": { + "properties": { + "enabled": { + "type": "boolean" + }, + "supported": { + "type": "boolean" + } + } + }, + "current": { + "properties": { + "allocated": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "busy": { + "type": "long" + }, + "count": { + "type": "long" + }, + "cpu": { + "properties": { + "time": { + "properties": { + "enabled": { + "type": "boolean" + }, + "ms": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user": { + "properties": { + "time": { + "properties": { + "ms": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "daemon": { + "properties": { + "count": { + "type": "long" + }, + "status": { + "type": "boolean" + } + } + }, + "paused": { + "type": "boolean" + }, + "peak": { + "properties": { + "count": { + "type": "long" + } + } + }, + "port": { + "properties": { + "default": { + "type": "long" + }, + "offset": { + "type": "long" + }, + "value": { + "type": "long" + }, + "with_offset": { + "type": "long" + } + } + }, + "priority": { + "properties": { + "acceptor": { + "type": "long" + }, + "count": { + "type": "long" + }, + "poller": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "max": { + "type": "long" + } + } + }, + "running": { + "properties": { + "min": { + "type": "long" + }, + "value": { + "type": "boolean" + } + } + }, + "selector": { + "properties": { + "timeout": { + "type": "long" + } + } + }, + "sni_parse_limit": { + "type": "long" + }, + "supported": { + "properties": { + "contention_monitoring": { + "type": "boolean" + }, + "cpu": { + "properties": { + "current": { + "properties": { + "time": { + "type": "boolean" + } + } + } + } + }, + "usage": { + "properties": { + "object_monitor": { + "type": "boolean" + }, + "synchronizer": { + "type": "boolean" + } + } + } + } + }, + "total": { + "type": "long" + } + } + }, + "use_inherited_channel": { + "type": "boolean" + }, + "use_send_file": { + "type": "boolean" + } + } + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iis": { + "properties": { + "bytes_received_by_client": { + "type": "long" + }, + "bytes_sent_by_server": { + "type": "long" + }, + "sub_status": { + "type": "long" + }, + "win32_status": { + "type": "long" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "oracle": { + "properties": { + "weblogic": { + "properties": { + "diagnostic_context_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "meta": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "springboot": { + "properties": { + "gc": { + "properties": { + "last_info": { + "properties": { + "memory_usage": { + "properties": { + "after": { + "properties": { + "code_cache": { + "type": "object" + }, + "compressed_class_space": { + "type": "object" + }, + "g1_eden_space": { + "type": "object" + }, + "g1_old_gen": { + "type": "object" + }, + "g1_survivor_space": { + "type": "object" + }, + "metaspace": { + "type": "object" + }, + "ps_eden_space": { + "type": "object" + }, + "ps_old_gen": { + "type": "object" + }, + "ps_survivor_space": { + "type": "object" + } }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "before": { + "properties": { + "code_cache": { + "type": "object" + }, + "compressed_class_space": { + "type": "object" + }, + "g1_eden_space": { + "type": "object" + }, + "g1_old_gen": { + "type": "object" + }, + "g1_survivor_space": { + "type": "object" + }, + "metaspace": { + "type": "object" + }, + "ps_eden_space": { + "type": "object" + }, + "ps_old_gen": { + "type": "object" + }, + "ps_survivor_space": { + "type": "object" + } }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "type": "object" + } + } + }, + "time": { + "properties": { + "duration": { + "type": "long" + }, + "end": { + "type": "long" + }, + "start": { + "type": "long" + } + } + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_trace": { + "properties": { + "principal": { + "ignore_above": 1024, + "type": "keyword" + }, + "session": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "squid": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "peerstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "version_number": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + } + } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } } }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } } } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "country": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" } } } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" - } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "websphere": { - "properties": { - "metrics": { - "properties": { - "alarm_manager": { - "properties": { - "cancelled": { - "properties": { - "total": { - "type": "long" - } - } - }, - "create": { - "properties": { - "total": { - "type": "long" - } - } - }, - "fired": { - "properties": { - "total": { - "type": "long" - } - } - }, - "latency_seconds": { - "type": "long" - }, - "pending_alarms": { - "type": "long" - } - } - }, - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication": { - "properties": { - "assertion_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentications": { - "properties": { - "total": { - "type": "long" - } - } - }, - "credential_creation": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } + }, + "websphere": { + "properties": { + "metrics": { + "properties": { + "alarm_manager": { + "properties": { + "cancelled": { + "properties": { + "total": { + "type": "long" } } - } - }, - "credential_creations": { - "properties": { - "total": { - "type": "long" - } - } - }, - "identity_assertion": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } + }, + "create": { + "properties": { + "total": { + "type": "long" } } - } - }, - "identity_assertions": { - "properties": { - "total": { - "type": "long" - } - } - }, - "tai_request": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } + }, + "fired": { + "properties": { + "total": { + "type": "long" } } - } - }, - "tai_requests": { - "properties": { - "total": { - "type": "long" - } - } - }, - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "authorization": { - "properties": { - "authorization_time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "authorizations": { - "properties": { - "total": { - "type": "long" - } + }, + "latency_seconds": { + "type": "long" + }, + "pending_alarms": { + "type": "long" } } - } - }, - "cacheobject": { - "ignore_above": 1024, - "type": "keyword" - }, - "dynamic_caching": { - "properties": { - "cache_entries": { - "type": "long" - }, - "distributed_requests": { - "properties": { - "total": { - "type": "long" - } - } - }, - "explicit_invalidate": { - "properties": { - "total": { - "type": "long" - } - } - }, - "hit": { - "properties": { - "total": { - "type": "long" - } - } - }, - "in_memory_and_disk_cache_entries": { - "properties": { - "total": { - "type": "long" - } - } - }, - "invalidate": { - "properties": { - "total": { - "type": "long" - } - } - }, - "miss": { - "properties": { - "total": { - "type": "long" - } - } - }, - "remote_create": { - "properties": { - "total": { - "type": "long" - } - } - }, - "remote_hit": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "extension_registry": { - "properties": { - "displacement": { - "properties": { - "total": { - "type": "long" - } - } - }, - "hit": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "ha_manager": { - "properties": { - "bulletin_board_rebuild": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "bulletin_board_subjects": { - "type": "long" - }, - "bulletin_board_subscriptions": { - "type": "long" - }, - "group_state_rebuild": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "local": { - "properties": { - "bulletin_board_subjects": { - "type": "long" - }, - "bulletin_board_subscriptions": { - "type": "long" - }, - "groups": { - "type": "long" - } - } - } - } - }, - "hitstype": { - "ignore_above": 1024, - "type": "keyword" - }, - "interceptor": { - "ignore_above": 1024, - "type": "keyword" - }, - "jax_ws": { - "properties": { - "dispatch": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "payloads": { - "properties": { - "bytes": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "reply": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "request": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } + }, + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication": { + "properties": { + "assertion_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentications": { + "properties": { + "total": { + "type": "long" } } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests_dispatched": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests_received": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests_successful": { - "properties": { - "total": { - "type": "long" - } - } - }, - "response": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "responses": { - "properties": { - "total": { - "type": "long" - } - } - }, - "services_loaded": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "jdbc": { - "properties": { - "connection": { - "properties": { - "allocated": { - "type": "long" - }, - "closed": { - "type": "long" - }, - "connection_handles": { - "type": "long" - }, - "created": { - "type": "long" - }, - "fault": { - "properties": { - "total": { - "type": "long" - } - } - }, - "free": { - "type": "long" - }, - "handles": { - "type": "long" - }, - "jdbc_operation_time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "jdbc_operations": { - "properties": { - "total": { - "type": "long" - } - } - }, - "managed": { - "type": "long" - }, - "managed_connections": { - "type": "long" - }, - "prep_stmt_cache_discard": { - "properties": { - "total": { - "type": "long" - } - } - }, - "returned": { - "type": "long" - }, - "total": { - "properties": { - "in_use": { - "type": "long" - }, - "operations_calls": { - "type": "long" - }, - "operations_seconds": { - "type": "long" - }, - "seconds_in_use": { - "type": "long" - }, - "wait": { - "type": "long" - }, - "wait_seconds": { - "type": "long" - } - } - }, - "waiting_threads": { - "type": "long" - } - } - }, - "data_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "percent_used": { - "type": "long" - }, - "pool_size": { - "type": "long" - }, - "total_cache_discarded": { - "type": "long" - } - } - }, - "jvm": { - "properties": { - "memory": { - "properties": { - "area": { - "ignore_above": 1024, - "type": "keyword" - }, - "committed_bytes": { - "type": "long" - }, - "max_bytes": { - "type": "long" - }, - "used_bytes": { - "type": "long" - } - } - } - } - }, - "object_pool": { - "properties": { - "allocate": { - "properties": { - "total": { - "type": "long" - } - } - }, - "create": { - "properties": { - "total": { - "type": "long" - } - } - }, - "idle_objects": { - "type": "long" - }, - "return": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "objectpool": { - "ignore_above": 1024, - "type": "keyword" - }, - "orb": { - "properties": { - "concurrent_requests": { - "type": "long" - }, - "lookup": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "processing": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "portlet": { - "properties": { - "concurrent_requests": { - "type": "long" - }, - "errors": { - "properties": { - "total": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "process": { - "properties": { - "cpu_utilization": { - "type": "long" - }, - "uptime_seconds": { - "type": "long" - } - } - }, - "scrape": { - "properties": { - "duration_seconds": { - "type": "long" - } - } - }, - "servlet": { - "properties": { - "app_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "async_context": { - "properties": { - "response_time_seconds": { - "type": "long" - }, - "responses": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "errors": { - "type": "long" - }, - "loaded": { - "type": "long" - }, - "reloaded": { - "type": "long" - }, - "requests": { - "properties": { - "concurrent": { - "type": "long" - }, - "processed": { - "type": "long" - } - } - }, - "response_time_seconds": { - "type": "long" - }, - "responses": { - "properties": { - "processed": { - "type": "long" - } - } - }, - "uri": { - "properties": { - "async_context": { - "properties": { - "response_time_seconds": { - "type": "long" - }, - "responses": { - "properties": { - "total": { - "type": "long" - } + }, + "credential_creation": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" } } } - }, - "requests": { - "properties": { - "concurrent": { - "type": "long" - }, - "total": { - "type": "long" + } + }, + "credential_creations": { + "properties": { + "total": { + "type": "long" + } + } + }, + "identity_assertion": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } } } - }, - "response_time_seconds": { - "type": "long" - }, - "responses": { - "properties": { - "total": { - "type": "long" + } + }, + "identity_assertions": { + "properties": { + "total": { + "type": "long" + } + } + }, + "tai_request": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "tai_requests": { + "properties": { + "total": { + "type": "long" + } + } + }, + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authorization": { + "properties": { + "authorization_time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "authorizations": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "cacheobject": { + "ignore_above": 1024, + "type": "keyword" + }, + "dynamic_caching": { + "properties": { + "cache_entries": { + "type": "long" + }, + "distributed_requests": { + "properties": { + "total": { + "type": "long" + } + } + }, + "explicit_invalidate": { + "properties": { + "total": { + "type": "long" + } + } + }, + "hit": { + "properties": { + "total": { + "type": "long" + } + } + }, + "in_memory_and_disk_cache_entries": { + "properties": { + "total": { + "type": "long" + } + } + }, + "invalidate": { + "properties": { + "total": { + "type": "long" + } + } + }, + "miss": { + "properties": { + "total": { + "type": "long" + } + } + }, + "remote_create": { + "properties": { + "total": { + "type": "long" + } + } + }, + "remote_hit": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "extension_registry": { + "properties": { + "displacement": { + "properties": { + "total": { + "type": "long" + } + } + }, + "hit": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "ha_manager": { + "properties": { + "bulletin_board_rebuild": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "bulletin_board_subjects": { + "type": "long" + }, + "bulletin_board_subscriptions": { + "type": "long" + }, + "group_state_rebuild": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "local": { + "properties": { + "bulletin_board_subjects": { + "type": "long" + }, + "bulletin_board_subscriptions": { + "type": "long" + }, + "groups": { + "type": "long" + } + } + } + } + }, + "hitstype": { + "ignore_above": 1024, + "type": "keyword" + }, + "interceptor": { + "ignore_above": 1024, + "type": "keyword" + }, + "jax_ws": { + "properties": { + "dispatch": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "payloads": { + "properties": { + "bytes": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "reply": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "request": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests_dispatched": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests_received": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests_successful": { + "properties": { + "total": { + "type": "long" + } + } + }, + "response": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "responses": { + "properties": { + "total": { + "type": "long" + } + } + }, + "services_loaded": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "jdbc": { + "properties": { + "connection": { + "properties": { + "allocated": { + "type": "long" + }, + "closed": { + "type": "long" + }, + "connection_handles": { + "type": "long" + }, + "created": { + "type": "long" + }, + "fault": { + "properties": { + "total": { + "type": "long" + } + } + }, + "free": { + "type": "long" + }, + "handles": { + "type": "long" + }, + "jdbc_operation_time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "jdbc_operations": { + "properties": { + "total": { + "type": "long" + } + } + }, + "managed": { + "type": "long" + }, + "managed_connections": { + "type": "long" + }, + "prep_stmt_cache_discard": { + "properties": { + "total": { + "type": "long" + } + } + }, + "returned": { + "type": "long" + }, + "total": { + "properties": { + "in_use": { + "type": "long" + }, + "operations_calls": { + "type": "long" + }, + "operations_seconds": { + "type": "long" + }, + "seconds_in_use": { + "type": "long" + }, + "wait": { + "type": "long" + }, + "wait_seconds": { + "type": "long" + } + } + }, + "waiting_threads": { + "type": "long" + } + } + }, + "data_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "percent_used": { + "type": "long" + }, + "pool_size": { + "type": "long" + }, + "total_cache_discarded": { + "type": "long" + } + } + }, + "jvm": { + "properties": { + "memory": { + "properties": { + "area": { + "ignore_above": 1024, + "type": "keyword" + }, + "committed_bytes": { + "type": "long" + }, + "max_bytes": { + "type": "long" + }, + "used_bytes": { + "type": "long" + } + } + } + } + }, + "object_pool": { + "properties": { + "allocate": { + "properties": { + "total": { + "type": "long" + } + } + }, + "create": { + "properties": { + "total": { + "type": "long" + } + } + }, + "idle_objects": { + "type": "long" + }, + "return": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "objectpool": { + "ignore_above": 1024, + "type": "keyword" + }, + "orb": { + "properties": { + "concurrent_requests": { + "type": "long" + }, + "lookup": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "processing": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "portlet": { + "properties": { + "concurrent_requests": { + "type": "long" + }, + "errors": { + "properties": { + "total": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "process": { + "properties": { + "cpu_utilization": { + "type": "long" + }, + "uptime_seconds": { + "type": "long" + } + } + }, + "scrape": { + "properties": { + "duration_seconds": { + "type": "long" + } + } + }, + "servlet": { + "properties": { + "app_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "async_context": { + "properties": { + "response_time_seconds": { + "type": "long" + }, + "responses": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "errors": { + "type": "long" + }, + "loaded": { + "type": "long" + }, + "reloaded": { + "type": "long" + }, + "requests": { + "properties": { + "concurrent": { + "type": "long" + }, + "processed": { + "type": "long" + } + } + }, + "response_time_seconds": { + "type": "long" + }, + "responses": { + "properties": { + "processed": { + "type": "long" + } + } + }, + "uri": { + "properties": { + "async_context": { + "properties": { + "response_time_seconds": { + "type": "long" + }, + "responses": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "requests": { + "properties": { + "concurrent": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "response_time_seconds": { + "type": "long" + }, + "responses": { + "properties": { + "total": { + "type": "long" + } } } } } } - } - }, - "session": { - "properties": { - "activated": { - "properties": { - "total": { - "type": "long" - } - } - }, - "finished": { - "properties": { - "total": { - "type": "long" - } - } - }, - "session_objects": { - "properties": { - "bytes": { - "properties": { - "total": { - "type": "long" - } + }, + "session": { + "properties": { + "activated": { + "properties": { + "total": { + "type": "long" + } + } + }, + "finished": { + "properties": { + "total": { + "type": "long" + } + } + }, + "session_objects": { + "properties": { + "bytes": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" } - }, - "total": { - "type": "long" } } } - } - }, - "session_manager": { - "properties": { - "activated_non_existent_sessions": { - "type": "long" - }, - "affinity_breaks": { - "type": "long" - }, - "cache_discarded": { - "type": "long" - }, - "external": { - "properties": { - "bytes": { - "properties": { - "read": { - "type": "long" - }, - "written": { - "type": "long" + }, + "session_manager": { + "properties": { + "activated_non_existent_sessions": { + "type": "long" + }, + "affinity_breaks": { + "type": "long" + }, + "cache_discarded": { + "type": "long" + }, + "external": { + "properties": { + "bytes": { + "properties": { + "read": { + "type": "long" + }, + "written": { + "type": "long" + } } - } - }, - "time_seconds": { - "properties": { - "read": { - "type": "long" - }, - "written": { - "type": "long" + }, + "time_seconds": { + "properties": { + "read": { + "type": "long" + }, + "written": { + "type": "long" + } } } } - } - }, - "no_room_for_new_sessions": { - "type": "long" - }, - "persistent_stores": { - "properties": { - "data_read": { - "type": "long" - }, - "data_written": { - "type": "long" - } - } - }, - "sessions": { - "properties": { - "active": { - "type": "long" - }, - "created": { - "type": "long" - }, - "current": { - "type": "long" - }, - "invalidated": { - "properties": { - "by_timeouts": { - "type": "long" - }, - "total": { - "type": "long" - } + }, + "no_room_for_new_sessions": { + "type": "long" + }, + "persistent_stores": { + "properties": { + "data_read": { + "type": "long" + }, + "data_written": { + "type": "long" } - }, - "life_time": { - "type": "long" } + }, + "sessions": { + "properties": { + "active": { + "type": "long" + }, + "created": { + "type": "long" + }, + "current": { + "type": "long" + }, + "invalidated": { + "properties": { + "by_timeouts": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "life_time": { + "type": "long" + } + } + }, + "time_since_session_last_activated": { + "type": "long" } - }, - "time_since_session_last_activated": { - "type": "long" } - } - }, - "system": { - "properties": { - "cpu_utilization": { - "type": "long" - }, - "memory": { - "properties": { - "free_bytes": { - "type": "long" + }, + "system": { + "properties": { + "cpu_utilization": { + "type": "long" + }, + "memory": { + "properties": { + "free_bytes": { + "type": "long" + } } } } - } - }, - "threadpool": { - "properties": { - "active_time_seconds": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "threads": { - "properties": { - "active": { - "type": "long" - }, - "cleared": { - "type": "long" - }, - "stopped": { - "properties": { - "concurrent": { - "type": "long" - }, - "declared": { - "type": "long" + }, + "threadpool": { + "properties": { + "active_time_seconds": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "threads": { + "properties": { + "active": { + "type": "long" + }, + "cleared": { + "type": "long" + }, + "stopped": { + "properties": { + "concurrent": { + "type": "long" + }, + "declared": { + "type": "long" + } } + }, + "total": { + "type": "long" } - }, - "total": { - "type": "long" } - } - }, - "total": { - "properties": { - "active": { - "type": "long" - }, - "created": { - "type": "long" - }, - "destroyed": { - "type": "long" + }, + "total": { + "properties": { + "active": { + "type": "long" + }, + "created": { + "type": "long" + }, + "destroyed": { + "type": "long" + } } } } - } - }, - "transaction_manager": { - "properties": { - "active_transactions": { - "type": "long" - }, - "before_completion": { - "properties": { - "seconds": { - "properties": { - "total": { - "type": "long" + }, + "transaction_manager": { + "properties": { + "active_transactions": { + "type": "long" + }, + "before_completion": { + "properties": { + "seconds": { + "properties": { + "total": { + "type": "long" + } } + }, + "total": { + "type": "long" } - }, - "total": { - "type": "long" } - } - }, - "begun": { - "properties": { - "total": { - "type": "long" + }, + "begun": { + "properties": { + "total": { + "type": "long" + } } - } - }, - "commit": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" + }, + "commit": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } } } } - } - }, - "committed": { - "properties": { - "total": { - "type": "long" - } - } - }, - "global_involved": { - "properties": { - "total": { - "type": "long" - } - } - }, - "global_prepare": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" - } + }, + "committed": { + "properties": { + "total": { + "type": "long" } - }, - "total": { - "type": "long" } - } - }, - "optimization": { - "properties": { - "total": { - "type": "long" + }, + "global_involved": { + "properties": { + "total": { + "type": "long" + } } - } - }, - "rolledback": { - "properties": { - "total": { - "type": "long" + }, + "global_prepare": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total": { + "type": "long" + } } - } - }, - "timedout": { - "properties": { - "total": { - "type": "long" + }, + "optimization": { + "properties": { + "total": { + "type": "long" + } } - } - }, - "transaction": { - "properties": { - "time_seconds": { - "properties": { - "total": { - "type": "long" + }, + "rolledback": { + "properties": { + "total": { + "type": "long" + } + } + }, + "timedout": { + "properties": { + "total": { + "type": "long" + } + } + }, + "transaction": { + "properties": { + "time_seconds": { + "properties": { + "total": { + "type": "long" + } } } } - } - }, - "transactions": { - "properties": { - "total": { - "type": "long" + }, + "transactions": { + "properties": { + "total": { + "type": "long" + } } } } + }, + "transactiontype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "workmanager": { + "ignore_above": 1024, + "type": "keyword" } - }, - "transactiontype": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "workmanager": { - "ignore_above": 1024, - "type": "keyword" } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 3000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-applications" } } diff --git a/plugins/setup/src/main/resources/templates/streams/archives.json b/plugins/setup/src/main/resources/templates/streams/archives.json index 3333aaf1..6f1c2bc6 100644 --- a/plugins/setup/src/main/resources/templates/streams/archives.json +++ b/plugins/setup/src/main/resources/templates/streams/archives.json @@ -1,8334 +1,8337 @@ { "index_patterns": [ - "wazuh-archives-v5-*" + "wazuh-archives-v5*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-archives-v5" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "role": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 2500, - "plugins.index_state_management.rollover_alias": "wazuh-archives-v5" } } diff --git a/plugins/setup/src/main/resources/templates/streams/cloud-services-aws.json b/plugins/setup/src/main/resources/templates/streams/cloud-services-aws.json index 06a123c0..64760f9a 100644 --- a/plugins/setup/src/main/resources/templates/streams/cloud-services-aws.json +++ b/plugins/setup/src/main/resources/templates/streams/cloud-services-aws.json @@ -1,12114 +1,12117 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-aws-*" + "wazuh-events-v5-cloud-services-aws*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 10, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 200, + "mapping.total_fields.limit": 3500, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-aws" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "amazonmq": { - "properties": { - "broker": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "apigateway": { - "properties": { - "api_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "apigateway_api_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_caller": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_domain_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_http_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_request_time": { - "type": "date" - }, - "apigateway_resource_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_response_length": { - "type": "long" - }, - "apigateway_route_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_stage": { - "ignore_above": 1024, - "type": "keyword" - }, - "apigateway_status": { - "type": "long" - }, - "apigateway_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_edge_detailed_result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_edge_location": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_edge_response_result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_edge_result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_forwarded_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudfront_range_end": { - "type": "long" - }, - "cloudfront_range_start": { - "type": "long" - }, - "cloudfront_time_to_first_byte": { - "type": "float" - }, - "cloudtrail_additional_event_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_console_login_additional_event_data_login_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_console_login_additional_event_data_mfa_used": { - "type": "boolean" - }, - "cloudtrail_console_login_additional_event_data_mobile_version": { - "type": "boolean" - }, - "cloudtrail_digest_end_time": { - "type": "date" - }, - "cloudtrail_digest_log_files": { - "type": "nested" - }, - "cloudtrail_digest_newest_event_time": { - "type": "date" - }, - "cloudtrail_digest_oldest_event_time": { - "type": "date" - }, - "cloudtrail_digest_previous_hash_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_digest_previous_s3_bucket": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_digest_public_key_fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_digest_s3_bucket": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_digest_signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_digest_start_time": { - "type": "date" - }, - "cloudtrail_error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_error_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_event_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_event_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_insight_details": { - "type": "object" - }, - "cloudtrail_management_event": { - "type": "boolean" - }, - "cloudtrail_read_only": { - "type": "boolean" - }, - "cloudtrail_recipient_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_request_parameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_resources": { - "type": "nested" - }, - "cloudtrail_response_elements": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_shared_event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_access_key_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_invoked_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_session_context_creation_date": { - "type": "date" - }, - "cloudtrail_user_identity_session_context_mfa_authenticated": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_session_context_session_issuer_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_session_context_session_issuer_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_session_context_session_issuer_principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_session_context_session_issuer_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_user_identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudtrail_vpc_endpoint_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloudwatch": { - "properties": { - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingestion_time": { - "type": "date" - }, - "log_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_stream": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_stream_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "metric": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "long" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "otel_timestamp": { - "type": "long" - }, - "start_timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dimensions": { - "type": "object" - }, - "ec2_ip_address": { - "type": "ip" - }, - "elb_action_executed": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_alpn_be_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_alpn_client_preference_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_alpn_fe_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_backend_http_response_status_code": { - "type": "long" - }, - "elb_backend_ip": { - "type": "ip" - }, - "elb_backend_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_backend_processing_time_sec": { - "type": "float" - }, - "elb_chosen_cert": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elb_chosen_cert_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_chosen_cert_serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_classification_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_connection_time": { - "properties": { - "ms": { - "type": "float" - } - } - }, - "elb_connection_time_ms": { - "type": "float" - }, - "elb_error_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_incoming_tls_alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_leaf_client_cert_not_after": { - "type": "date" - }, - "elb_leaf_client_cert_not_before": { - "type": "date" - }, - "elb_leaf_client_cert_serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_leaf_client_cert_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_listener": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_matched_rule_priority": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_redirect_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_request_processing_time_sec": { - "type": "float" - }, - "elb_response_processing_time_sec": { - "type": "float" - }, - "elb_ssl_cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_ssl_named_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_ssl_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_target_group": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "elb_target_group_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_target_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_target_status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_tls_connection_creation_time": { - "type": "date" - }, - "elb_tls_connection_creation_time_str": { - "type": "date" - }, - "elb_tls_error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_tls_handshake_latency": { - "type": "float" - }, - "elb_tls_handshake_time": { - "properties": { - "ms": { - "type": "float" - } - } - }, - "elb_tls_handshake_time_ms": { - "type": "float" - }, - "elb_tls_verify_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_trace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "elb_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "exporter": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "firehose": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_stream_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_stream_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscription_filters": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "firewall_alert_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall_alert_rev_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall_alert_severity": { - "type": "long" - }, - "firewall_alert_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall_alert_signature_id": { - "type": "long" - }, - "firewall_flow": { - "properties": { - "age": { - "type": "long" - }, - "bytes": { - "type": "long" - }, - "end": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "max_ttl": { - "type": "long" - }, - "min_ttl": { - "type": "long" - }, - "pkts": { - "type": "long" - }, - "start": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "firewall_tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "guardduty": { - "properties": { - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "confidence": { - "type": "float" - }, - "created_at": { - "type": "date" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "partition": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "access_key_details": { - "properties": { - "accesskey_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "container_details": { - "properties": { - "container_runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "prefix": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - }, - "volume_mounts": { - "type": "nested" - } - } - }, - "ebs_volume_details": { - "properties": { - "scanned_volume_details": { - "type": "nested" - }, - "skipped_volume_details": { - "type": "nested" - } - } - }, - "ecs_cluster_details": { - "properties": { - "active_services_count": { - "type": "long" - }, - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_container_instances_count": { - "type": "long" - }, - "running_tasks_count": { - "type": "long" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "type": "nested" - }, - "task_details": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "containers": { - "type": "nested" - }, - "created_at": { - "type": "date" - }, - "definitionarn": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "started_at": { - "type": "date" - }, - "started_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "type": "nested" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "volumes": { - "type": "nested" - } - } - } - } - }, - "eks_cluster_details": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "type": "nested" - }, - "vpcid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance_details": { - "properties": { - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "iaminstance_profile": { - "type": "nested" - }, - "image": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "launch_time": { - "type": "date" - }, - "network_interfaces": { - "type": "nested" - }, - "outpost_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_codes": { - "type": "nested" - }, - "tags": { - "type": "nested" - } - } - }, - "kubernetes_details": { - "properties": { - "kubernetes_user_details": { - "properties": { - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kubernetes_workload_details": { - "properties": { - "containers": { - "type": "nested" - }, - "host_network": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "name_space": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "volumes": { - "type": "nested" - } - } - } - } - }, - "rdsdb_instance_details": { - "properties": { - "cluster_identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "engine": { - "ignore_above": 1024, - "type": "keyword" - }, - "engine_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rdsdb_user_details": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "database": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "s3_bucket_details": { - "type": "nested" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "schema_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "action": { - "properties": { - "dns_request_action": { - "properties": { - "blocked": { - "type": "boolean" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "kubernetes_api_call_action": { - "properties": { - "parameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip_details": { - "properties": { - "city": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "country": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo_location": { - "type": "nested" - }, - "ip_address_v4": { - "type": "ip" - }, - "organization": { - "properties": { - "asn": { - "ignore_above": 1024, - "type": "keyword" - }, - "asnorg": { - "ignore_above": 1024, - "type": "keyword" - }, - "isp": { - "ignore_above": 1024, - "type": "keyword" - }, - "org": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "request_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_ips": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "verb": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "network_connection_action": { - "properties": { - "local_port_details": { - "properties": { - "port": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "remote_ip_details": { - "properties": { - "city": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "country": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo_location": { - "type": "nested" - }, - "ip_address_v4": { - "type": "ip" - }, - "organization": { - "properties": { - "asn": { - "ignore_above": 1024, - "type": "keyword" - }, - "asnorg": { - "ignore_above": 1024, - "type": "keyword" - }, - "isp": { - "ignore_above": 1024, - "type": "keyword" - }, - "org": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "remote_port_details": { - "properties": { - "port": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "long" - } - } - } - } - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "port_probe_action": { - "properties": { - "port_probe_details": { - "type": "nested" - } - } - }, - "rds_login_attempt_action": { - "properties": { - "remote_ip_details": { - "properties": { - "city": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "country": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geo_location": { - "properties": { - "lat": { - "type": "long" - }, - "lon": { - "type": "long" - } - }, - "type": "nested" - }, - "ip_address_v4": { - "type": "ip" - }, - "organization": { - "properties": { - "asn": { - "ignore_above": 1024, - "type": "keyword" - }, - "asnorg": { - "ignore_above": 1024, - "type": "keyword" - }, - "isp": { - "ignore_above": 1024, - "type": "keyword" - }, - "org": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "archived": { - "type": "boolean" - }, - "count": { - "type": "long" - }, - "detector_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "properties": { - "first_seen": { - "type": "date" - }, - "last_seen": { - "type": "date" - } - } - }, - "evidence": { - "properties": { - "threat_intelligence_details": { - "type": "nested" - } - } - }, - "feature_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "runtime_details": { - "properties": { - "context": { - "properties": { - "address_family": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_line_example": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "iana_protocol_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "ld_preload": { - "ignore_above": 1024, - "type": "keyword" - }, - "library_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory_regions": { - "ignore_above": 1024, - "type": "keyword" - }, - "modified_at": { - "type": "date" - }, - "modifying_process": { - "type": "nested" - }, - "module_file_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "module_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "module_sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "release_agent_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "runc_binary_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "script_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "shell_history_file_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "socket_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_process": { - "type": "nested" - }, - "threat_file_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "tool_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "tool_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "euid": { - "type": "long" - }, - "executable_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable_sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "lineage": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace_pid": { - "type": "long" - }, - "parent_uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "pwd": { - "ignore_above": 1024, - "type": "keyword" - }, - "start_time": { - "type": "date" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_id": { - "type": "long" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" } } - } - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - } - } - }, - "inspector": { - "properties": { - "aws_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "finding_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "first_observed_at": { - "type": "date" - }, - "fix_available": { - "ignore_above": 1024, - "type": "keyword" - }, - "inspector_score": { - "type": "float" - }, - "inspector_score_details": { - "properties": { - "adjusted_cvss": { - "properties": { - "adjustments": { - "type": "nested" - }, - "cvss_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "score": { - "properties": { - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "type": "float" - } + }, + "write": { + "properties": { + "bytes": { + "type": "long" } - }, - "scoring_vector": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "last_observed_at": { - "type": "date" - }, - "network_reachability_details": { - "properties": { - "network_path": { - "properties": { - "steps": { - "type": "nested" - } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "open_port_range": { - "properties": { - "begin": { - "type": "long" - }, - "end": { - "type": "long" - } - } - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "package_vulnerability_details": { - "properties": { - "cvss": { - "type": "nested" - }, - "reference_urls": { - "ignore_above": 1024, - "type": "keyword" - }, - "related_vulnerabilities": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "url": { - "type": "nested" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" } }, - "vendor": { - "properties": { - "created_at": { - "type": "date" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } - } - }, - "vulnerability_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vulnerable_packages": { - "type": "nested" - } - } - }, - "remediation": { - "properties": { - "recommendation": { - "properties": { - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "type": "nested" + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "resources": { - "type": "nested" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - } - } - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "kinesis": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "stream": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "lambda": { - "properties": { - "function": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "rds": { - "properties": { - "db_instance_identifier": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "route53": { - "properties": { - "edge_location": { - "ignore_above": 1024, - "type": "keyword" - }, - "edns_client_subnet": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns": { - "properties": { - "answers": { - "type": "nested" - } - } - }, - "domain_list": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "hosted_zone_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "s3": { - "properties": { - "bucket": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "object": { - "properties": { - "e_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequencer": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "type": "date" - }, - "user": { - "properties": { - "identity": { - "properties": { - "principal_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "s3access": { - "properties": { - "access_point_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "aclrequired": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "bucket": { - "ignore_above": 1024, - "type": "keyword" - }, - "bucket_owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes_sent": { - "type": "long" - }, - "cipher_suite": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_header": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status": { - "type": "long" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_size": { - "type": "long" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_ip": { - "type": "ip" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "requester": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "tls_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_time": { - "type": "long" - }, - "turn_around_time": { - "type": "long" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "securityhub_findings": { - "properties": { - "action": { - "properties": { - "aws_api_call": { - "properties": { - "affected_resources": { - "type": "nested" - }, - "api": { - "ignore_above": 1024, - "type": "keyword" - }, - "caller": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain_details": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "remote_ip": { - "properties": { - "city": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "country": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geolocation": { - "properties": { - "latitude": { - "type": "float" - }, - "longitude": { - "type": "float" - } - } - }, - "ip": { - "properties": { - "address_v4": { - "type": "ip" - } - } - }, - "organization": { - "properties": { - "asn": { - "ignore_above": 1024, - "type": "keyword" - }, - "asn_organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "internet_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "internet_service_provider": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "dns_request": { - "properties": { - "blocked": { - "type": "boolean" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "network_connection": { - "properties": { - "blocked": { - "type": "boolean" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "local": { - "properties": { - "port": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "type": "long" - } - } - } - } - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote": { - "properties": { - "port": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "type": "long" - } - } - } - } - }, - "remote_ip": { - "properties": { - "city": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "country": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "geolocation": { - "properties": { - "latitude": { - "type": "float" - }, - "longitude": { - "type": "float" - } - } - }, - "ip": { - "properties": { - "address_v4": { - "type": "ip" - } - } - }, - "organization": { - "properties": { - "asn": { - "ignore_above": 1024, - "type": "keyword" - }, - "asn_organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "internet_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "internet_service_provider": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "port_probe": { - "properties": { - "blocked": { - "type": "boolean" - }, - "details": { - "type": "nested" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "aws_account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "compliance": { - "properties": { - "related_requirements": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_control_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_reasons": { - "type": "nested" - } - } - }, - "confidence": { - "type": "long" - }, - "created_at": { - "type": "date" - }, - "criticality": { - "type": "long" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "first_observed_at": { - "type": "date" - }, - "generator": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_observed_at": { - "type": "date" - }, - "malware": { - "type": "nested" - }, - "network": { - "properties": { - "destination": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "properties": { - "v4": { - "type": "ip" - }, - "v6": { - "type": "ip" - } - } - }, - "port": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "open_port_range": { - "properties": { - "begin": { - "type": "long" - }, - "end": { - "type": "long" - } - } - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "properties": { - "v4": { - "type": "ip" - }, - "v6": { - "type": "ip" - } - } - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "network_path": { - "type": "nested" - }, - "note": { - "properties": { - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - }, - "updated_by": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "patch_summary": { - "properties": { - "failed": { - "properties": { - "count": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "properties": { - "count": { - "ignore_above": 1024, - "type": "keyword" - }, - "other": { - "properties": { - "count": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pending_reboot": { - "ignore_above": 1024, - "type": "keyword" - }, - "rejected": { - "properties": { - "count": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "missing": { - "properties": { - "count": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "end_time": { - "type": "date" - }, - "start_time": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "reboot_option": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "launched_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "pid": { - "type": "long" - } - } - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "terminated_at": { - "type": "date" - } - } - }, - "product": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "fields": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider_fields": { - "properties": { - "confidence": { - "type": "long" - }, - "criticality": { - "type": "long" - }, - "related_findings": { - "type": "nested" - }, - "severity": { - "properties": { - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "normalized": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "record_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "related_findings": { - "type": "nested" - }, - "remediation": { - "properties": { - "recommendation": { - "properties": { - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "resources": { - "type": "nested" - }, - "sample": { - "type": "boolean" - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "properties": { - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "normalized": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_intel_indicators": { - "type": "nested" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "types": { - "ignore_above": 1024, - "type": "keyword" - }, - "updated_at": { - "type": "date" - }, - "user_defined_fields": { - "type": "nested" - }, - "verification_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "vulnerabilities": { - "type": "nested" - }, - "workflow": { - "properties": { - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "securityhub_insights": { - "properties": { - "filters": { - "properties": { - "aws_account_id": { - "type": "nested" - }, - "company": { - "properties": { - "name": { - "type": "nested" - } - } - }, - "compliance": { - "properties": { - "status": { - "type": "nested" - } - } - }, - "confidence": { - "type": "nested" - }, - "created_at": { - "type": "nested" - }, - "criticality": { - "type": "nested" - }, - "description": { - "type": "nested" - }, - "finding_provider_fields": { - "properties": { - "confidence": { - "type": "nested" - }, - "criticality": { - "type": "nested" - }, - "related_findings": { - "properties": { - "id": { - "type": "nested" - }, - "product": { - "properties": { - "arn": { - "type": "nested" - } - } - } - } - }, - "severity": { - "properties": { - "label": { - "type": "nested" - }, - "original": { - "type": "nested" - } - } - }, - "types": { - "type": "nested" - } - } - }, - "first_observed_at": { - "type": "nested" - }, - "generator": { - "properties": { - "id": { - "type": "nested" - } - } - }, - "id": { - "type": "nested" - }, - "keyword": { - "type": "nested" - }, - "last_observed_at": { - "type": "nested" - }, - "malware": { - "properties": { - "name": { - "type": "nested" - }, - "path": { - "type": "nested" - }, - "state": { - "type": "nested" - }, - "type": { - "type": "nested" - } - } - }, - "network": { - "properties": { - "destination": { - "properties": { - "domain": { - "type": "nested" - }, - "ip": { - "properties": { - "v4": { - "type": "nested" - }, - "v6": { - "type": "nested" - } - } - }, - "port": { - "type": "nested" - } - } - }, - "direction": { - "type": "nested" - }, - "protocol": { - "type": "nested" - }, - "source": { - "properties": { - "domain": { - "type": "nested" - }, - "ip": { - "properties": { - "v4": { - "type": "nested" - }, - "v6": { - "type": "nested" - } - } - }, - "mac": { - "type": "nested" - }, - "port": { - "type": "nested" - } - } - } - } - }, - "note": { - "properties": { - "text": { - "type": "nested" - }, - "updated_at": { - "type": "nested" - }, - "updated_by": { - "type": "nested" - } - } - }, - "process": { - "properties": { - "launched_at": { - "type": "nested" - }, - "name": { - "type": "nested" - }, - "parent": { - "properties": { - "pid": { - "type": "nested" - } - } - }, - "path": { - "type": "nested" - }, - "pid": { - "type": "nested" - }, - "terminated_at": { - "type": "nested" - } - } - }, - "product": { - "properties": { - "arn": { - "type": "nested" - }, - "fields": { - "type": "nested" - }, - "name": { - "type": "nested" - } - } - }, - "recommendation_text": { - "type": "nested" - }, - "record_state": { - "type": "nested" - }, - "region": { - "type": "nested" - }, - "related_findings": { - "properties": { - "id": { - "type": "nested" - }, - "product": { - "properties": { - "arn": { - "type": "nested" - } - } - } - } - }, - "resource": { - "properties": { - "aws_ec2_instance": { - "properties": { - "iam_instance_profile": { - "properties": { - "arn": { - "type": "nested" - } - } - }, - "image": { - "properties": { - "id": { - "type": "nested" - } - } - }, - "ip": { - "properties": { - "v4_addresses": { - "type": "nested" - }, - "v6_addresses": { - "type": "nested" - } - } - }, - "key": { - "properties": { - "name": { - "type": "nested" - } - } - }, - "launched_at": { - "type": "nested" - }, - "subnet": { - "properties": { - "id": { - "type": "nested" - } - } - }, - "type": { - "type": "nested" - }, - "vpc": { - "properties": { - "id": { - "type": "nested" - } - } - } - } - }, - "aws_iam_access_key": { - "properties": { - "created_at": { - "type": "nested" - }, - "principal": { - "properties": { - "name": { - "type": "nested" - } - } - }, - "status": { - "type": "nested" - }, - "user": { - "properties": { - "name": { - "type": "nested" - } - } - } - } - }, - "aws_iam_user": { - "properties": { - "user": { - "properties": { - "name": { - "type": "nested" - } - } - } - } - }, - "aws_s3_bucket": { - "properties": { - "owner": { - "properties": { - "id": { - "type": "nested" - }, - "name": { - "type": "nested" - } - } - } - } - }, - "container": { - "properties": { - "image": { - "properties": { - "id": { - "type": "nested" - }, - "name": { - "type": "nested" - } - } - }, - "launched_at": { - "type": "nested" - }, - "name": { - "type": "nested" - } - } - }, - "details_other": { - "type": "nested" - }, - "id": { - "type": "nested" - }, - "partition": { - "type": "nested" - }, - "region": { - "type": "nested" - }, - "tags": { - "type": "nested" - }, - "type": { - "type": "nested" - } - } - }, - "sample": { - "type": "nested" - }, - "severity": { - "properties": { - "label": { - "type": "nested" - }, - "normalized": { - "type": "nested" - }, - "product": { - "type": "nested" - } - } - }, - "source_url": { - "type": "nested" - }, - "threat_intel_indicator": { - "properties": { - "category": { - "type": "nested" - }, - "last_observed_at": { - "type": "nested" - }, - "source": { - "type": "nested" - }, - "source_url": { - "type": "nested" - }, - "type": { - "type": "nested" - }, - "value": { - "type": "nested" - } - } - }, - "title": { - "type": "nested" - }, - "type": { - "type": "nested" - }, - "updated_at": { - "type": "nested" - }, - "user_defined_fields": { - "type": "nested" - }, - "verification": { - "properties": { - "state": { - "type": "nested" - } - } - }, - "workflow": { - "properties": { - "state": { - "type": "nested" - }, - "status": { - "type": "nested" - } - } - } - } - }, - "group_by_attribute": { - "ignore_above": 1024, - "type": "keyword" - }, - "insight_arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpcflow": { - "properties": { - "account_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "pkt_dst_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "pkt_dstaddr": { - "type": "ip" - }, - "pkt_src_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "pkt_srcaddr": { - "type": "ip" - }, - "sublocation": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subnet_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags_array": { - "ignore_above": 1024, - "type": "keyword" - }, - "traffic_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "waf": { - "properties": { - "arn": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "non_terminating_matching_rules": { - "type": "nested" - }, - "rate_based_rule_list": { - "type": "nested" - }, - "request": { - "properties": { - "headers": { - "type": "nested" - } - } - }, - "rule": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule_group_list": { - "type": "nested" - }, - "source": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "terminating_matching_rule": { - "type": "nested" - }, - "terminating_rule_match_details": { - "type": "nested" - } - } - } - } - }, - "aws_bedrock": { - "properties": { - "invocation": { - "properties": { - "compliance": { - "properties": { - "violation_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "violation_detected": { - "type": "boolean" - } - } - }, - "input": { - "properties": { - "input_body_json": { - "ignore_above": 1024, - "type": "keyword" - }, - "input_body_s3_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "input_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "input_token_count": { - "type": "long" - } - } - }, - "model": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "model_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "output": { - "properties": { - "completion_text": { - "ignore_above": 1024, - "type": "keyword" - }, - "output_body_json": { - "ignore_above": 1024, - "type": "keyword" - }, - "output_body_s3_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "output_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "output_token_count": { - "type": "long" - } - } - }, - "performance": { - "properties": { - "response_time": { - "type": "long" - } - } - }, - "policy": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "violation": { - "type": "object" - } - } - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "properties": { - "timestamp": { - "type": "date" - } - } - }, - "schema_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "schema_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "aws": { + "properties": { + "amazonmq": { + "properties": { + "broker": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } + "queue": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "apigateway": { + "properties": { + "api_id": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } + "apigateway_api_id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } + "apigateway_caller": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ocsf": { - "properties": { - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "actor": { - "properties": { - "process": { - "properties": { - "created_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "api": { - "properties": { - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "properties": { - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "error": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_message": { - "norms": false, - "type": "text" - } - } - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "category_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "class_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "class_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "properties": { - "org": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ou_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ou_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "compliance": { - "properties": { - "control": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirements": { - "type": "nested" - }, - "standards": { - "type": "nested" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_id": { - "type": "long" - } - } - }, - "connection_info": { - "properties": { - "boundary": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction_id": { - "type": "long" - }, - "protocol_ver": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "count": { - "type": "long" - }, - "device": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "type_id": { - "type": "long" - } - } - }, - "dst_endpoint": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "properties": { - "accessed_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "modified_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_folder": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "finding": { - "properties": { - "created_time": { - "type": "date" - }, - "desc": { - "norms": false, - "type": "text" - }, - "first_seen_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_seen_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "modified_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_request": { - "properties": { - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "http_response": { - "properties": { - "message": { - "norms": false, - "type": "text" - } - } - }, - "malware": { - "properties": { - "classification_ids": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "correlation_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "logged_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "processed_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence": { - "type": "long" - }, - "tenant_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "group": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity_id": { - "type": "long" - }, - "src_endpoint": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_id": { - "type": "long" - }, - "time": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone_offset": { - "type": "long" - }, - "traffic": { - "properties": { - "bytes": { - "type": "long" - }, - "bytes_in": { - "type": "long" - }, - "bytes_out": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "packets_in": { - "type": "long" - }, - "packets_out": { - "type": "long" - } - } - }, - "type_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "account": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "credential_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "email_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type_id": { - "type": "long" - } - } - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "apigateway_connection_id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "apigateway_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_http_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_request_time": { + "type": "date" + }, + "apigateway_resource_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_response_length": { + "type": "long" + }, + "apigateway_route_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_stage": { + "ignore_above": 1024, + "type": "keyword" + }, + "apigateway_status": { + "type": "long" + }, + "apigateway_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_edge_detailed_result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_edge_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_edge_response_result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_edge_result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_forwarded_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudfront_range_end": { + "type": "long" + }, + "cloudfront_range_start": { + "type": "long" + }, + "cloudfront_time_to_first_byte": { + "type": "float" + }, + "cloudtrail_additional_event_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_console_login_additional_event_data_login_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_console_login_additional_event_data_mfa_used": { + "type": "boolean" + }, + "cloudtrail_console_login_additional_event_data_mobile_version": { + "type": "boolean" + }, + "cloudtrail_digest_end_time": { + "type": "date" + }, + "cloudtrail_digest_log_files": { + "type": "nested" + }, + "cloudtrail_digest_newest_event_time": { + "type": "date" + }, + "cloudtrail_digest_oldest_event_time": { + "type": "date" + }, + "cloudtrail_digest_previous_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_digest_previous_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_digest_public_key_fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_digest_s3_bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_digest_signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_digest_start_time": { + "type": "date" + }, + "cloudtrail_error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_event_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_event_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_insight_details": { + "type": "object" + }, + "cloudtrail_management_event": { + "type": "boolean" + }, + "cloudtrail_read_only": { + "type": "boolean" + }, + "cloudtrail_recipient_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_request_parameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_resources": { + "type": "nested" + }, + "cloudtrail_response_elements": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_shared_event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_access_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_invoked_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_session_context_creation_date": { + "type": "date" + }, + "cloudtrail_user_identity_session_context_mfa_authenticated": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_session_context_session_issuer_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_session_context_session_issuer_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_session_context_session_issuer_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_session_context_session_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_user_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudtrail_vpc_endpoint_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloudwatch": { + "properties": { + "event_id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "ingestion_time": { + "type": "date" + }, + "log_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_stream_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "metric": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "value": { + "type": "long" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "otel_timestamp": { + "type": "long" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "start_timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "dimensions": { + "type": "object" + }, + "ec2_ip_address": { + "type": "ip" + }, + "elb_action_executed": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_alpn_be_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_alpn_client_preference_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_alpn_fe_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_backend_http_response_status_code": { + "type": "long" + }, + "elb_backend_ip": { + "type": "ip" + }, + "elb_backend_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_backend_processing_time_sec": { + "type": "float" + }, + "elb_chosen_cert": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "elb_chosen_cert_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_chosen_cert_serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_connection_time": { + "properties": { + "ms": { + "type": "float" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + }, + "elb_connection_time_ms": { + "type": "float" + }, + "elb_error_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_incoming_tls_alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_leaf_client_cert_not_after": { + "type": "date" + }, + "elb_leaf_client_cert_not_before": { + "type": "date" + }, + "elb_leaf_client_cert_serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_leaf_client_cert_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_matched_rule_priority": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_redirect_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_request_processing_time_sec": { + "type": "float" + }, + "elb_response_processing_time_sec": { + "type": "float" + }, + "elb_ssl_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_ssl_named_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_ssl_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_target_group": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" + }, + "elb_target_group_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_target_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_target_status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_tls_connection_creation_time": { + "type": "date" + }, + "elb_tls_connection_creation_time_str": { + "type": "date" + }, + "elb_tls_error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_tls_handshake_latency": { + "type": "float" + }, + "elb_tls_handshake_time": { + "properties": { + "ms": { + "type": "float" + } } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "elb_tls_handshake_time_ms": { + "type": "float" + }, + "elb_tls_verify_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "elb_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "exporter": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "firehose": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_stream_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_stream_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscription_filters": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "firewall_alert_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall_alert_rev_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall_alert_severity": { + "type": "long" + }, + "firewall_alert_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall_alert_signature_id": { + "type": "long" + }, + "firewall_flow": { + "properties": { + "age": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "end": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "max_ttl": { + "type": "long" + }, + "min_ttl": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "start": { + "ignore_above": 1024, + "type": "keyword" } }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "type": "nested" + }, + "firewall_tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "guardduty": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence": { + "type": "float" + }, + "created_at": { + "type": "date" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "partition": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "access_key_details": { + "properties": { + "accesskey_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + } + } + }, + "container_details": { + "properties": { + "container_runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" + "volume_mounts": { + "type": "nested" + } } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" + }, + "ebs_volume_details": { + "properties": { + "scanned_volume_details": { + "type": "nested" + }, + "skipped_volume_details": { + "type": "nested" + } } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + }, + "ecs_cluster_details": { + "properties": { + "active_services_count": { + "type": "long" + }, + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_container_instances_count": { + "type": "long" + }, + "running_tasks_count": { + "type": "long" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "type": "nested" + }, + "task_details": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "containers": { + "type": "nested" + }, + "created_at": { + "type": "date" + }, + "definitionarn": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "started_at": { + "type": "date" + }, + "started_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "type": "nested" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "volumes": { + "type": "nested" + } + } + } + } + }, + "eks_cluster_details": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "type": "nested" + }, + "vpcid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "instance_details": { + "properties": { + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "iaminstance_profile": { + "type": "nested" + }, + "image": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "launch_time": { + "type": "date" + }, + "network_interfaces": { + "type": "nested" + }, + "outpost_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_codes": { + "type": "nested" + }, + "tags": { + "type": "nested" + } } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "kubernetes_details": { + "properties": { + "kubernetes_user_details": { + "properties": { + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes_workload_details": { + "properties": { + "containers": { + "type": "nested" + }, + "host_network": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "name_space": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "volumes": { + "type": "nested" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "rdsdb_instance_details": { + "properties": { + "cluster_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine": { + "ignore_above": 1024, + "type": "keyword" + }, + "engine_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rdsdb_user_details": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "database": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3_bucket_details": { + "type": "nested" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "schema_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "action": { + "properties": { + "dns_request_action": { + "properties": { + "blocked": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "kubernetes_api_call_action": { + "properties": { + "parameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip_details": { + "properties": { + "city": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "country": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo_location": { + "type": "nested" + }, + "ip_address_v4": { + "type": "ip" + }, + "organization": { + "properties": { + "asn": { + "ignore_above": 1024, + "type": "keyword" + }, + "asnorg": { + "ignore_above": 1024, + "type": "keyword" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_ips": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "verb": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network_connection_action": { + "properties": { + "local_port_details": { + "properties": { + "port": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "remote_ip_details": { + "properties": { + "city": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "country": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo_location": { + "type": "nested" + }, + "ip_address_v4": { + "type": "ip" + }, + "organization": { + "properties": { + "asn": { + "ignore_above": 1024, + "type": "keyword" + }, + "asnorg": { + "ignore_above": 1024, + "type": "keyword" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "remote_port_details": { + "properties": { + "port": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "long" + } + } + } + } + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "port_probe_action": { + "properties": { + "port_probe_details": { + "type": "nested" + } + } + }, + "rds_login_attempt_action": { + "properties": { + "remote_ip_details": { + "properties": { + "city": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "country": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geo_location": { + "properties": { + "lat": { + "type": "long" + }, + "lon": { + "type": "long" + } + }, + "type": "nested" + }, + "ip_address_v4": { + "type": "ip" + }, + "organization": { + "properties": { + "asn": { + "ignore_above": 1024, + "type": "keyword" + }, + "asnorg": { + "ignore_above": 1024, + "type": "keyword" + }, + "isp": { + "ignore_above": 1024, + "type": "keyword" + }, + "org": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "archived": { + "type": "boolean" + }, + "count": { + "type": "long" + }, + "detector_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "properties": { + "first_seen": { + "type": "date" + }, + "last_seen": { + "type": "date" + } + } + }, + "evidence": { + "properties": { + "threat_intelligence_details": { + "type": "nested" + } + } + }, + "feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "runtime_details": { + "properties": { + "context": { + "properties": { + "address_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_line_example": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "iana_protocol_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "ld_preload": { + "ignore_above": 1024, + "type": "keyword" + }, + "library_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory_regions": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_at": { + "type": "date" + }, + "modifying_process": { + "type": "nested" + }, + "module_file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "module_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "module_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "release_agent_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "runc_binary_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "script_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "shell_history_file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "socket_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_process": { + "type": "nested" + }, + "threat_file_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "tool_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "tool_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "euid": { + "type": "long" + }, + "executable_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "lineage": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace_pid": { + "type": "long" + }, + "parent_uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "pwd": { + "ignore_above": 1024, + "type": "keyword" + }, + "start_time": { + "type": "date" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "type": "long" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "inspector": { + "properties": { + "aws_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "finding_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_observed_at": { + "type": "date" + }, + "fix_available": { + "ignore_above": 1024, + "type": "keyword" + }, + "inspector_score": { + "type": "float" + }, + "inspector_score_details": { + "properties": { + "adjusted_cvss": { + "properties": { + "adjustments": { + "type": "nested" + }, + "cvss_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "score": { + "properties": { + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "type": "float" + } + } + }, + "scoring_vector": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "last_observed_at": { + "type": "date" + }, + "network_reachability_details": { + "properties": { + "network_path": { + "properties": { + "steps": { + "type": "nested" + } + } + }, + "open_port_range": { + "properties": { + "begin": { + "type": "long" + }, + "end": { + "type": "long" + } + } + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package_vulnerability_details": { + "properties": { + "cvss": { + "type": "nested" + }, + "reference_urls": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_vulnerabilities": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "url": { + "type": "nested" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vendor": { + "properties": { + "created_at": { + "type": "date" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "vulnerability_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnerable_packages": { + "type": "nested" + } + } + }, + "remediation": { + "properties": { + "recommendation": { + "properties": { + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "type": "nested" + } + } + } + } + }, + "resources": { + "type": "nested" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + } + } + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "kinesis": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "stream": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "lambda": { + "properties": { + "function": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "rds": { + "properties": { + "db_instance_identifier": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "route53": { + "properties": { + "edge_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "edns_client_subnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns": { + "properties": { + "answers": { + "type": "nested" + } + } + }, + "domain_list": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "hosted_zone_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "s3": { + "properties": { + "bucket": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "properties": { + "e_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequencer": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "type": "date" + }, + "user": { + "properties": { + "identity": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" + } } } } } + } + }, + "s3access": { + "properties": { + "access_point_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "aclrequired": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket": { + "ignore_above": 1024, + "type": "keyword" + }, + "bucket_owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_sent": { + "type": "long" + }, + "cipher_suite": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_header": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status": { + "type": "long" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_size": { + "type": "long" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_ip": { + "type": "ip" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "requester": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tls_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_time": { + "type": "long" + }, + "turn_around_time": { + "type": "long" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "securityhub_findings": { + "properties": { + "action": { + "properties": { + "aws_api_call": { + "properties": { + "affected_resources": { + "type": "nested" + }, + "api": { + "ignore_above": 1024, + "type": "keyword" + }, + "caller": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain_details": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "remote_ip": { + "properties": { + "city": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "country": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geolocation": { + "properties": { + "latitude": { + "type": "float" + }, + "longitude": { + "type": "float" + } + } + }, + "ip": { + "properties": { + "address_v4": { + "type": "ip" + } + } + }, + "organization": { + "properties": { + "asn": { + "ignore_above": 1024, + "type": "keyword" + }, + "asn_organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "internet_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "internet_service_provider": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dns_request": { + "properties": { + "blocked": { + "type": "boolean" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network_connection": { + "properties": { + "blocked": { + "type": "boolean" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "local": { + "properties": { + "port": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "type": "long" + } + } + } + } + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "properties": { + "port": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "type": "long" + } + } + } + } + }, + "remote_ip": { + "properties": { + "city": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "country": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "geolocation": { + "properties": { + "latitude": { + "type": "float" + }, + "longitude": { + "type": "float" + } + } + }, + "ip": { + "properties": { + "address_v4": { + "type": "ip" + } + } + }, + "organization": { + "properties": { + "asn": { + "ignore_above": 1024, + "type": "keyword" + }, + "asn_organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "internet_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "internet_service_provider": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "port_probe": { + "properties": { + "blocked": { + "type": "boolean" + }, + "details": { + "type": "nested" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "aws_account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compliance": { + "properties": { + "related_requirements": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_control_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_reasons": { + "type": "nested" + } + } + }, + "confidence": { + "type": "long" + }, + "created_at": { + "type": "date" + }, + "criticality": { + "type": "long" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "first_observed_at": { + "type": "date" + }, + "generator": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_observed_at": { + "type": "date" + }, + "malware": { + "type": "nested" + }, + "network": { + "properties": { + "destination": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "properties": { + "v4": { + "type": "ip" + }, + "v6": { + "type": "ip" + } + } + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "open_port_range": { + "properties": { + "begin": { + "type": "long" + }, + "end": { + "type": "long" + } + } + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "properties": { + "v4": { + "type": "ip" + }, + "v6": { + "type": "ip" + } + } + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "network_path": { + "type": "nested" + }, + "note": { + "properties": { + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "updated_by": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "patch_summary": { + "properties": { + "failed": { + "properties": { + "count": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "properties": { + "count": { + "ignore_above": 1024, + "type": "keyword" + }, + "other": { + "properties": { + "count": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pending_reboot": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejected": { + "properties": { + "count": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "missing": { + "properties": { + "count": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "end_time": { + "type": "date" + }, + "start_time": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "reboot_option": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "launched_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "pid": { + "type": "long" + } + } + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "terminated_at": { + "type": "date" + } + } + }, + "product": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fields": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider_fields": { + "properties": { + "confidence": { + "type": "long" + }, + "criticality": { + "type": "long" + }, + "related_findings": { + "type": "nested" + }, + "severity": { + "properties": { + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "normalized": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "record_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_findings": { + "type": "nested" + }, + "remediation": { + "properties": { + "recommendation": { + "properties": { + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "resources": { + "type": "nested" + }, + "sample": { + "type": "boolean" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "properties": { + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "normalized": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_intel_indicators": { + "type": "nested" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "types": { + "ignore_above": 1024, + "type": "keyword" + }, + "updated_at": { + "type": "date" + }, + "user_defined_fields": { + "type": "nested" + }, + "verification_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnerabilities": { + "type": "nested" + }, + "workflow": { + "properties": { + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "securityhub_insights": { + "properties": { + "filters": { + "properties": { + "aws_account_id": { + "type": "nested" + }, + "company": { + "properties": { + "name": { + "type": "nested" + } + } + }, + "compliance": { + "properties": { + "status": { + "type": "nested" + } + } + }, + "confidence": { + "type": "nested" + }, + "created_at": { + "type": "nested" + }, + "criticality": { + "type": "nested" + }, + "description": { + "type": "nested" + }, + "finding_provider_fields": { + "properties": { + "confidence": { + "type": "nested" + }, + "criticality": { + "type": "nested" + }, + "related_findings": { + "properties": { + "id": { + "type": "nested" + }, + "product": { + "properties": { + "arn": { + "type": "nested" + } + } + } + } + }, + "severity": { + "properties": { + "label": { + "type": "nested" + }, + "original": { + "type": "nested" + } + } + }, + "types": { + "type": "nested" + } + } + }, + "first_observed_at": { + "type": "nested" + }, + "generator": { + "properties": { + "id": { + "type": "nested" + } + } + }, + "id": { + "type": "nested" + }, + "keyword": { + "type": "nested" + }, + "last_observed_at": { + "type": "nested" + }, + "malware": { + "properties": { + "name": { + "type": "nested" + }, + "path": { + "type": "nested" + }, + "state": { + "type": "nested" + }, + "type": { + "type": "nested" + } + } + }, + "network": { + "properties": { + "destination": { + "properties": { + "domain": { + "type": "nested" + }, + "ip": { + "properties": { + "v4": { + "type": "nested" + }, + "v6": { + "type": "nested" + } + } + }, + "port": { + "type": "nested" + } + } + }, + "direction": { + "type": "nested" + }, + "protocol": { + "type": "nested" + }, + "source": { + "properties": { + "domain": { + "type": "nested" + }, + "ip": { + "properties": { + "v4": { + "type": "nested" + }, + "v6": { + "type": "nested" + } + } + }, + "mac": { + "type": "nested" + }, + "port": { + "type": "nested" + } + } + } + } + }, + "note": { + "properties": { + "text": { + "type": "nested" + }, + "updated_at": { + "type": "nested" + }, + "updated_by": { + "type": "nested" + } + } + }, + "process": { + "properties": { + "launched_at": { + "type": "nested" + }, + "name": { + "type": "nested" + }, + "parent": { + "properties": { + "pid": { + "type": "nested" + } + } + }, + "path": { + "type": "nested" + }, + "pid": { + "type": "nested" + }, + "terminated_at": { + "type": "nested" + } + } + }, + "product": { + "properties": { + "arn": { + "type": "nested" + }, + "fields": { + "type": "nested" + }, + "name": { + "type": "nested" + } + } + }, + "recommendation_text": { + "type": "nested" + }, + "record_state": { + "type": "nested" + }, + "region": { + "type": "nested" + }, + "related_findings": { + "properties": { + "id": { + "type": "nested" + }, + "product": { + "properties": { + "arn": { + "type": "nested" + } + } + } + } + }, + "resource": { + "properties": { + "aws_ec2_instance": { + "properties": { + "iam_instance_profile": { + "properties": { + "arn": { + "type": "nested" + } + } + }, + "image": { + "properties": { + "id": { + "type": "nested" + } + } + }, + "ip": { + "properties": { + "v4_addresses": { + "type": "nested" + }, + "v6_addresses": { + "type": "nested" + } + } + }, + "key": { + "properties": { + "name": { + "type": "nested" + } + } + }, + "launched_at": { + "type": "nested" + }, + "subnet": { + "properties": { + "id": { + "type": "nested" + } + } + }, + "type": { + "type": "nested" + }, + "vpc": { + "properties": { + "id": { + "type": "nested" + } + } + } + } + }, + "aws_iam_access_key": { + "properties": { + "created_at": { + "type": "nested" + }, + "principal": { + "properties": { + "name": { + "type": "nested" + } + } + }, + "status": { + "type": "nested" + }, + "user": { + "properties": { + "name": { + "type": "nested" + } + } + } + } + }, + "aws_iam_user": { + "properties": { + "user": { + "properties": { + "name": { + "type": "nested" + } + } + } + } + }, + "aws_s3_bucket": { + "properties": { + "owner": { + "properties": { + "id": { + "type": "nested" + }, + "name": { + "type": "nested" + } + } + } + } + }, + "container": { + "properties": { + "image": { + "properties": { + "id": { + "type": "nested" + }, + "name": { + "type": "nested" + } + } + }, + "launched_at": { + "type": "nested" + }, + "name": { + "type": "nested" + } + } + }, + "details_other": { + "type": "nested" + }, + "id": { + "type": "nested" + }, + "partition": { + "type": "nested" + }, + "region": { + "type": "nested" + }, + "tags": { + "type": "nested" + }, + "type": { + "type": "nested" + } + } + }, + "sample": { + "type": "nested" + }, + "severity": { + "properties": { + "label": { + "type": "nested" + }, + "normalized": { + "type": "nested" + }, + "product": { + "type": "nested" + } + } + }, + "source_url": { + "type": "nested" + }, + "threat_intel_indicator": { + "properties": { + "category": { + "type": "nested" + }, + "last_observed_at": { + "type": "nested" + }, + "source": { + "type": "nested" + }, + "source_url": { + "type": "nested" + }, + "type": { + "type": "nested" + }, + "value": { + "type": "nested" + } + } + }, + "title": { + "type": "nested" + }, + "type": { + "type": "nested" + }, + "updated_at": { + "type": "nested" + }, + "user_defined_fields": { + "type": "nested" + }, + "verification": { + "properties": { + "state": { + "type": "nested" + } + } + }, + "workflow": { + "properties": { + "state": { + "type": "nested" + }, + "status": { + "type": "nested" + } + } + } + } + }, + "group_by_attribute": { + "ignore_above": 1024, + "type": "keyword" + }, + "insight_arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpcflow": { + "properties": { + "account_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dst_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_dstaddr": { + "type": "ip" + }, + "pkt_src_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "pkt_srcaddr": { + "type": "ip" + }, + "sublocation": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subnet_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags_array": { + "ignore_above": 1024, + "type": "keyword" + }, + "traffic_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "waf": { + "properties": { + "arn": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "non_terminating_matching_rules": { + "type": "nested" + }, + "rate_based_rule_list": { + "type": "nested" + }, + "request": { + "properties": { + "headers": { + "type": "nested" + } + } + }, + "rule": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_group_list": { + "type": "nested" + }, + "source": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "terminating_matching_rule": { + "type": "nested" + }, + "terminating_rule_match_details": { + "type": "nested" + } + } + } + } + }, + "aws_bedrock": { + "properties": { + "invocation": { + "properties": { + "compliance": { + "properties": { + "violation_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "violation_detected": { + "type": "boolean" + } + } + }, + "input": { + "properties": { + "input_body_json": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_body_s3_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "input_token_count": { + "type": "long" + } + } + }, + "model": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "model_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "output": { + "properties": { + "completion_text": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_body_json": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_body_s3_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "output_token_count": { + "type": "long" + } + } + }, + "performance": { + "properties": { + "response_time": { + "type": "long" + } + } + }, + "policy": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "violation": { + "type": "object" + } + } + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "timestamp": { + "type": "date" + } + } + }, + "schema_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } } } }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } }, - "modified_at": { - "type": "date" + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ocsf": { + "properties": { + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "actor": { + "properties": { + "process": { + "properties": { + "created_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "api": { + "properties": { + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "properties": { + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "error": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "norms": false, + "type": "text" + } + } + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "category_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "class_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "properties": { + "org": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ou_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ou_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "compliance": { + "properties": { + "control": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirements": { + "type": "nested" + }, + "standards": { + "type": "nested" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_id": { + "type": "long" + } + } + }, + "connection_info": { + "properties": { + "boundary": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction_id": { + "type": "long" + }, + "protocol_ver": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "count": { + "type": "long" + }, + "device": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "type_id": { + "type": "long" + } + } + }, + "dst_endpoint": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "properties": { + "accessed_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_folder": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "finding": { + "properties": { + "created_time": { + "type": "date" + }, + "desc": { + "norms": false, + "type": "text" + }, + "first_seen_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_seen_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_request": { + "properties": { + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "http_response": { + "properties": { + "message": { + "norms": false, + "type": "text" + } + } + }, + "malware": { + "properties": { + "classification_ids": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "properties": { + "correlation_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "logged_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "processed_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sequence": { + "type": "long" + }, + "tenant_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "group": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity_id": { + "type": "long" + }, + "src_endpoint": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_id": { + "type": "long" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone_offset": { + "type": "long" + }, + "traffic": { + "properties": { + "bytes": { + "type": "long" + }, + "bytes_in": { + "type": "long" + }, + "bytes_out": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "packets_in": { + "type": "long" + }, + "packets_out": { + "type": "long" + } + } + }, + "type_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "account": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "credential_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "email_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type_id": { + "type": "long" + } + } + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "not_after": { - "type": "date" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } }, - "not_before": { - "type": "date" + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "locality": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" } } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 10, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 200, - "mapping.total_fields.limit": 3500, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-aws" } } diff --git a/plugins/setup/src/main/resources/templates/streams/cloud-services-azure.json b/plugins/setup/src/main/resources/templates/streams/cloud-services-azure.json index 5464c811..14e4dcfa 100644 --- a/plugins/setup/src/main/resources/templates/streams/cloud-services-azure.json +++ b/plugins/setup/src/main/resources/templates/streams/cloud-services-azure.json @@ -1,10614 +1,10617 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-azure-*" + "wazuh-events-v5-cloud-services-azure*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 10, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 3000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-azure" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "azure": { - "properties": { - "activitylogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "properties": { - "authorization": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "evidence": { - "properties": { - "principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_assignment_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_assignment_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "role_definition_id": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" } }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" } }, - "claims": { - "type": "object" - }, - "claims_initiated_by_user_fullname": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "type": "long" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_properties_cause": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "app_service": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "container_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_ip_address": { - "type": "ip" - }, - "event_primary_stamp_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_stamp_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_stamp_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "client_ip": { - "type": "ip" - }, - "client_port": { - "type": "long" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_bytes": { - "type": "long" - }, - "cs_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_uri_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_uri_stem": { - "ignore_above": 1024, - "type": "keyword" - }, - "cs_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "details": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "referer": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "s_port": { - "ignore_above": 1024, - "type": "keyword" - }, - "sc_bytes": { - "type": "long" - }, - "sc_status": { - "type": "long" - }, - "sc_substatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "sc_win32status": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_generated": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_taken": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "xazurefdid": { - "ignore_above": 1024, - "type": "keyword" - }, - "xfdhealth_probe": { - "ignore_above": 1024, - "type": "keyword" - }, - "xforwarded_for": { - "ignore_above": 1024, - "type": "keyword" - }, - "xforwarded_host": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "application_gateway": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "scope_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "application_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "auditlogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "type": "long" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "activity_datetime": { - "type": "date" - }, - "activity_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "additional_details": { - "type": "object" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_by": { - "properties": { - "app": { - "properties": { - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" } - }, - "user": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipaddress": { - "type": "ip" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "logged_by_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_resources": { - "type": "object" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "compute_vm": { - "properties": { - "disk_read_bytes": { - "properties": { - "total": { - "type": "float" - } - } - }, - "inbound_flows_maximum_creation_rate": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "network_in": { - "properties": { - "total": { - "type": "long" - } - } - }, - "network_in_total": { - "properties": { - "total": { - "type": "long" - } - } - }, - "outbound_flows_maximum_creation_rate": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "percentage_cpu": { - "properties": { - "avg": { - "type": "float" - } - } - } - } - }, - "compute_vm_scaleset": { - "properties": { - "cpu_credits_consumed": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "cpu_credits_remaining": { - "properties": { - "avg": { - "type": "long" - } - } - } - } - }, - "container_instance": { - "properties": { - "network_bytes_received_per_second": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "network_bytes_transmitted_per_second": { - "properties": { - "avg": { - "type": "long" - } - } - } - } - }, - "container_registry": { - "properties": { - "agent_pool_cpu_time": { - "properties": { - "total": { - "type": "long" - } - } - }, - "run_duration": { - "properties": { - "total": { - "type": "long" - } - } - }, - "storage_used": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "successful_pull_count": { - "properties": { - "total": { - "type": "long" - } - } - }, - "successful_push_count": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total_pull_count": { - "properties": { - "total": { - "type": "long" - } - } - }, - "total_push_count": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "container_service": { - "properties": { - "kube_node_status_allocatable_cpu_cores": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "kube_node_status_allocatable_memory_bytes": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "kube_node_status_condition": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "kube_pod_status_phase": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "kube_pod_status_ready": { - "properties": { - "avg": { - "type": "long" - } - } - } - } - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "database_account": { - "properties": { - "availability": { - "properties": { - "avg": { - "type": "float" - } - } - }, - "data_usage_storage": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "mongo_requests_count": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "dimensions": { - "properties": { - "api_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication": { - "ignore_above": 1024, - "type": "keyword" - }, - "blob_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "closure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "command_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "database_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "feature_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_share": { - "ignore_above": 1024, - "type": "keyword" - }, - "fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "geolocation": { - "ignore_above": 1024, - "type": "keyword" - }, - "lun": { - "ignore_above": 1024, - "type": "keyword" - }, - "model_deployment_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "model_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "phase": { - "ignore_above": 1024, - "type": "keyword" - }, - "pod": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "tier": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "usage_channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual_machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "vmname": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "firewall": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnssec_ok_bit": { - "type": "boolean" - }, - "edns0_buffer_size": { - "type": "long" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp": { - "properties": { - "request": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_explicit_proxy_request": { - "type": "boolean" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_scope_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_duration_sec": { - "type": "long" - }, - "request_size": { - "type": "long" - }, - "response_size": { - "type": "long" - }, - "rule_collection_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_category": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "properties": { - "app_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "type": "long" - }, - "event_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "exception_details": { - "norms": false, - "type": "text" - }, - "exception_message": { - "norms": false, - "type": "text" - }, - "exception_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "invocation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "level_id": { - "type": "long" - }, - "message": { - "norms": false, - "type": "text" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "process_id": { - "type": "long" - }, - "role_instance": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "graphactivity": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "graphactivitylogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "billed_size": { - "type": "long" - }, - "client_auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "type": "object" - }, - "scopes": { - "type": "object" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sign_in_activity": { - "ignore_above": 1024, - "type": "keyword" - }, - "sign_in_activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_generated": { - "type": "date" - }, - "token_issued_at": { - "type": "date" - }, - "wids": { - "type": "object" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity": { - "properties": { - "properties": { - "properties": { - "metric_response_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_key": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "requester": { - "properties": { - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "audience": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "token_issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "upn": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "identity_authorization": { - "type": "object" - }, - "identityprotection": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "activity": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_datetime": { - "type": "date" - }, - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_deleted": { - "type": "boolean" - }, - "is_guest": { - "type": "boolean" - }, - "is_processing": { - "type": "boolean" - }, - "last_updated_datetime": { - "type": "date" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_last_updated_datetime": { - "type": "date" - }, - "risk_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "token_issuer_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "metrics": { - "properties": { - "Egress": { - "properties": { - "total": { - "type": "long" - } - } - }, - "Ingress": { - "properties": { - "total": { - "type": "long" - } - } - }, - "SuccessE2ELatency": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "SuccessServerLatency": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "Transactions": { - "properties": { - "total": { - "type": "long" - } - } - }, - "document_quota": { - "properties": { - "total": { - "type": "long" - } - } - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "open_ai": { - "properties": { - "active_tokens": { - "properties": { - "total": { - "type": "long" - } - } - }, - "asset_identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_tokens_cache_match_rate": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "deployment_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - }, - "fine_tuned_training_hours": { - "properties": { - "total": { - "type": "long" - } - } - }, - "generated_tokens": { - "properties": { - "total": { - "type": "long" - } - } - }, - "is_request_success": { - "type": "boolean" - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "processed_prompt_tokens": { - "properties": { - "total": { - "type": "long" - } - } - }, - "properties": { - "properties": { - "api_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "api_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "api_revision": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_request_body": { - "type": "object" - }, - "backend_response_body": { - "type": "object" - }, - "backend_response_code": { - "type": "long" - }, - "backend_time": { - "type": "long" - }, - "backend_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "cache": { - "ignore_above": 1024, - "type": "keyword" - }, - "model_deployment_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "model_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "model_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "object_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_time": { - "type": "long" - }, - "response_time": { - "type": "long" - }, - "stream_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provisioned_managed_utilization_v2": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "requests": { - "properties": { - "total": { - "type": "long" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "sku": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant": { - "ignore_above": 1024, - "type": "keyword" - }, - "time_to_response": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "token_transaction": { - "properties": { - "total": { - "type": "long" - } - } - }, - "truncated": { - "type": "long" - } - } - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platformlogs": { - "properties": { - "activity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "caller": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "ccpnamespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "cloud": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_time_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "auth_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "log": { - "ignore_above": 1024, - "type": "keyword" - }, - "masked_ipaddress": { - "type": "ip" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "pod": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "raw": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_size": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_size": { - "ignore_above": 1024, - "type": "keyword" - }, - "sdk_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "stream": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscription_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "scaleunit": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provisioning": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_datetime": { - "type": "date" - }, - "change_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "cycle_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration_ms": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_by": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "job_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "modified_properties": { - "type": "object" - }, - "provisioning_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "provisioning_status_info": { - "properties": { - "error_information": { - "properties": { - "additional_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "recommended_action": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provisioning_steps": { - "properties": { - "provisioning_step_type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "service_principal": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source_identity": { - "properties": { - "details": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" } } - }, - "source_system": { - "properties": { - "details": { - "properties": { - "application_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dervice_principal_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "target_identity": { - "properties": { - "details": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" } - }, - "target_system": { - "properties": { - "details": { - "properties": { - "application_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dervice_principal_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "authorization_rule": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "tags": { - "type": "object" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "signinlogs": { - "properties": { - "caller_ip_address": { - "type": "ip" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "app_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "applied_conditional_access_policies": { - "type": "object" - }, - "authentication_details": { - "type": "object" - }, - "authentication_processing_details": { - "type": "object" - }, - "authentication_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_requirement": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_requirement_policies": { - "type": "object" - }, - "autonomous_system_number": { - "type": "long" - }, - "client_app_used": { - "ignore_above": 1024, - "type": "keyword" - }, - "conditional_access_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "cross_tenant_access_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_detail": { - "properties": { - "browser": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_compliant": { - "type": "boolean" - }, - "is_managed": { - "type": "boolean" - }, - "operating_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "trust_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flagged_for_review": { - "type": "boolean" - }, - "home_tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "incoming_token_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_interactive": { - "type": "boolean" - }, - "is_tenant_restricted": { - "type": "boolean" - }, - "original_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "processing_time_in_ms": { - "type": "long" - }, - "resource_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_level_aggregated": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_level_during_signIn": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_principal_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "properties": { - "error_code": { - "type": "long" - } - } - }, - "token_issuer_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "unique_token_identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principal_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "springcloudlogs": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_format": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "properties": { - "properties": { - "app_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "stream": { - "ignore_above": 1024, - "type": "keyword" - }, - "thread": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result_signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "storage": { - "properties": { - "account_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "conditions_used": { - "ignore_above": 1024, - "type": "keyword" - }, - "container": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_length_header": { - "type": "long" - }, - "duration": { - "properties": { - "ms": { - "type": "long" - } - } - }, - "etag": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_modified_time": { - "type": "date" - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation_count": { - "type": "long" - }, - "request_header_size": { - "type": "long" - }, - "request_md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "response_header_size": { - "type": "long" - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server_latency": { - "properties": { - "ms": { - "type": "long" - } - } - }, - "server_md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "service_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_text": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "storage_account": { - "properties": { - "availability": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "used_capacity": { - "properties": { - "avg": { - "type": "long" } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "subscription_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "timegrain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "azure": { + "properties": { + "activitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - } - }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "event_category": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "metricset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "period": { - "type": "long" - } - } - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" - } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "identity": { + "properties": { + "authorization": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "evidence": { + "properties": { + "principal_id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "principal_type": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "role": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "role_assignment_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_assignment_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "role_definition_id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "scope": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "claims": { + "type": "object" + }, + "claims_initiated_by_user_fullname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "type": "long" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_properties_cause": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "app_service": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "container_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_ip_address": { + "type": "ip" + }, + "event_primary_stamp_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_stamp_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_stamp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "client_ip": { + "type": "ip" + }, + "client_port": { + "type": "long" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_bytes": { + "type": "long" + }, + "cs_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_uri_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_uri_stem": { + "ignore_above": 1024, + "type": "keyword" + }, + "cs_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "details": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "referer": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "s_port": { + "ignore_above": 1024, + "type": "keyword" + }, + "sc_bytes": { + "type": "long" + }, + "sc_status": { + "type": "long" + }, + "sc_substatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "sc_win32status": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_generated": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_taken": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "xazurefdid": { + "ignore_above": 1024, + "type": "keyword" + }, + "xfdhealth_probe": { + "ignore_above": 1024, + "type": "keyword" + }, + "xforwarded_for": { + "ignore_above": 1024, + "type": "keyword" + }, + "xforwarded_host": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application_gateway": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "application_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "auditlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "type": "long" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity_datetime": { + "type": "date" + }, + "activity_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_details": { + "type": "object" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "app": { + "properties": { + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" + "user": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipaddress": { + "type": "ip" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "logged_by_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_resources": { + "type": "object" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "compute_vm": { + "properties": { + "disk_read_bytes": { + "properties": { + "total": { + "type": "float" + } + } + }, + "inbound_flows_maximum_creation_rate": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "network_in": { + "properties": { + "total": { + "type": "long" + } + } + }, + "network_in_total": { + "properties": { + "total": { + "type": "long" + } + } + }, + "outbound_flows_maximum_creation_rate": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "percentage_cpu": { + "properties": { + "avg": { + "type": "float" + } + } + } + } + }, + "compute_vm_scaleset": { + "properties": { + "cpu_credits_consumed": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "cpu_credits_remaining": { + "properties": { + "avg": { + "type": "long" + } + } + } + } + }, + "container_instance": { + "properties": { + "network_bytes_received_per_second": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "network_bytes_transmitted_per_second": { + "properties": { + "avg": { + "type": "long" + } + } + } + } + }, + "container_registry": { + "properties": { + "agent_pool_cpu_time": { + "properties": { + "total": { + "type": "long" + } + } + }, + "run_duration": { + "properties": { + "total": { + "type": "long" + } + } + }, + "storage_used": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "successful_pull_count": { + "properties": { + "total": { + "type": "long" + } + } + }, + "successful_push_count": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total_pull_count": { + "properties": { + "total": { + "type": "long" + } + } + }, + "total_push_count": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "container_service": { + "properties": { + "kube_node_status_allocatable_cpu_cores": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "kube_node_status_allocatable_memory_bytes": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "kube_node_status_condition": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "kube_pod_status_phase": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "kube_pod_status_ready": { + "properties": { + "avg": { + "type": "long" + } + } + } + } + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "database_account": { + "properties": { + "availability": { + "properties": { + "avg": { + "type": "float" + } + } + }, + "data_usage_storage": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "mongo_requests_count": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "dimensions": { + "properties": { + "api_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication": { + "ignore_above": 1024, + "type": "keyword" + }, + "blob_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "closure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "command_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "database_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "feature_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_share": { + "ignore_above": 1024, + "type": "keyword" + }, + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "geolocation": { + "ignore_above": 1024, + "type": "keyword" + }, + "lun": { + "ignore_above": 1024, + "type": "keyword" + }, + "model_deployment_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "model_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "phase": { + "ignore_above": 1024, + "type": "keyword" + }, + "pod": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "tier": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "usage_channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual_machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "vmname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "firewall": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnssec_ok_bit": { + "type": "boolean" + }, + "edns0_buffer_size": { + "type": "long" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "properties": { + "request": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_explicit_proxy_request": { + "type": "boolean" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_scope_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_duration_sec": { + "type": "long" + }, + "request_size": { + "type": "long" + }, + "response_size": { + "type": "long" + }, + "rule_collection_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_category": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "properties": { + "app_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "type": "long" + }, + "event_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "exception_details": { + "norms": false, + "type": "text" + }, + "exception_message": { + "norms": false, + "type": "text" + }, + "exception_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "invocation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "level_id": { + "type": "long" + }, + "message": { + "norms": false, + "type": "text" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "process_id": { + "type": "long" + }, + "role_instance": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "graphactivity": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "graphactivitylogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "billed_size": { + "type": "long" + }, + "client_auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "type": "object" + }, + "scopes": { + "type": "object" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sign_in_activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sign_in_activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_generated": { + "type": "date" + }, + "token_issued_at": { + "type": "date" + }, + "wids": { + "type": "object" } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity": { + "properties": { + "properties": { + "properties": { + "metric_response_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_key": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "requester": { + "properties": { + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "audience": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "upn": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "identity_authorization": { + "type": "object" + }, + "identityprotection": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "activity": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_datetime": { + "type": "date" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_deleted": { + "type": "boolean" + }, + "is_guest": { + "type": "boolean" + }, + "is_processing": { + "type": "boolean" + }, + "last_updated_datetime": { + "type": "date" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_last_updated_datetime": { + "type": "date" + }, + "risk_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "metrics": { + "properties": { + "Egress": { + "properties": { + "total": { + "type": "long" + } + } + }, + "Ingress": { + "properties": { + "total": { + "type": "long" + } + } + }, + "SuccessE2ELatency": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "SuccessServerLatency": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "Transactions": { + "properties": { + "total": { + "type": "long" + } + } + }, + "document_quota": { + "properties": { + "total": { + "type": "long" + } + } + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "open_ai": { + "properties": { + "active_tokens": { + "properties": { + "total": { + "type": "long" + } + } + }, + "asset_identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_tokens_cache_match_rate": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "deployment_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "fine_tuned_training_hours": { + "properties": { + "total": { + "type": "long" + } + } + }, + "generated_tokens": { + "properties": { + "total": { + "type": "long" + } + } + }, + "is_request_success": { + "type": "boolean" + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "processed_prompt_tokens": { + "properties": { + "total": { + "type": "long" + } + } + }, + "properties": { + "properties": { + "api_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "api_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "api_revision": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_request_body": { + "type": "object" + }, + "backend_response_body": { + "type": "object" + }, + "backend_response_code": { + "type": "long" + }, + "backend_time": { + "type": "long" + }, + "backend_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache": { + "ignore_above": 1024, + "type": "keyword" + }, + "model_deployment_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "model_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "model_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "object_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_time": { + "type": "long" + }, + "response_time": { + "type": "long" + }, + "stream_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provisioned_managed_utilization_v2": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "requests": { + "properties": { + "total": { + "type": "long" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "sku": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant": { + "ignore_above": 1024, + "type": "keyword" + }, + "time_to_response": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "token_transaction": { + "properties": { + "total": { + "type": "long" + } + } + }, + "truncated": { + "type": "long" + } + } + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platformlogs": { + "properties": { + "activity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "caller": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "ccpnamespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "cloud": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_time_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "auth_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "log": { + "ignore_above": 1024, + "type": "keyword" + }, + "masked_ipaddress": { + "type": "ip" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "pod": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "raw": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "sdk_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "scaleunit": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provisioning": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_datetime": { + "type": "date" + }, + "change_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "cycle_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration_ms": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_by": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "job_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "modified_properties": { + "type": "object" + }, + "provisioning_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "provisioning_status_info": { + "properties": { + "error_information": { + "properties": { + "additional_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "recommended_action": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" + "status": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "provisioning_steps": { + "properties": { + "provisioning_step_type": { + "ignore_above": 1024, + "type": "keyword" } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "service_principal": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source_identity": { + "properties": { + "details": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source_system": { + "properties": { + "details": { + "properties": { + "application_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dervice_principal_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + } }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target_identity": { + "properties": { + "details": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + } }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target_system": { + "properties": { + "details": { + "properties": { + "application_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dervice_principal_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + } }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "authorization_rule": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "tags": { + "type": "object" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "signinlogs": { + "properties": { + "caller_ip_address": { + "type": "ip" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "applied_conditional_access_policies": { + "type": "object" + }, + "authentication_details": { + "type": "object" + }, + "authentication_processing_details": { + "type": "object" + }, + "authentication_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_requirement": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_requirement_policies": { + "type": "object" + }, + "autonomous_system_number": { + "type": "long" + }, + "client_app_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditional_access_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cross_tenant_access_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_detail": { + "properties": { + "browser": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_compliant": { + "type": "boolean" + }, + "is_managed": { + "type": "boolean" + }, + "operating_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "trust_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flagged_for_review": { + "type": "boolean" + }, + "home_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "incoming_token_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_interactive": { + "type": "boolean" + }, + "is_tenant_restricted": { + "type": "boolean" + }, + "original_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "processing_time_in_ms": { + "type": "long" + }, + "resource_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_aggregated": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_level_during_signIn": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "error_code": { + "type": "long" + } + } + }, + "token_issuer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "unique_token_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principal_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "springcloudlogs": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_format": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "properties": { + "properties": { + "app_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "stream": { + "ignore_above": 1024, + "type": "keyword" + }, + "thread": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result_signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "storage": { + "properties": { + "account_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditions_used": { + "ignore_above": 1024, + "type": "keyword" + }, + "container": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_length_header": { + "type": "long" + }, + "duration": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_modified_time": { + "type": "date" + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation_count": { + "type": "long" + }, + "request_header_size": { + "type": "long" + }, + "request_md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "response_header_size": { + "type": "long" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server_latency": { + "properties": { + "ms": { + "type": "long" + } + } + }, + "server_md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "service_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "storage_account": { + "properties": { + "availability": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "used_capacity": { + "properties": { + "avg": { + "type": "long" + } + } + } + } + }, + "subscription_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timegrain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "metricset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 10, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 3000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-azure" } } diff --git a/plugins/setup/src/main/resources/templates/streams/cloud-services-gcp.json b/plugins/setup/src/main/resources/templates/streams/cloud-services-gcp.json index 6fe62b34..e4581581 100644 --- a/plugins/setup/src/main/resources/templates/streams/cloud-services-gcp.json +++ b/plugins/setup/src/main/resources/templates/streams/cloud-services-gcp.json @@ -1,9885 +1,9888 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-gcp-*" + "wazuh-events-v5-cloud-services-gcp*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 10, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 100, + "mapping.total_fields.limit": 3000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-gcp" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gcp_audit": { - "properties": { - "actor": { - "properties": { - "entity_id": { - "type": "nested" - } - } - }, - "authenticationinfo": { - "properties": { - "principalsubject": { - "ignore_above": 1024, - "type": "keyword" - }, - "serviceaccountdelegationinfo": { - "type": "nested" - }, - "serviceaccountkeyname": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "authorizationinfo": { - "type": "nested" - }, - "event_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "type": "object" - }, - "metadata": { - "properties": { - "@type": { - "ignore_above": 1024, - "type": "keyword" - }, - "accessLevels": { - "ignore_above": 1024, - "type": "keyword" - }, - "identityDelegationChain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingressViolations": { - "type": "nested" - }, - "operationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "resourceNames": { - "ignore_above": 1024, - "type": "keyword" - }, - "securityPolicyInfo": { - "properties": { - "organizationId": { - "ignore_above": 1024, - "type": "keyword" - }, - "servicePerimeterName": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usedResources": { - "properties": { - "attachedDisks": { - "type": "nested" - } - } - }, - "violationReason": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpcServiceControlsUniqueId": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "numresponseitems": { - "type": "long" - }, - "operation": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orgpolicyviolationinfo": { - "properties": { - "payload": { - "properties": { - "key1": { - "ignore_above": 1024, - "type": "keyword" - }, - "key2": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resourcetags": { - "properties": { - "instance_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "related": { - "properties": { - "entity": { - "type": "nested" - } - } - }, - "request": { - "properties": { - "@type": { - "ignore_above": 1024, - "type": "keyword" - }, - "apiVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "disks": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "guestOsFeatures": { - "type": "nested" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "machineType": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "creationTimestamp": { - "type": "date" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "networkInterfaces": { - "type": "nested" - }, - "pageSize": { - "ignore_above": 1024, - "type": "keyword" - }, - "page_token": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "properties": { - "bindings": { - "type": "nested" - }, - "etag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policyvalue": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawDisk": { - "properties": { - "source": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "ignore_above": 1024, - "type": "keyword" - }, - "resourceName": { - "ignore_above": 1024, - "type": "keyword" - }, - "serviceAccounts": { - "type": "nested" - }, - "sourceType": { - "ignore_above": 1024, - "type": "keyword" - }, - "spec": { - "properties": { - "group": { - "type": "nested" - }, - "nonResourceAttributes": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "verb": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "strategy": { - "properties": { - "$retainKeys": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "template": { - "properties": { - "spec": { - "type": "object" - } - } - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "status": { - "properties": { - "allowed": { - "type": "boolean" - } - } - } - } - }, - "resourcelocation": { - "properties": { - "currentlocation": { - "type": "nested" - } - } - }, - "resourcename": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "properties": { - "@type": { - "ignore_above": 1024, - "type": "keyword" - }, - "apiVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "bindings": { - "type": "nested" - }, - "details": { - "properties": { - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "etag": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "insertTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "metadata": { - "properties": { - "annotations": { - "type": "object" - }, - "creationTimestamp": { - "type": "date" - }, - "generation": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "type": "object" - }, - "managedFields": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "resourceVersion": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "operationType": { - "ignore_above": 1024, - "type": "keyword" - }, - "progress": { - "ignore_above": 1024, - "type": "keyword" - }, - "selfLink": { - "ignore_above": 1024, - "type": "keyword" - }, - "selfLinkWithId": { - "ignore_above": 1024, - "type": "keyword" - }, - "spec": { - "properties": { - "group": { - "type": "nested" - }, - "nonResourceAttributes": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "verb": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "progressDeadlineSeconds": { - "ignore_above": 1024, - "type": "keyword" - }, - "replicas": { - "ignore_above": 1024, - "type": "keyword" - }, - "revisionHistoryLimit": { - "ignore_above": 1024, - "type": "keyword" - }, - "selector": { - "properties": { - "matchLabels": { - "properties": { - "k8s-app": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "strategy": { - "properties": { - "rollingUpdate": { - "properties": { - "maxSurge": { - "ignore_above": 1024, - "type": "keyword" - }, - "maxUnavailable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "template": { - "properties": { - "metadata": { - "properties": { - "annotations": { - "type": "object" - }, - "creationTimestamp": { - "type": "date" - }, - "labels": { - "properties": { - "k8s-app": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "spec": { - "properties": { - "containers": { - "type": "nested" - }, - "dnsPolicy": { - "ignore_above": 1024, - "type": "keyword" - }, - "nodeSelector": { - "type": "object" - }, - "priorityClassName": { - "ignore_above": 1024, - "type": "keyword" - }, - "restartPolicy": { - "ignore_above": 1024, - "type": "keyword" - }, - "schedulerName": { - "ignore_above": 1024, - "type": "keyword" - }, - "securityContext": { - "properties": { - "fsGroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "runAsGroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "runAsUser": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serviceAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "serviceAccountName": { - "ignore_above": 1024, - "type": "keyword" - }, - "terminationGracePeriodSeconds": { - "ignore_above": 1024, - "type": "keyword" - }, - "tolerations": { - "type": "nested" - }, - "topologySpreadConstraints": { - "type": "nested" - }, - "volumes": { - "type": "nested" - } - } - } - } - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "startTime": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "properties": { - "allowed": { - "type": "boolean" - }, - "availableReplicas": { - "ignore_above": 1024, - "type": "keyword" - }, - "conditions": { - "type": "nested" - }, - "observedGeneration": { - "ignore_above": 1024, - "type": "keyword" - }, - "readyReplicas": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "replicas": { - "ignore_above": 1024, - "type": "keyword" - }, - "updatedReplicas": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "statusvalue": { - "ignore_above": 1024, - "type": "keyword" - }, - "targetId": { - "ignore_above": 1024, - "type": "keyword" - }, - "targetLink": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "servicename": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "properties": { - "code": { - "type": "long" - }, - "details": { - "type": "nested" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "entity_id": { - "type": "nested" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gcp_compute": { - "properties": { - "event_module": { - "ignore_above": 1024, - "type": "keyword" - }, - "labels": { - "properties": { - "user": { - "properties": { - "goog-gke-node": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "metrics": { - "properties": { - "firewall": { - "properties": { - "dropped": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "dropped_packets_count": { - "properties": { - "value": { - "type": "long" - } - } - } - } - }, - "instance": { - "properties": { - "cpu": { - "properties": { - "reserved_cores": { - "properties": { - "value": { - "type": "long" - } - } - }, - "usage": { - "properties": { - "pct": { - "type": "float" - } - } - }, - "usage_time": { - "properties": { - "sec": { - "type": "float" - } - } - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "read_ops_count": { - "properties": { - "value": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write_ops_count": { - "properties": { - "value": { - "type": "long" - } - } - } - } - }, - "memory": { - "properties": { - "balloon": { - "properties": { - "ram_size": { - "properties": { - "value": { - "type": "long" - } - } - }, - "ram_used": { - "properties": { - "value": { - "type": "long" - } - } - }, - "swap_in": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "swap_out": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - } - } - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "properties": { - "count": { - "type": "long" - } - } - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "packets": { - "properties": { - "count": { - "type": "long" - } - } - } - } - } - } - }, - "uptime": { - "properties": { - "sec": { - "type": "float" - } - } - }, - "uptime_total": { - "properties": { - "sec": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - } - } - }, - "gcp_dns": { - "properties": { - "authanswer": { - "type": "boolean" - }, - "destinationIP": { - "ignore_above": 1024, - "type": "keyword" - }, - "egresserror": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "queryname": { - "ignore_above": 1024, - "type": "keyword" - }, - "querytype": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "responsecode": { - "ignore_above": 1024, - "type": "keyword" - }, - "serverlatency": { - "type": "long" - }, - "source_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourceip": { - "ignore_above": 1024, - "type": "keyword" - }, - "sourcenetwork": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vminstanceid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vminstancename": { - "ignore_above": 1024, - "type": "keyword" - }, - "vmprojectid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vmzonename": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gcp_firewall": { - "properties": { - "destinationinstance": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destinationvpc": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnetwork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule_details": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_port_info": { - "type": "nested" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_range": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gcp_loadbalancer": { - "properties": { - "backend_service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cacheHit": { - "type": "boolean" - }, - "cacheId": { - "ignore_above": 1024, - "type": "keyword" - }, - "cacheLookup": { - "type": "boolean" - }, - "forwarding_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "statusDetails": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_proxy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url_map_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gcp_vpcflow": { - "properties": { - "dest_instance": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dest_vpc": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnetwork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "reporter": { - "ignore_above": 1024, - "type": "keyword" - }, - "rtt_msec": { - "type": "long" - }, - "src_instance": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "src_vpc": { - "properties": { - "project_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnetwork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpc_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "google_scc": { - "properties": { - "asset": { - "properties": { - "access_policy": { - "properties": { - "create_time": { - "type": "date" - }, - "etag": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "update_time": { - "type": "date" - } - } - }, - "ancestors": { - "type": "nested" - }, - "asset_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "iam_policy": { - "properties": { - "bindings": { - "type": "nested" - }, - "etag": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "type": "long" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "org_policy": { - "type": "nested" - }, - "os_inventory": { - "properties": { - "items": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_info": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel_release": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "long_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "osconfigagent_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "short_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "update_time": { - "type": "date" - } - } - }, - "prior": { - "properties": { - "ancestors": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "data": { - "properties": { - "analyticsEnabled": { - "type": "boolean" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "lifecycleState": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "retentionDays": { - "type": "long" - } - } - }, - "discovery": { - "properties": { - "document_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "update_time": { - "type": "date" - } - } - }, - "prior_asset_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "related_asset": { - "properties": { - "ancestors": { - "type": "nested" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "relationship_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "data": { - "norms": false, - "type": "text" - }, - "discovery": { - "properties": { - "document_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "discovery_document_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "discovery_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "update_time": { - "type": "date" - }, - "window": { - "properties": { - "start_time": { - "type": "date" - } - } - } - } - }, - "finding": { - "properties": { - "access": { - "properties": { - "caller_ip": { - "type": "ip" - }, - "caller_ip_geo": { - "properties": { - "region_code": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "method_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "principal": { - "properties": { - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service_account": { - "properties": { - "key_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "service_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "canonical_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "compliances": { - "type": "nested" - }, - "contacts": { - "type": "object" - }, - "create_time": { - "type": "date" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_time": { - "type": "date" - }, - "external_systems": { - "type": "object" - }, - "external_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "kubernetes": { - "type": "object" - }, - "log_entries": { - "type": "nested" - }, - "mitre_attack": { - "type": "object" - }, - "mute": { - "properties": { - "initiator": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "update_time": { - "type": "date" - } - } - }, - "mute_info": { - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "next_steps": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "type": "object" - }, - "resource_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_marks": { - "type": "object" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_properties": { - "type": "object" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "vulnerability": { - "type": "object" - } - } - }, - "source": { - "properties": { - "canonical_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" } } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "metricset": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "period": { - "type": "long" - } - } - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "mime_type": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "size": { + "type": "long" } } - }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "result": { - "properties": { - "evaluation": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gcp_audit": { + "properties": { + "actor": { + "properties": { + "entity_id": { + "type": "nested" + } + } + }, + "authenticationinfo": { + "properties": { + "principalsubject": { + "ignore_above": 1024, + "type": "keyword" + }, + "serviceaccountdelegationinfo": { + "type": "nested" + }, + "serviceaccountkeyname": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "authorizationinfo": { + "type": "nested" + }, + "event_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "type": "object" + }, + "metadata": { + "properties": { + "@type": { + "ignore_above": 1024, + "type": "keyword" + }, + "accessLevels": { + "ignore_above": 1024, + "type": "keyword" + }, + "identityDelegationChain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingressViolations": { + "type": "nested" + }, + "operationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "resourceNames": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityPolicyInfo": { + "properties": { + "organizationId": { + "ignore_above": 1024, + "type": "keyword" + }, + "servicePerimeterName": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usedResources": { + "properties": { + "attachedDisks": { + "type": "nested" + } + } + }, + "violationReason": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpcServiceControlsUniqueId": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "numresponseitems": { + "type": "long" + }, + "operation": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orgpolicyviolationinfo": { + "properties": { + "payload": { + "properties": { + "key1": { + "ignore_above": 1024, + "type": "keyword" + }, + "key2": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resourcetags": { + "properties": { + "instance_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "related": { + "properties": { + "entity": { + "type": "nested" + } + } + }, + "request": { + "properties": { + "@type": { + "ignore_above": 1024, + "type": "keyword" + }, + "apiVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "disks": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "guestOsFeatures": { + "type": "nested" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "machineType": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "properties": { + "creationTimestamp": { + "type": "date" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "networkInterfaces": { + "type": "nested" + }, + "pageSize": { + "ignore_above": 1024, + "type": "keyword" + }, + "page_token": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "properties": { + "bindings": { + "type": "nested" + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policyvalue": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawDisk": { + "properties": { + "source": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "ignore_above": 1024, + "type": "keyword" + }, + "resourceName": { + "ignore_above": 1024, + "type": "keyword" + }, + "serviceAccounts": { + "type": "nested" + }, + "sourceType": { + "ignore_above": 1024, + "type": "keyword" + }, + "spec": { + "properties": { + "group": { + "type": "nested" + }, + "nonResourceAttributes": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "verb": { + "ignore_above": 1024, + "type": "keyword" } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "strategy": { + "properties": { + "$retainKeys": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "template": { + "properties": { + "spec": { + "type": "object" + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "status": { + "properties": { + "allowed": { + "type": "boolean" + } + } + } + } + }, + "resourcelocation": { + "properties": { + "currentlocation": { + "type": "nested" + } + } + }, + "resourcename": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "@type": { + "ignore_above": 1024, + "type": "keyword" + }, + "apiVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "bindings": { + "type": "nested" + }, + "details": { + "properties": { + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "insertTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "metadata": { + "properties": { + "annotations": { + "type": "object" + }, + "creationTimestamp": { + "type": "date" + }, + "generation": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "type": "object" + }, + "managedFields": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "resourceVersion": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "operationType": { + "ignore_above": 1024, + "type": "keyword" + }, + "progress": { + "ignore_above": 1024, + "type": "keyword" + }, + "selfLink": { + "ignore_above": 1024, + "type": "keyword" + }, + "selfLinkWithId": { + "ignore_above": 1024, + "type": "keyword" + }, + "spec": { + "properties": { + "group": { + "type": "nested" + }, + "nonResourceAttributes": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "verb": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "progressDeadlineSeconds": { + "ignore_above": 1024, + "type": "keyword" + }, + "replicas": { + "ignore_above": 1024, + "type": "keyword" + }, + "revisionHistoryLimit": { + "ignore_above": 1024, + "type": "keyword" + }, + "selector": { + "properties": { + "matchLabels": { + "properties": { + "k8s-app": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "strategy": { + "properties": { + "rollingUpdate": { + "properties": { + "maxSurge": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "maxUnavailable": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "template": { + "properties": { + "metadata": { + "properties": { + "annotations": { + "type": "object" + }, + "creationTimestamp": { + "type": "date" + }, + "labels": { + "properties": { + "k8s-app": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" + "spec": { + "properties": { + "containers": { + "type": "nested" + }, + "dnsPolicy": { + "ignore_above": 1024, + "type": "keyword" + }, + "nodeSelector": { + "type": "object" + }, + "priorityClassName": { + "ignore_above": 1024, + "type": "keyword" + }, + "restartPolicy": { + "ignore_above": 1024, + "type": "keyword" + }, + "schedulerName": { + "ignore_above": 1024, + "type": "keyword" + }, + "securityContext": { + "properties": { + "fsGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "runAsGroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "runAsUser": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serviceAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "serviceAccountName": { + "ignore_above": 1024, + "type": "keyword" + }, + "terminationGracePeriodSeconds": { + "ignore_above": 1024, + "type": "keyword" + }, + "tolerations": { + "type": "nested" + }, + "topologySpreadConstraints": { + "type": "nested" + }, + "volumes": { + "type": "nested" + } + } + } + } + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "startTime": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "allowed": { + "type": "boolean" + }, + "availableReplicas": { + "ignore_above": 1024, + "type": "keyword" + }, + "conditions": { + "type": "nested" + }, + "observedGeneration": { + "ignore_above": 1024, + "type": "keyword" + }, + "readyReplicas": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "replicas": { + "ignore_above": 1024, + "type": "keyword" + }, + "updatedReplicas": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "statusvalue": { + "ignore_above": 1024, + "type": "keyword" + }, + "targetId": { + "ignore_above": 1024, + "type": "keyword" + }, + "targetLink": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "servicename": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "properties": { + "code": { + "type": "long" + }, + "details": { + "type": "nested" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "entity_id": { + "type": "nested" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gcp_compute": { + "properties": { + "event_module": { + "ignore_above": 1024, + "type": "keyword" + }, + "labels": { + "properties": { + "user": { + "properties": { + "goog-gke-node": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "metrics": { + "properties": { + "firewall": { + "properties": { + "dropped": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "dropped_packets_count": { + "properties": { + "value": { + "type": "long" + } } } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + } + }, + "instance": { + "properties": { + "cpu": { + "properties": { + "reserved_cores": { + "properties": { + "value": { + "type": "long" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "usage": { + "properties": { + "pct": { + "type": "float" + } + } + }, + "usage_time": { + "properties": { + "sec": { + "type": "float" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "read_ops_count": { + "properties": { + "value": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write_ops_count": { + "properties": { + "value": { + "type": "long" + } } } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "memory": { + "properties": { + "balloon": { + "properties": { + "ram_size": { + "properties": { + "value": { + "type": "long" + } + } + }, + "ram_used": { + "properties": { + "value": { + "type": "long" + } + } + }, + "swap_in": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "swap_out": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + } + } + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "properties": { + "count": { + "type": "long" + } + } + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "properties": { + "count": { + "type": "long" + } + } + } + } + } + } + }, + "uptime": { + "properties": { + "sec": { + "type": "float" + } + } + }, + "uptime_total": { + "properties": { + "sec": { + "ignore_above": 1024, + "type": "keyword" + } } } } } + } + } + } + }, + "gcp_dns": { + "properties": { + "authanswer": { + "type": "boolean" + }, + "destinationIP": { + "ignore_above": 1024, + "type": "keyword" + }, + "egresserror": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "queryname": { + "ignore_above": 1024, + "type": "keyword" + }, + "querytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "responsecode": { + "ignore_above": 1024, + "type": "keyword" + }, + "serverlatency": { + "type": "long" + }, + "source_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourceip": { + "ignore_above": 1024, + "type": "keyword" + }, + "sourcenetwork": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vminstanceid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vminstancename": { + "ignore_above": 1024, + "type": "keyword" + }, + "vmprojectid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vmzonename": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gcp_firewall": { + "properties": { + "destinationinstance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destinationvpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_details": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_port_info": { + "type": "nested" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_range": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gcp_loadbalancer": { + "properties": { + "backend_service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cacheHit": { + "type": "boolean" + }, + "cacheId": { + "ignore_above": 1024, + "type": "keyword" + }, + "cacheLookup": { + "type": "boolean" + }, + "forwarding_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "statusDetails": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_proxy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_map_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gcp_vpcflow": { + "properties": { + "dest_instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dest_vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "reporter": { + "ignore_above": 1024, + "type": "keyword" + }, + "rtt_msec": { + "type": "long" + }, + "src_instance": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src_vpc": { + "properties": { + "project_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnetwork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpc_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "google_scc": { + "properties": { + "asset": { + "properties": { + "access_policy": { + "properties": { + "create_time": { + "type": "date" + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "update_time": { + "type": "date" + } + } + }, + "ancestors": { + "type": "nested" + }, + "asset_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "iam_policy": { + "properties": { + "bindings": { + "type": "nested" + }, + "etag": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "type": "long" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "org_policy": { + "type": "nested" + }, + "os_inventory": { + "properties": { + "items": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_info": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel_release": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "long_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "osconfigagent_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "short_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "update_time": { + "type": "date" + } + } + }, + "prior": { + "properties": { + "ancestors": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "data": { + "properties": { + "analyticsEnabled": { + "type": "boolean" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "lifecycleState": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "retentionDays": { + "type": "long" + } + } + }, + "discovery": { + "properties": { + "document_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "update_time": { + "type": "date" + } + } + }, + "prior_asset_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_asset": { + "properties": { + "ancestors": { + "type": "nested" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "relationship_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "data": { + "norms": false, + "type": "text" + }, + "discovery": { + "properties": { + "document_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "discovery_document_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "discovery_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "update_time": { + "type": "date" + }, + "window": { + "properties": { + "start_time": { + "type": "date" + } + } + } + } + }, + "finding": { + "properties": { + "access": { + "properties": { + "caller_ip": { + "type": "ip" + }, + "caller_ip_geo": { + "properties": { + "region_code": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "method_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "principal": { + "properties": { + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_account": { + "properties": { + "key_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "service_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "canonical_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "compliances": { + "type": "nested" + }, + "contacts": { + "type": "object" + }, + "create_time": { + "type": "date" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_time": { + "type": "date" + }, + "external_systems": { + "type": "object" + }, + "external_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "kubernetes": { + "type": "object" + }, + "log_entries": { + "type": "nested" + }, + "mitre_attack": { + "type": "object" + }, + "mute": { + "properties": { + "initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "update_time": { + "type": "date" + } + } + }, + "mute_info": { + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "next_steps": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "type": "object" + }, + "resource_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_marks": { + "type": "object" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_properties": { + "type": "object" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vulnerability": { + "type": "object" + } + } + }, + "source": { + "properties": { + "canonical_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } }, - "first_seen": { - "type": "date" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "metricset": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "period": { + "type": "long" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "modified_at": { - "type": "date" + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "not_after": { - "type": "date" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } }, - "not_before": { - "type": "date" + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "country": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "locality": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" } } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resource": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "result": { + "properties": { + "evaluation": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 10, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 100, - "mapping.total_fields.limit": 3000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services-gcp" } } diff --git a/plugins/setup/src/main/resources/templates/streams/cloud-services.json b/plugins/setup/src/main/resources/templates/streams/cloud-services.json index d12e471e..a9698ab5 100644 --- a/plugins/setup/src/main/resources/templates/streams/cloud-services.json +++ b/plugins/setup/src/main/resources/templates/streams/cloud-services.json @@ -1,8491 +1,8494 @@ { "index_patterns": [ - "wazuh-events-v5-cloud-services-*" + "wazuh-events-v5-cloud-services*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cisco": { - "properties": { - "umbrella": { - "properties": { - "amp_disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "amp_malware_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "amp_score": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit": { - "properties": { - "after": { - "type": "nested" - }, - "after_values": { - "type": "object" - }, - "before": { - "type": "nested" - }, - "before_values": { - "type": "object" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "av_detections": { - "ignore_above": 1024, - "type": "keyword" - }, - "blocked_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_errors": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "cves": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "data_identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "datacenter": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_lists_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_label": { - "ignore_above": 1024, - "type": "keyword" - }, - "fqdns": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "identities": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "isolate_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "puas": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha_sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sid": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_list_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "warn_status": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + }, + "cisco": { + "properties": { + "umbrella": { + "properties": { + "amp_disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_malware_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "amp_score": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit": { + "properties": { + "after": { + "type": "nested" + }, + "after_values": { + "type": "object" + }, + "before": { + "type": "nested" + }, + "before_values": { + "type": "object" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" + "av_detections": { + "ignore_above": 1024, + "type": "keyword" + }, + "blocked_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_errors": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "cves": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "data_identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "datacenter": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_lists_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_label": { + "ignore_above": 1024, + "type": "keyword" + }, + "fqdns": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "identities": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "isolate_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "puas": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha_sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_list_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "warn_status": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "role": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 2500, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-cloud-services" } } diff --git a/plugins/setup/src/main/resources/templates/streams/network-activity.json b/plugins/setup/src/main/resources/templates/streams/network-activity.json index 03a468db..f6e5ea78 100644 --- a/plugins/setup/src/main/resources/templates/streams/network-activity.json +++ b/plugins/setup/src/main/resources/templates/streams/network-activity.json @@ -1,13825 +1,13828 @@ { "index_patterns": [ - "wazuh-events-v5-network-activity-*" + "wazuh-events-v5-network-activity*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 4000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-network-activity" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "checkpoint": { - "properties": { - "action_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "action_reason_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "administrator": { - "ignore_above": 1024, - "type": "keyword" - }, - "aggregated_log_count": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_risk": { - "type": "long" - }, - "app_rule_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_method2": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_build": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_ipe": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "comment": { - "ignore_above": 1024, - "type": "keyword" - }, - "community": { - "ignore_above": 1024, - "type": "keyword" - }, - "confidence_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "conn_direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_count": { - "ignore_above": 1024, - "type": "keyword" - }, - "context_num": { - "ignore_above": 1024, - "type": "keyword" - }, - "contract_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "control_log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cp_component_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "cp_component_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvpn_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "db_ver": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_device_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "description_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_identification": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlp_incident_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_domain_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "elapsed": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "failed_login_factor_num": { - "type": "long" - }, - "fieldschanges": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency": { - "ignore_above": 1024, - "type": "keyword" - }, - "fw_subproduct": { - "ignore_above": 1024, - "type": "keyword" - }, - "host_ip": { - "type": "ip" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_policy_acceleration": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_delay": { - "ignore_above": 1024, - "type": "keyword" - }, - "logic_changes": { - "ignore_above": 1024, - "type": "keyword" - }, - "logid": { - "type": "long" - }, - "login_option": { - "ignore_above": 1024, - "type": "keyword" - }, - "login_timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "loguid": { - "ignore_above": 1024, - "type": "keyword" - }, - "machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_family": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_rule_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "malware_rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "match_id": { - "type": "long" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "methods": { - "ignore_above": 1024, - "type": "keyword" - }, - "more": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_addtnl_rulenum": { - "type": "long" - }, - "nat_rule_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat_rulenum": { - "type": "long" - }, - "objectname": { - "ignore_above": 1024, - "type": "keyword" - }, - "objecttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "office_mode_ip": { - "type": "ip" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_number": { - "type": "long" - }, - "operation_result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation_results": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_sic_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_bits": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_build": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_edition": { - "ignore_above": 1024, - "type": "keyword" - }, - "outzonlags": { - "ignore_above": 1024, - "type": "keyword" - }, - "package_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_capture_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_capture_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "packet_capture_unique_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent_rule": { - "type": "long" - }, - "peer_gateway": { - "type": "ip" - }, - "performance_impact": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "portal_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "precise_error": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "protection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_src_ip": { - "type": "ip" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reject_id_kid": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "row_start": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "script_value_for_one_time_scripts": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_inzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_outzone": { - "ignore_above": 1024, - "type": "keyword" - }, - "sendtotrackerasadvancedauditlog": { - "ignore_above": 1024, - "type": "keyword" - }, - "ser_agent_kid": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_inbound_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_timeout": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "smartdefense_profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "snid": { - "ignore_above": 1024, - "type": "keyword" - }, - "special_properties": { - "ignore_above": 1024, - "type": "keyword" - }, - "sport_svc": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_user_dn": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "stormagentaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "stormagentname": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "subs_exp": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscription_stat": { - "ignore_above": 1024, - "type": "keyword" - }, - "subscription_stat_desc": { - "ignore_above": 1024, - "type": "keyword" - }, - "suppressed_logs": { - "ignore_above": 1024, - "type": "keyword" - }, - "svc": { - "ignore_above": 1024, - "type": "keyword" - }, - "sys_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "syslog_severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "system_application": { - "ignore_above": 1024, - "type": "keyword" - }, - "task": { - "ignore_above": 1024, - "type": "keyword" - }, - "task_percent": { - "ignore_above": 1024, - "type": "keyword" - }, - "task_progress": { - "ignore_above": 1024, - "type": "keyword" - }, - "taskid": { - "ignore_above": 1024, - "type": "keyword" - }, - "tasktargetid": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_packet_out_of_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "time": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnel_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "update_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_dn": { - "ignore_above": 1024, - "type": "keyword" - }, - "usercheck": { - "ignore_above": 1024, - "type": "keyword" - }, - "usercheck_confirmation_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "usercheck_interaction_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpn_featurename": { - "ignore_above": 1024, - "type": "keyword" - }, - "xlatedport_svc": { - "ignore_above": 1024, - "type": "keyword" - }, - "xlatesport_svc": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cisco": { - "properties": { - "asa": { - "properties": { - "aaa_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "assigned_ip": { - "type": "ip" - }, - "burst": { - "properties": { - "avg_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "configured_avg_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "configured_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "cumulative_count": { - "ignore_above": 1024, - "type": "keyword" - }, - "current_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "object": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line_arguments": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "connections_in_use": { - "type": "long" - }, - "connections_most_used": { - "type": "long" - }, - "dap_records": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_user_security_group_tag": { - "type": "long" - }, - "destination_user_security_group_tag_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "destination_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "group_policy": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_destination_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_destination_ip": { - "type": "ip" - }, - "mapped_destination_port": { - "type": "long" - }, - "mapped_source_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "mapped_source_ip": { - "type": "ip" - }, - "mapped_source_port": { - "type": "long" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_repeats": { - "type": "long" - }, - "original_iana_number": { - "type": "long" - }, - "peer_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "pool_address": { - "type": "ip" - }, - "pool_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "privilege": { - "properties": { - "new": { - "ignore_above": 1024, - "type": "keyword" - }, - "old": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "redundant_interface_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rejection_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_user_security_group_tag": { - "type": "long" - }, - "source_user_security_group_tag_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_username": { - "ignore_above": 1024, - "type": "keyword" - }, - "suffix": { - "ignore_above": 1024, - "type": "keyword" - }, - "termination_initiator": { - "ignore_above": 1024, - "type": "keyword" - }, - "termination_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "trustpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnel_group": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnel_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "webvpn": { - "properties": { - "group_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "eapol": { - "properties": { - "descriptor": { - "type": "long" - }, - "type": { - "type": "long" - }, - "version": { - "type": "long" - } - } - }, - "interface": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ios": { - "properties": { - "access_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "message_count": { - "type": "long" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "pim": { - "properties": { - "group": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "source": { - "properties": { - "ip": { - "type": "ip" + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "object" - }, - "session": { - "properties": { - "number": { - "type": "integer" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "tableid": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } } }, - "type": "object" - }, - "meraki": { - "properties": { - "aid": { - "ignore_above": 1024, - "type": "keyword" - }, - "alertData": { - "properties": { - "connection": { - "ignore_above": 1024, - "type": "keyword" - }, - "local": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "alertId": { - "ignore_above": 1024, - "type": "keyword" - }, - "alertType": { - "ignore_above": 1024, - "type": "keyword" - }, - "alertTypeId": { - "ignore_above": 1024, - "type": "keyword" - }, - "anyconnect_vpn_session_manager": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes_in": { - "type": "long" - }, - "bytes_out": { - "type": "long" - }, - "conn_id": { - "type": "long" - }, - "duration": { - "ignore_above": 1024, - "type": "keyword" - }, - "filter": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "peer_ip": { - "type": "ip" - }, - "peer_port": { - "type": "long" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "type": "long" - }, - "session_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnel_id": { - "type": "float" - }, - "tunnel_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "apple_da_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "arp_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "arp_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_neg_dur": { - "type": "float" - }, - "band": { - "ignore_above": 1024, - "type": "keyword" - }, - "best_ap": { - "ignore_above": 1024, - "type": "keyword" - }, - "best_ap_load": { - "type": "long" - }, - "best_ap_rssi": { - "type": "long" - }, - "bssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "type": "long" - }, - "connectivity": { - "ignore_above": 1024, - "type": "keyword" - }, - "da_vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "details": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceTags": { - "ignore_above": 1024, - "type": "keyword" - }, - "deviceUrl": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_lease_completed": { - "type": "float" - }, - "dhcp_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "disposition": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_req_rtt": { - "type": "float" - }, - "dns_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_server": { - "type": "ip" - }, - "download": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "float" - }, - "event_subtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fc_subtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "fc_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "pattern": { - "ignore_above": 1024, - "type": "keyword" - }, - "rule": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "flows": { - "properties": { - "op": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "full_conn": { - "type": "float" - }, - "http_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "identity": { - "ignore_above": 1024, - "type": "keyword" - }, - "instigator": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_8021x": { - "type": "long" - }, - "is_wpa": { - "type": "long" - }, - "last_auth_ago": { - "type": "float" - }, - "load": { - "type": "long" - }, - "mxport": { - "ignore_above": 1024, - "type": "keyword" - }, - "networkId": { - "ignore_above": 1024, - "type": "keyword" - }, - "networkTags": { - "ignore_above": 1024, - "type": "keyword" - }, - "networkUrl": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_port_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurredAt": { - "type": "date" - }, - "old_port_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizationUrl": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_contact": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_ident": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "radio": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "rssi": { - "type": "long" - }, - "security": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "decision": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhost": { - "ignore_above": 1024, - "type": "keyword" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "sentAt": { - "type": "date" - }, - "server_ip": { - "type": "ip" - }, - "server_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "sharedSecret": { - "ignore_above": 1024, - "type": "keyword" - }, - "site_to_site_vpn": { - "properties": { - "raw": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "src": { - "ignore_above": 1024, - "type": "keyword" - }, - "summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "upload": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "vap": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "type": "long" - }, - "vpn_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "wired_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "wired_vlan": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "wps": { - "properties": { - "channel": { - "type": "long" - }, - "hits": { - "type": "long" - }, - "preced": { - "type": "long" - }, - "slot": { - "type": "long" - }, - "track": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - } - } - } + "condition": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "f5_bigip": { - "properties": { - "log": { - "properties": { - "abandoned_conns": { - "type": "long" - }, - "accept_fails": { - "type": "long" - }, - "accepts": { - "type": "long" - }, - "access": { - "properties": { - "policy_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "acl": { - "properties": { - "policy": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "active_conns": { - "type": "long" - }, - "actual_mitigation_action": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "additional_bot_signatures": { - "ignore_above": 1024, - "type": "keyword" - }, - "afm_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "aggr_interval": { - "type": "long" - }, - "anomalies": { - "ignore_above": 1024, - "type": "keyword" - }, - "anomaly_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "apm_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "application": { - "properties": { - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "properties": { - "max_time": { - "type": "long" - }, - "min_time": { - "type": "long" - }, - "time": { - "type": "long" - } - } - } - } - }, - "application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "asm_attack_signatures": { - "type": "object" - }, - "asm_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack": { - "properties": { - "count": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitigation_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vector_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bad_actor": { - "properties": { - "detection": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "drops": { - "type": "long" - }, - "events": { - "type": "long" - }, - "mitigation": { - "properties": { - "max": { - "type": "long" - }, - "min": { - "type": "long" - } - } - } - } - }, - "base_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "bigip_management": { - "properties": { - "ip": { - "type": "ip" - }, - "ip2": { - "type": "ip" - }, - "ip_2": { - "type": "ip" - } - } - }, - "blocking_exception_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "bot_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "bot_signature": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "browser_actual_verification_action": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "browser_configured_verification_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "browser_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "browser_verification_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "bytes": { - "properties": { - "in": { - "type": "long" - }, - "out": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "callback_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "captcha_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "captcha_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "chassis_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "ip": { - "type": "ip" - }, - "ip_geo_location": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "latency": { - "properties": { - "hit_count": { - "type": "long" - }, - "max": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "port": { - "type": "long" - }, - "request_uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client_side": { - "properties": { - "network": { - "properties": { - "latency": { - "type": "long" - }, - "max_latency": { - "type": "long" - }, - "min_latency": { - "type": "long" - } - } - } - } - }, - "client_ttfb": { - "properties": { - "hit_count": { - "type": "long" - }, - "max": { - "type": "long" - }, - "min": { - "type": "long" - }, - "value": { - "type": "long" - } - } - }, - "compression_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "concurrent": { - "properties": { - "connections": { - "properties": { - "avg": { - "type": "long" - }, - "health": { - "type": "long" - }, - "max": { - "type": "long" - } - } - }, - "users": { - "properties": { - "max": { - "type": "long" - } - } - } - } - }, - "config_ready": { - "ignore_above": 1024, - "type": "keyword" - }, - "config_sync_succeeded": { - "type": "boolean" - }, - "configuration_date_time": { - "type": "date" - }, - "configured_mitigation_action": { - "properties": { - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "connections_performance": { - "properties": { - "activeSslClientConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "activeSslServerConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "blade1": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "blade2": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientAccepts": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientConnects": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "connections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "httpRequests": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "newSslClientConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "newSslServerConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pvaClient": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pvaServer": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverNewConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverNewTcpConnections": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "context": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "continent": { - "ignore_above": 1024, - "type": "keyword" - }, - "conviction_traps": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu": { - "properties": { - "analysis_plane": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "avg": { - "type": "long" - }, - "control_plane": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "data_plane": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "health": { - "type": "long" - } - } - }, - "cpu_value": { - "type": "long" - }, - "credential_stuffing_lookup_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "date_time": { - "type": "date" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "dest": { - "properties": { - "fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "ipint_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "vlan": { - "ignore_above": 1024, - "type": "keyword" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "detection": { - "properties": { - "avg": { - "type": "long" - } - } - }, - "device": { - "properties": { - "blade": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "device_id": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "diagnostics": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "cve_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "header": { - "ignore_above": 1024, - "type": "keyword" - }, - "importance": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "solution": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "properties": { - "fix": { - "type": "long" - }, - "maintenance": { - "type": "long" - }, - "major": { - "type": "long" - }, - "minor": { - "type": "long" - }, - "point": { - "type": "long" - } - } - } - }, - "type": "nested" - }, - "disk_latency": { - "type": "object" - }, - "disk_storage": { - "type": "object" - }, - "dos": { - "properties": { - "attack": { - "properties": { - "detection_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "latency": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tps": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "baseline": { - "properties": { - "latency": { - "ignore_above": 1024, - "type": "keyword" - }, - "tps": { - "ignore_above": 1024, - "type": "keyword" - }, - "traffic_percent": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "current_traffic_percent": { - "ignore_above": 1024, - "type": "keyword" - }, - "dropped_requests_count": { - "type": "long" - }, - "incoming_requests_count": { - "type": "long" - }, - "mobile_app": { - "properties": { - "client_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "display_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "profile_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dos_detection": { - "properties": { - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "threshold": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dos_mitigate_to_threshold": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_mitigation": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "threshold": { - "type": "long" - } - } - }, - "drop_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst": { - "properties": { - "geo": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "enforced_by": { - "ignore_above": 1024, - "type": "keyword" - }, - "enforcement_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity": { - "ignore_above": 1024, - "type": "keyword" - }, - "eoc": { - "properties": { - "timestamp": { - "type": "date" - } - } - }, - "epoch_time": { - "type": "date" - }, - "errdefs": { - "properties": { - "msg_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgno": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "timestamp": { - "type": "date" - } - } - }, - "events": { - "properties": { - "total": { - "type": "long" - } - } - }, - "expired_conns": { - "type": "long" - }, - "extra_fields": { - "properties": { - "support_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "failed_conns": { - "type": "long" - }, - "failover_color": { - "ignore_above": 1024, - "type": "keyword" - }, - "failover_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "flow": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "info": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "global_bigiq_conf": { - "ignore_above": 1024, - "type": "keyword" - }, - "gtm_config_time": { - "type": "date" - }, - "hardware_drops": { - "type": "long" - }, - "headers": { - "ignore_above": 1024, - "type": "keyword" - }, - "hit_count": { - "type": "long" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "cache_control": { - "ignore_above": 1024, - "type": "keyword" - }, - "class_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection": { - "ignore_above": 1024, - "type": "keyword" - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "other_headers": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pragma": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol_indication": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_host": { - "type": "ip" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "human_behaviour": { - "ignore_above": 1024, - "type": "keyword" - }, - "hw": { - "properties": { - "cookie_valid": { - "type": "long" - } - } - }, - "imei": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_address_intelligence": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_reputation": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_with_route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_attacking_ip": { - "type": "boolean" - }, - "is_internal_activity": { - "type": "boolean" - }, - "is_mobile_device": { - "type": "boolean" - }, - "is_truncated": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_trunct": { - "ignore_above": 1024, - "type": "keyword" - }, - "jailbroken_or_rooted_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "last_afm_deploy": { - "type": "date" - }, - "last_asm_change": { - "type": "date" - }, - "latency_histogram": { - "ignore_above": 1024, - "type": "keyword" - }, - "license_ready": { - "ignore_above": 1024, - "type": "keyword" - }, - "likely_false_positive_sig_ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "listener": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "login_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "ltm_config_time": { - "type": "date" - }, - "machine_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "management": { - "properties": { - "ip_address": { - "type": "ip" - }, - "ip_address_2": { - "type": "ip" - } - } - }, - "marketing_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "max_active_conns": { - "type": "long" - }, - "memory": { - "properties": { - "avg": { - "type": "long" - }, - "health": { - "type": "long" - } - } - }, - "memory_value": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mgmt_ip": { - "type": "ip" - }, - "micro_service": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "matched_wildcard_url": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "microservice": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitigation": { - "properties": { - "max": { - "type": "long" - }, - "min": { - "type": "long" - } - } - }, - "mobile_application": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mobile_in_emulation_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mobile_is_app": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "network_interfaces": { - "type": "object" - }, - "new_conns": { - "type": "long" - }, - "new_request_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "type": "ip" - }, - "node_port": { - "type": "long" - }, - "object_tags_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "osname": { - "ignore_above": 1024, - "type": "keyword" - }, - "partition": { - "ignore_above": 1024, - "type": "keyword" - }, - "partition_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "password_hash_prefix": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "policy": { - "properties": { - "apply_date": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pool": { - "properties": { - "ip": { - "type": "ip" - }, - "ip_route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - } - } - }, - "previous": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "initiated_action": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request_date_time": { - "type": "date" - }, - "requests_status": { - "type": "date" - }, - "support_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "profile": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "profile_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "provision_ready": { - "ignore_above": 1024, - "type": "keyword" - }, - "provisioning": { - "type": "object" - }, - "query": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sam_account_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_principle_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reported_entity_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "reputation": { - "ignore_above": 1024, - "type": "keyword" - }, - "req": { - "properties": { - "elapsed_time": { - "type": "long" - }, - "start_time": { - "type": "date" - } - } - }, - "request": { - "properties": { - "accept": { - "ignore_above": 1024, - "type": "keyword" - }, - "cache_control": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection": { - "ignore_above": 1024, - "type": "keyword" - }, - "date_time": { - "type": "date" - }, - "detail": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "duration_hit_count": { - "type": "long" - }, - "host": { - "ignore_above": 1024, - "type": "keyword" - }, - "max_duration": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "min_duration": { - "type": "long" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_agent": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_forwarded_for": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request_date_time": { - "type": "date" - }, - "request_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "res": { - "properties": { - "start_time": { - "type": "date" - } - } - }, - "resp": { - "ignore_above": 1024, - "type": "keyword" - }, - "response": { - "properties": { - "code": { - "type": "long" - }, - "duration": { - "type": "long" - }, - "duration_hit_count": { - "type": "long" - }, - "max_duration": { - "type": "long" - }, - "min_duration": { - "type": "long" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "rxbad_cookie": { - "type": "long" - }, - "rxbadseg": { - "type": "long" - }, - "rxbadsum": { - "type": "long" - }, - "rxcookie": { - "type": "long" - }, - "rxooseg": { - "type": "long" - }, - "rxrst": { - "type": "long" - }, - "sa_translation": { - "properties": { - "pool": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "send_to_vs": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "properties": { - "hit_count": { - "type": "long" - }, - "ip": { - "type": "ip" - }, - "latency": { - "properties": { - "max": { - "type": "long" - }, - "min": { - "type": "long" - }, - "total": { - "type": "long" - } - } - } - } - }, - "server_side": { - "properties": { - "network": { - "properties": { - "latency": { - "type": "long" - }, - "max_latency": { - "type": "long" - }, - "min_latency": { - "type": "long" - } - } - } - } - }, - "session": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sig": { - "properties": { - "cves": { - "ignore_above": 1024, - "type": "keyword" - }, - "ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "names": { - "ignore_above": 1024, - "type": "keyword" - }, - "set_names": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "slot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "number": { - "type": "long" - } - } - }, - "sndpack": { - "type": "long" - }, - "software_drops": { - "type": "long" - }, - "sos": { - "properties": { - "application_response_time": { - "type": "long" - }, - "client_side_network_latency": { - "type": "long" - }, - "client_ttfb": { - "type": "long" - }, - "request_duration": { - "type": "long" - }, - "response_duration": { - "type": "long" - }, - "server_side_network_latency": { - "type": "long" - } - } - }, - "source": { - "properties": { - "fqdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "ip_route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipint_categories": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_group": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "src": { - "properties": { - "geo": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "staged": { - "properties": { - "sig": { - "properties": { - "cves": { - "ignore_above": 1024, - "type": "keyword" - }, - "ids": { - "ignore_above": 1024, - "type": "keyword" - }, - "names": { - "ignore_above": 1024, - "type": "keyword" - }, - "set_names": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat_campaign_names": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "stat_src": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "sub_violations": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnet": { - "properties": { - "ip": { - "type": "ip" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "route_domain": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "support": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "swap": { - "type": "long" - }, - "sync_color": { - "ignore_above": 1024, - "type": "keyword" - }, - "sync_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "sync_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "sync_summary": { - "ignore_above": 1024, - "type": "keyword" - }, - "syncacheover": { - "type": "long" - }, - "system": { - "properties": { - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ihealth_link": { - "ignore_above": 1024, - "type": "keyword" - }, - "qkview_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system_timestamp": { - "type": "date" - }, - "tap": { - "properties": { - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "requested_actions": { - "ignore_above": 1024, - "type": "keyword" - }, - "sent_token": { - "type": "long" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vid": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tcp_prof": { - "ignore_above": 1024, - "type": "keyword" - }, - "telemetry": { - "properties": { - "event": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "timestamp": { - "type": "date" - } - } - }, - "telemetry_service_info": { - "properties": { - "cycle_end": { - "type": "date" - }, - "cycle_start": { - "type": "date" - }, - "polling_interval": { - "type": "long" - } - } - }, - "tenant": { - "ignore_above": 1024, - "type": "keyword" - }, - "threat_campaign_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "throughput": { - "properties": { - "avg": { - "type": "long" - }, - "health": { - "type": "long" - }, - "req_per_interval": { - "properties": { - "total": { - "type": "long" - } - } - }, - "req_per_sec": { - "properties": { - "max": { - "type": "long" - } - } - }, - "resp_per_interval": { - "properties": { - "total": { - "type": "long" - } - } - }, - "resp_per_sec": { - "properties": { - "max": { - "type": "long" - } - } - } - } - }, - "throughput_performance": { - "properties": { - "clientBitsIn": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientBitsOut": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientIn": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "clientOut": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "compression": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inBits": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inPackets": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "managementBitsIn": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "managementBitsOut": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "outBits": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "outPackets": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverBitsIn": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverBitsOut": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverIn": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serverOut": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serviceBits": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "servicePackets": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sslTps": { - "properties": { - "average": { - "type": "long" - }, - "current": { - "type": "long" - }, - "max": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "timestamp": { - "type": "date" - }, - "tmm_cpu": { - "type": "long" - }, - "tmm_memory": { - "type": "long" - }, - "tmm_traffic": { - "properties": { - "client_side_traffic": { - "properties": { - "bits_in": { - "type": "long" - }, - "bits_out": { - "type": "long" - } - } - }, - "server_side_traffic": { - "properties": { - "bits_in": { - "type": "long" - }, - "bits_out": { - "type": "long" - } - } - } - } - }, - "tps": { - "properties": { - "max": { - "type": "float" - } - } - }, - "transaction_outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "translated": { - "properties": { - "dest": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "ip_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "route_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "vlan": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "txrexmits": { - "type": "long" - }, - "unit_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "unit_hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "uri": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "sessions": { - "properties": { - "new_total": { - "type": "long" - } - } - } - } - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_build": { - "ignore_above": 1024, - "type": "keyword" - }, - "violate_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "violation": { - "properties": { - "details": { - "ignore_above": 1024, - "type": "keyword" - }, - "rating": { - "type": "long" - } - } - }, - "violations": { - "ignore_above": 1024, - "type": "keyword" - }, - "vip": { - "ignore_above": 1024, - "type": "keyword" - }, - "virtual": { - "properties": { - "ip": { - "type": "ip" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "virtual_server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "virus_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "ignore_above": 1024, - "type": "keyword" - }, - "vs_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "web_application_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "websocket": { - "properties": { - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "wl_events": { - "type": "long" - }, - "x_forwarded_for_header_value": { - "type": "ip" - } - } - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "fortinet": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "addrgrp": { - "ignore_above": 1024, - "type": "keyword" - }, - "advpnsc": { - "ignore_above": 1024, - "type": "keyword" - }, - "age": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "alert": { - "ignore_above": 1024, - "type": "keyword" - }, - "analyticscksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "analyticssubmit": { - "ignore_above": 1024, - "type": "keyword" - }, - "apn": { - "ignore_above": 1024, - "type": "keyword" - }, - "app": { - "ignore_above": 1024, - "type": "keyword" - }, - "appact": { - "ignore_above": 1024, - "type": "keyword" - }, - "appid": { - "ignore_above": 1024, - "type": "keyword" - }, - "applist": { - "ignore_above": 1024, - "type": "keyword" - }, - "apprisk": { - "ignore_above": 1024, - "type": "keyword" - }, - "apscan": { - "ignore_above": 1024, - "type": "keyword" - }, - "apstatus": { - "ignore_above": 1024, - "type": "keyword" - }, - "aptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "assigned": { - "ignore_above": 1024, - "type": "keyword" - }, - "assignip": { - "ignore_above": 1024, - "type": "keyword" - }, - "attack": { - "ignore_above": 1024, - "type": "keyword" - }, - "attackid": { - "ignore_above": 1024, - "type": "keyword" - }, - "auditid": { - "type": "long" - }, - "auditreporttype": { - "ignore_above": 1024, - "type": "keyword" - }, - "auditscore": { - "ignore_above": 1024, - "type": "keyword" - }, - "audittime": { - "type": "long" - }, - "authmsg": { - "ignore_above": 1024, - "type": "keyword" - }, - "authproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "authserver": { - "ignore_above": 1024, - "type": "keyword" - }, - "bandwidth": { - "ignore_above": 1024, - "type": "keyword" - }, - "bibandwidth": { - "ignore_above": 1024, - "type": "keyword" - }, - "bssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "c_bytes": { - "type": "long" - }, - "c_ggsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "c_gsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "c_pkts": { - "type": "long" - }, - "c_sgsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "carrier": { - "ignore_above": 1024, - "type": "keyword" - }, - "cat": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgattr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgobj": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgpath": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfgtid": { - "ignore_above": 1024, - "type": "keyword" - }, - "cfseidaddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cggsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "cgsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "channeltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "clashtunnelidx": { - "type": "long" - }, - "cldobjid": { - "ignore_above": 1024, - "type": "keyword" - }, - "clientip": { - "ignore_above": 1024, - "type": "keyword" - }, - "clustername": { - "ignore_above": 1024, - "type": "keyword" - }, - "connection_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "cookies": { - "ignore_above": 1024, - "type": "keyword" - }, - "core": { - "ignore_above": 1024, - "type": "keyword" - }, - "count": { - "type": "long" - }, - "countapp": { - "type": "long" - }, - "countav": { - "type": "long" - }, - "countcasb": { - "type": "long" - }, - "countcifs": { - "type": "long" - }, - "countdlp": { - "type": "long" - }, - "countdns": { - "type": "long" - }, - "countemail": { - "type": "long" - }, - "countff": { - "type": "long" - }, - "counticap": { - "type": "long" - }, - "countips": { - "type": "long" - }, - "countsctpf": { - "type": "long" - }, - "countssh": { - "type": "long" - }, - "countssl": { - "type": "long" - }, - "countwaf": { - "type": "long" - }, - "countweb": { - "type": "long" - }, - "cpaddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpaddr6": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpdladdr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpdladdr6": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpdlisraddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpdlisraddr6": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu": { - "type": "long" - }, - "cpuladdr": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpuladdr6": { - "ignore_above": 1024, - "type": "keyword" - }, - "craction": { - "type": "long" - }, - "criticalcount": { - "type": "long" - }, - "crlevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "crscore": { - "type": "long" - }, - "csgsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "deltabytes": { - "type": "long" - }, - "desc": { - "norms": false, - "type": "text" - }, - "detectionmethod": { - "ignore_above": 1024, - "type": "keyword" - }, - "devcategory": { - "ignore_above": 1024, - "type": "keyword" - }, - "devtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "disk": { - "type": "long" - }, - "disklograte": { - "type": "long" - }, - "dlpextra": { - "ignore_above": 1024, - "type": "keyword" - }, - "dlpfilteridx": { - "type": "long" - }, - "domainctrlauthstate": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainctrlauthtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainctrlprotocoltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "domainfilteridx": { - "type": "long" - }, - "dstcountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "dsthwvendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstintfrole": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstreputation": { - "ignore_above": 1024, - "type": "keyword" - }, - "dstserver": { - "type": "long" - }, - "dstuuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "encryption": { - "ignore_above": 1024, - "type": "keyword" - }, - "end_usr_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "endusraddress6": { - "ignore_above": 1024, - "type": "keyword" - }, - "epoch": { - "type": "long" - }, - "fams_pause": { - "ignore_above": 1024, - "type": "keyword" - }, - "fazlograte": { - "type": "long" - }, - "fctemssn": { - "ignore_above": 1024, - "type": "keyword" - }, - "fctuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "filtercat": { - "ignore_above": 1024, - "type": "keyword" - }, - "filteridx": { - "type": "long" - }, - "filtername": { - "ignore_above": 1024, - "type": "keyword" - }, - "filtertype": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwardedfor": { - "ignore_above": 1024, - "type": "keyword" - }, - "freediskstorage": { - "type": "long" - }, - "from": { - "ignore_above": 1024, - "type": "keyword" - }, - "from4": { - "ignore_above": 1024, - "type": "keyword" - }, - "from6": { - "ignore_above": 1024, - "type": "keyword" - }, - "from_vcluster": { - "ignore_above": 1024, - "type": "keyword" - }, - "ha_group": { - "type": "long" - }, - "ha_prio": { - "ignore_above": 1024, - "type": "keyword" - }, - "ha_role": { - "ignore_above": 1024, - "type": "keyword" - }, - "handshake": { - "ignore_above": 1024, - "type": "keyword" - }, - "healthcheck": { - "ignore_above": 1024, - "type": "keyword" - }, - "highcount": { - "type": "long" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "httpcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "httpmethod": { - "ignore_above": 1024, - "type": "keyword" - }, - "iccid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmpcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmpid": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "ietype": { - "ignore_above": 1024, - "type": "keyword" - }, - "imei": { - "ignore_above": 1024, - "type": "keyword" - }, - "imsi": { - "ignore_above": 1024, - "type": "keyword" - }, - "inbandwidth": { - "ignore_above": 1024, - "type": "keyword" - }, - "incidentserialno": { - "type": "long" - }, - "infectedfilelevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "infectedfilesize": { - "type": "long" - }, - "init": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "jitter": { - "type": "long" - }, - "keysize": { - "type": "long" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "kxproto": { - "ignore_above": 1024, - "type": "keyword" - }, - "lanin": { - "type": "long" - }, - "lanout": { - "type": "long" - }, - "latency": { - "type": "long" - }, - "lease": { - "ignore_above": 1024, - "type": "keyword" - }, - "license_limit": { - "ignore_above": 1024, - "type": "keyword" - }, - "linked_nsapi": { - "ignore_above": 1024, - "type": "keyword" - }, - "live": { - "ignore_above": 1024, - "type": "keyword" - }, - "localdevcount": { - "type": "long" - }, - "login": { - "ignore_above": 1024, - "type": "keyword" - }, - "lowcount": { - "type": "long" - }, - "manuf": { - "ignore_above": 1024, - "type": "keyword" - }, - "masterdstmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "mastersrcmac": { - "ignore_above": 1024, - "type": "keyword" - }, - "mediumcount": { - "type": "long" - }, - "mem": { - "type": "long" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "metric": { - "ignore_above": 1024, - "type": "keyword" - }, - "mitm": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "msg_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netid": { - "ignore_above": 1024, - "type": "keyword" - }, - "newchannel": { - "ignore_above": 1024, - "type": "keyword" - }, - "newslot": { - "ignore_above": 1024, - "type": "keyword" - }, - "newvalue": { - "ignore_above": 1024, - "type": "keyword" - }, - "nextstat": { - "ignore_above": 1024, - "type": "keyword" - }, - "noise": { - "ignore_above": 1024, - "type": "keyword" - }, - "nsapi": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocrlog": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldchannel": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldslot": { - "ignore_above": 1024, - "type": "keyword" - }, - "oldvalue": { - "ignore_above": 1024, - "type": "keyword" - }, - "onwire": { - "ignore_above": 1024, - "type": "keyword" - }, - "osname": { - "ignore_above": 1024, - "type": "keyword" - }, - "outbandwidth": { - "ignore_above": 1024, - "type": "keyword" - }, - "outintf": { - "ignore_above": 1024, - "type": "keyword" - }, - "packetloss": { - "ignore_above": 1024, - "type": "keyword" - }, - "passedcount": { - "type": "long" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_notif": { - "ignore_above": 1024, - "type": "keyword" - }, - "phonenumber": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "plan": { - "ignore_above": 1024, - "type": "keyword" - }, - "policymode": { - "ignore_above": 1024, - "type": "keyword" - }, - "policytype": { - "ignore_above": 1024, - "type": "keyword" - }, - "poluuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "prefetch": { - "type": "long" - }, - "processtime": { - "type": "long" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxyapptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "qtypeval": { - "type": "long" - }, - "quarskip": { - "ignore_above": 1024, - "type": "keyword" - }, - "quotamax": { - "type": "long" - }, - "quotaused": { - "type": "long" - }, - "radioband": { - "ignore_above": 1024, - "type": "keyword" - }, - "radioidclosest": { - "ignore_above": 1024, - "type": "keyword" - }, - "radioiddetected": { - "ignore_above": 1024, - "type": "keyword" - }, - "rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawdata": { - "ignore_above": 1024, - "type": "keyword" - }, - "rawdataid": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcode": { - "ignore_above": 1024, - "type": "keyword" - }, - "rcvddelta": { - "type": "long" - }, - "reqlength": { - "type": "long" - }, - "reqtime": { - "type": "long" - }, - "reqtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "respfinishtime": { - "type": "long" - }, - "resplength": { - "type": "long" - }, - "resptime": { - "type": "long" - }, - "resptype": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "rsptime": { - "type": "long" - }, - "rsrp": { - "ignore_above": 1024, - "type": "keyword" - }, - "rsrq": { - "ignore_above": 1024, - "type": "keyword" - }, - "rssi": { - "ignore_above": 1024, - "type": "keyword" - }, - "scantime": { - "type": "long" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "security": { - "ignore_above": 1024, - "type": "keyword" - }, - "sentdelta": { - "type": "long" - }, - "sentpkt": { - "type": "long" - }, - "seqnum": { - "type": "long" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "server": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sessionid": { - "ignore_above": 1024, - "type": "keyword" - }, - "setuprate": { - "type": "long" - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - }, - "signal": { - "ignore_above": 1024, - "type": "keyword" - }, - "signalstrength": { - "ignore_above": 1024, - "type": "keyword" - }, - "sinr": { - "ignore_above": 1024, - "type": "keyword" - }, - "ski": { - "ignore_above": 1024, - "type": "keyword" - }, - "slamap": { - "ignore_above": 1024, - "type": "keyword" - }, - "slatargetid": { - "ignore_above": 1024, - "type": "keyword" - }, - "slot": { - "type": "long" - }, - "sn": { - "ignore_above": 1024, - "type": "keyword" - }, - "snclosest": { - "ignore_above": 1024, - "type": "keyword" - }, - "sndetected": { - "ignore_above": 1024, - "type": "keyword" - }, - "srccountry": { - "ignore_above": 1024, - "type": "keyword" - }, - "srchwvendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcintfrole": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcname": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcreputation": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcserver": { - "type": "long" - }, - "srcswversion": { - "ignore_above": 1024, - "type": "keyword" - }, - "srcuuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssid": { - "ignore_above": 1024, - "type": "keyword" - }, - "stacount": { - "ignore_above": 1024, - "type": "keyword" - }, - "stage": { - "type": "long" - }, - "stamac": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "statuscode": { - "type": "long" - }, - "subtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "sysuptime": { - "type": "long" - }, - "temperature": { - "ignore_above": 1024, - "type": "keyword" - }, - "timeoutdelete": { - "type": "long" - }, - "timestamp": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "ignore_above": 1024, - "type": "keyword" - }, - "to4": { - "ignore_above": 1024, - "type": "keyword" - }, - "to6": { - "ignore_above": 1024, - "type": "keyword" - }, - "to_vcluster": { - "ignore_above": 1024, - "type": "keyword" - }, - "total": { - "type": "long" - }, - "totalsession": { - "type": "long" - }, - "trandisp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tranip": { - "ignore_above": 1024, - "type": "keyword" - }, - "tranport": { - "ignore_above": 1024, - "type": "keyword" - }, - "transid": { - "ignore_above": 1024, - "type": "keyword" - }, - "transip": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "trueclntip": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnel_idx": { - "type": "long" - }, - "tunnelid": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunnelip": { - "ignore_above": 1024, - "type": "keyword" - }, - "tunneltype": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "u_bytes": { - "type": "long" - }, - "u_ggsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "u_gsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "u_pkts": { - "type": "long" - }, - "u_sgsn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ufseidaddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "uggsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "ugsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "ui": { - "ignore_above": 1024, - "type": "keyword" - }, - "ulimcc": { - "ignore_above": 1024, - "type": "keyword" - }, - "ulimnc": { - "ignore_above": 1024, - "type": "keyword" - }, - "unauthusersource": { - "ignore_above": 1024, - "type": "keyword" - }, - "unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "urlfilteridx": { - "type": "long" - }, - "used": { - "type": "long" - }, - "used_for_type": { - "type": "long" - }, - "usgsn6": { - "ignore_above": 1024, - "type": "keyword" - }, - "utmaction": { - "ignore_above": 1024, - "type": "keyword" - }, - "utmref": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "valid": { - "type": "long" - }, - "vcluster": { - "type": "long" - }, - "vcluster_member": { - "type": "long" - }, - "vcluster_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "vd": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "violatescore": { - "type": "long" - }, - "virus": { - "ignore_above": 1024, - "type": "keyword" - }, - "virusid": { - "ignore_above": 1024, - "type": "keyword" - }, - "voip_proto": { - "ignore_above": 1024, - "type": "keyword" - }, - "vpntunnel": { - "ignore_above": 1024, - "type": "keyword" - }, - "vwlid": { - "ignore_above": 1024, - "type": "keyword" - }, - "vwlquality": { - "ignore_above": 1024, - "type": "keyword" - }, - "wanin": { - "type": "long" - }, - "waninfo": { - "ignore_above": 1024, - "type": "keyword" - }, - "wanout": { - "type": "long" - }, - "wscode": { - "ignore_above": 1024, - "type": "keyword" - }, - "xauthgroup": { - "ignore_above": 1024, - "type": "keyword" - }, - "xauthuser": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } + "description": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" - } - }, - "type": "object" - } + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "type": { - "type": "long" } }, - "type": "object" - }, - "igmp": { - "properties": { - "type": { - "type": "long" + "checkpoint": { + "properties": { + "action_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "action_reason_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "administrator": { + "ignore_above": 1024, + "type": "keyword" + }, + "aggregated_log_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_risk": { + "type": "long" + }, + "app_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_method2": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_build": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "comment": { + "ignore_above": 1024, + "type": "keyword" + }, + "community": { + "ignore_above": 1024, + "type": "keyword" + }, + "confidence_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "conn_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "context_num": { + "ignore_above": 1024, + "type": "keyword" + }, + "contract_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "control_log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_component_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "cp_component_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvpn_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "db_ver": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_device_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "description_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_identification": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlp_incident_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_domain_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "elapsed": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "failed_login_factor_num": { + "type": "long" + }, + "fieldschanges": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency": { + "ignore_above": 1024, + "type": "keyword" + }, + "fw_subproduct": { + "ignore_above": 1024, + "type": "keyword" + }, + "host_ip": { + "type": "ip" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_policy_acceleration": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_delay": { + "ignore_above": 1024, + "type": "keyword" + }, + "logic_changes": { + "ignore_above": 1024, + "type": "keyword" + }, + "logid": { + "type": "long" + }, + "login_option": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "loguid": { + "ignore_above": 1024, + "type": "keyword" + }, + "machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_family": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "malware_rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_id": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "methods": { + "ignore_above": 1024, + "type": "keyword" + }, + "more": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_addtnl_rulenum": { + "type": "long" + }, + "nat_rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat_rulenum": { + "type": "long" + }, + "objectname": { + "ignore_above": 1024, + "type": "keyword" + }, + "objecttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "office_mode_ip": { + "type": "ip" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_number": { + "type": "long" + }, + "operation_result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation_results": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_sic_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_bits": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_build": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_edition": { + "ignore_above": 1024, + "type": "keyword" + }, + "outzonlags": { + "ignore_above": 1024, + "type": "keyword" + }, + "package_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_capture_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_capture_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "packet_capture_unique_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent_rule": { + "type": "long" + }, + "peer_gateway": { + "type": "ip" + }, + "performance_impact": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "portal_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "precise_error": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_src_ip": { + "type": "ip" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reject_id_kid": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "row_start": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "script_value_for_one_time_scripts": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_inzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_outzone": { + "ignore_above": 1024, + "type": "keyword" + }, + "sendtotrackerasadvancedauditlog": { + "ignore_above": 1024, + "type": "keyword" + }, + "ser_agent_kid": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_inbound_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_timeout": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "smartdefense_profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "snid": { + "ignore_above": 1024, + "type": "keyword" + }, + "special_properties": { + "ignore_above": 1024, + "type": "keyword" + }, + "sport_svc": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "stormagentaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "stormagentname": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "subs_exp": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscription_stat": { + "ignore_above": 1024, + "type": "keyword" + }, + "subscription_stat_desc": { + "ignore_above": 1024, + "type": "keyword" + }, + "suppressed_logs": { + "ignore_above": 1024, + "type": "keyword" + }, + "svc": { + "ignore_above": 1024, + "type": "keyword" + }, + "sys_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "syslog_severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "system_application": { + "ignore_above": 1024, + "type": "keyword" + }, + "task": { + "ignore_above": 1024, + "type": "keyword" + }, + "task_percent": { + "ignore_above": 1024, + "type": "keyword" + }, + "task_progress": { + "ignore_above": 1024, + "type": "keyword" + }, + "taskid": { + "ignore_above": 1024, + "type": "keyword" + }, + "tasktargetid": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_packet_out_of_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "time": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "update_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_dn": { + "ignore_above": 1024, + "type": "keyword" + }, + "usercheck": { + "ignore_above": 1024, + "type": "keyword" + }, + "usercheck_confirmation_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "usercheck_interaction_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpn_featurename": { + "ignore_above": 1024, + "type": "keyword" + }, + "xlatedport_svc": { + "ignore_above": 1024, + "type": "keyword" + }, + "xlatesport_svc": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "input": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "iptables": { - "properties": { - "ether_type": { - "type": "long" - }, - "flow_label": { - "type": "long" - }, - "fragment_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_code": { - "type": "long" - }, - "icmp_seq": { - "type": "long" - }, - "icmp_type": { - "type": "long" - }, - "id": { - "type": "long" - }, - "input_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "mark": { - "type": "long" - }, - "output_device": { - "ignore_above": 1024, - "type": "keyword" - }, - "precedence_bits": { - "type": "long" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_reserved_bits": { - "type": "long" - }, - "tcp_window": { - "type": "long" - }, - "tos": { - "type": "long" - }, - "ttl": { - "type": "long" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "cisco": { + "properties": { + "asa": { + "properties": { + "aaa_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned_ip": { + "type": "ip" + }, + "burst": { + "properties": { + "avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_avg_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "configured_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "cumulative_count": { + "ignore_above": 1024, + "type": "keyword" + }, + "current_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "object": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line_arguments": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "connections_in_use": { + "type": "long" + }, + "connections_most_used": { + "type": "long" + }, + "dap_records": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_user_security_group_tag": { + "type": "long" + }, + "destination_user_security_group_tag_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "destination_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "group_policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_destination_ip": { + "type": "ip" + }, + "mapped_destination_port": { + "type": "long" + }, + "mapped_source_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "mapped_source_ip": { + "type": "ip" + }, + "mapped_source_port": { + "type": "long" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_repeats": { + "type": "long" + }, + "original_iana_number": { + "type": "long" + }, + "peer_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "pool_address": { + "type": "ip" + }, + "pool_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "privilege": { + "properties": { + "new": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "redundant_interface_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rejection_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_user_security_group_tag": { + "type": "long" + }, + "source_user_security_group_tag_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_username": { + "ignore_above": 1024, + "type": "keyword" + }, + "suffix": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_initiator": { + "ignore_above": 1024, + "type": "keyword" + }, + "termination_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "trustpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_group": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "webvpn": { + "properties": { + "group_name": { + "ignore_above": 1024, + "type": "keyword" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "eapol": { + "properties": { + "descriptor": { + "type": "long" + }, + "type": { + "type": "long" + }, + "version": { + "type": "long" + } + } + }, + "interface": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ios": { + "properties": { + "access_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "message_count": { + "type": "long" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "pim": { + "properties": { + "group": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + } + }, + "type": "object" + }, + "session": { + "properties": { + "number": { + "type": "integer" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "tableid": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "meraki": { + "properties": { + "aid": { + "ignore_above": 1024, + "type": "keyword" + }, + "alertData": { + "properties": { + "connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "local": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "alertId": { + "ignore_above": 1024, + "type": "keyword" + }, + "alertType": { + "ignore_above": 1024, + "type": "keyword" + }, + "alertTypeId": { + "ignore_above": 1024, + "type": "keyword" + }, + "anyconnect_vpn_session_manager": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes_in": { + "type": "long" + }, + "bytes_out": { + "type": "long" + }, + "conn_id": { + "type": "long" + }, + "duration": { + "ignore_above": 1024, + "type": "keyword" + }, + "filter": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "peer_ip": { + "type": "ip" + }, + "peer_port": { + "type": "long" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "type": "long" + }, + "session_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_id": { + "type": "float" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "apple_da_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "arp_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "arp_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_neg_dur": { + "type": "float" + }, + "band": { + "ignore_above": 1024, + "type": "keyword" + }, + "best_ap": { + "ignore_above": 1024, + "type": "keyword" + }, + "best_ap_load": { + "type": "long" + }, + "best_ap_rssi": { + "type": "long" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "type": "long" + }, + "connectivity": { + "ignore_above": 1024, + "type": "keyword" + }, + "da_vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "details": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceTags": { + "ignore_above": 1024, + "type": "keyword" + }, + "deviceUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_lease_completed": { + "type": "float" + }, + "dhcp_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "disposition": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_req_rtt": { + "type": "float" + }, + "dns_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_server": { + "type": "ip" + }, + "download": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "float" + }, + "event_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fc_subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "fc_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "pattern": { + "ignore_above": 1024, + "type": "keyword" + }, + "rule": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "flows": { + "properties": { + "op": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "full_conn": { + "type": "float" + }, + "http_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "identity": { + "ignore_above": 1024, + "type": "keyword" + }, + "instigator": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_8021x": { + "type": "long" + }, + "is_wpa": { + "type": "long" + }, + "last_auth_ago": { + "type": "float" + }, + "load": { + "type": "long" + }, + "mxport": { + "ignore_above": 1024, + "type": "keyword" + }, + "networkId": { + "ignore_above": 1024, + "type": "keyword" + }, + "networkTags": { + "ignore_above": 1024, + "type": "keyword" + }, + "networkUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_port_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurredAt": { + "type": "date" + }, + "old_port_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizationUrl": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_contact": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_ident": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "radio": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "type": "long" + }, + "security": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "decision": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhost": { + "ignore_above": 1024, + "type": "keyword" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "sentAt": { + "type": "date" + }, + "server_ip": { + "type": "ip" + }, + "server_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "sharedSecret": { + "ignore_above": 1024, + "type": "keyword" + }, + "site_to_site_vpn": { + "properties": { + "raw": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "src": { + "ignore_above": 1024, + "type": "keyword" + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "upload": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "vap": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "type": "long" + }, + "vpn_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "wired_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "wired_vlan": { + "type": "long" + } + }, + "type": "object" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "wps": { + "properties": { + "channel": { + "type": "long" + }, + "hits": { + "type": "long" + }, + "preced": { + "type": "long" + }, + "slot": { + "type": "long" + }, + "track": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "id": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "f5_bigip": { + "properties": { + "log": { + "properties": { + "abandoned_conns": { + "type": "long" + }, + "accept_fails": { + "type": "long" + }, + "accepts": { + "type": "long" + }, + "access": { + "properties": { + "policy_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "acl": { + "properties": { + "policy": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "active_conns": { + "type": "long" + }, + "actual_mitigation_action": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "additional_bot_signatures": { + "ignore_above": 1024, + "type": "keyword" + }, + "afm_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "aggr_interval": { + "type": "long" + }, + "anomalies": { + "ignore_above": 1024, + "type": "keyword" + }, + "anomaly_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "apm_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "application": { + "properties": { + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "max_time": { + "type": "long" + }, + "min_time": { + "type": "long" + }, + "time": { + "type": "long" + } + } + } + } + }, + "application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "asm_attack_signatures": { + "type": "object" + }, + "asm_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "properties": { + "count": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitigation_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vector_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bad_actor": { + "properties": { + "detection": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "drops": { + "type": "long" + }, + "events": { + "type": "long" + }, + "mitigation": { + "properties": { + "max": { + "type": "long" + }, + "min": { + "type": "long" + } + } + } + } + }, + "base_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "bigip_management": { + "properties": { + "ip": { + "type": "ip" + }, + "ip2": { + "type": "ip" + }, + "ip_2": { + "type": "ip" + } + } + }, + "blocking_exception_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "bot_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "bot_signature": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "browser_actual_verification_action": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "browser_configured_verification_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "browser_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "browser_verification_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "bytes": { + "properties": { + "in": { + "type": "long" + }, + "out": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "callback_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "captcha_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "captcha_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "chassis_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "ip": { + "type": "ip" + }, + "ip_geo_location": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "latency": { + "properties": { + "hit_count": { + "type": "long" + }, + "max": { + "type": "long" + }, + "total": { + "type": "long" + } + } + }, + "port": { + "type": "long" + }, + "request_uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client_side": { + "properties": { + "network": { + "properties": { + "latency": { + "type": "long" + }, + "max_latency": { + "type": "long" + }, + "min_latency": { + "type": "long" + } + } + } + } + }, + "client_ttfb": { + "properties": { + "hit_count": { + "type": "long" + }, + "max": { + "type": "long" + }, + "min": { + "type": "long" + }, + "value": { + "type": "long" + } + } + }, + "compression_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "concurrent": { + "properties": { + "connections": { + "properties": { + "avg": { + "type": "long" + }, + "health": { + "type": "long" + }, + "max": { + "type": "long" + } + } + }, + "users": { + "properties": { + "max": { + "type": "long" + } + } + } + } + }, + "config_ready": { + "ignore_above": 1024, + "type": "keyword" + }, + "config_sync_succeeded": { + "type": "boolean" + }, + "configuration_date_time": { + "type": "date" + }, + "configured_mitigation_action": { + "properties": { + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "connections_performance": { + "properties": { + "activeSslClientConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "activeSslServerConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "blade1": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "blade2": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientAccepts": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientConnects": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "connections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "httpRequests": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "newSslClientConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "newSslServerConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pvaClient": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pvaServer": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverNewConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverNewTcpConnections": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "context": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "continent": { + "ignore_above": 1024, + "type": "keyword" + }, + "conviction_traps": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "properties": { + "analysis_plane": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "avg": { + "type": "long" + }, + "control_plane": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "data_plane": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "health": { + "type": "long" + } + } + }, + "cpu_value": { + "type": "long" + }, + "credential_stuffing_lookup_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "date_time": { + "type": "date" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "dest": { + "properties": { + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "ipint_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "detection": { + "properties": { + "avg": { + "type": "long" + } + } + }, + "device": { + "properties": { + "blade": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "device_id": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "diagnostics": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "cve_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "header": { + "ignore_above": 1024, + "type": "keyword" + }, + "importance": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "solution": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "properties": { + "fix": { + "type": "long" + }, + "maintenance": { + "type": "long" + }, + "major": { + "type": "long" + }, + "minor": { + "type": "long" + }, + "point": { + "type": "long" + } + } + } }, - "mtu": { - "type": "long" + "type": "nested" + }, + "disk_latency": { + "type": "object" + }, + "disk_storage": { + "type": "object" + }, + "dos": { + "properties": { + "attack": { + "properties": { + "detection_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "latency": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tps": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "baseline": { + "properties": { + "latency": { + "ignore_above": 1024, + "type": "keyword" + }, + "tps": { + "ignore_above": 1024, + "type": "keyword" + }, + "traffic_percent": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "current_traffic_percent": { + "ignore_above": 1024, + "type": "keyword" + }, + "dropped_requests_count": { + "type": "long" + }, + "incoming_requests_count": { + "type": "long" + }, + "mobile_app": { + "properties": { + "client_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "display_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dos_detection": { + "properties": { + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "threshold": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dos_mitigate_to_threshold": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_mitigation": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "threshold": { + "type": "long" + } + } + }, + "drop_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst": { + "properties": { + "geo": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "enforced_by": { + "ignore_above": 1024, + "type": "keyword" + }, + "enforcement_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity": { + "ignore_above": 1024, + "type": "keyword" + }, + "eoc": { + "properties": { + "timestamp": { + "type": "date" + } + } + }, + "epoch_time": { + "type": "date" + }, + "errdefs": { + "properties": { + "msg_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgno": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + } + } + }, + "events": { + "properties": { + "total": { + "type": "long" + } + } + }, + "expired_conns": { + "type": "long" + }, + "extra_fields": { + "properties": { + "support_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "failed_conns": { + "type": "long" + }, + "failover_color": { + "ignore_above": 1024, + "type": "keyword" + }, + "failover_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "flow": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "info": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "global_bigiq_conf": { + "ignore_above": 1024, + "type": "keyword" + }, + "gtm_config_time": { + "type": "date" + }, + "hardware_drops": { + "type": "long" + }, + "headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "hit_count": { + "type": "long" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "cache_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "class_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "other_headers": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pragma": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_indication": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_host": { + "type": "ip" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "human_behaviour": { + "ignore_above": 1024, + "type": "keyword" + }, + "hw": { + "properties": { + "cookie_valid": { + "type": "long" + } + } + }, + "imei": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_address_intelligence": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_reputation": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_with_route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_attacking_ip": { + "type": "boolean" + }, + "is_internal_activity": { + "type": "boolean" + }, + "is_mobile_device": { + "type": "boolean" + }, + "is_truncated": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_trunct": { + "ignore_above": 1024, + "type": "keyword" + }, + "jailbroken_or_rooted_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "last_afm_deploy": { + "type": "date" + }, + "last_asm_change": { + "type": "date" + }, + "latency_histogram": { + "ignore_above": 1024, + "type": "keyword" + }, + "license_ready": { + "ignore_above": 1024, + "type": "keyword" + }, + "likely_false_positive_sig_ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "listener": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "login_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "ltm_config_time": { + "type": "date" + }, + "machine_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "management": { + "properties": { + "ip_address": { + "type": "ip" + }, + "ip_address_2": { + "type": "ip" + } + } + }, + "marketing_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "max_active_conns": { + "type": "long" + }, + "memory": { + "properties": { + "avg": { + "type": "long" + }, + "health": { + "type": "long" + } + } + }, + "memory_value": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mgmt_ip": { + "type": "ip" + }, + "micro_service": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "matched_wildcard_url": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "microservice": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitigation": { + "properties": { + "max": { + "type": "long" + }, + "min": { + "type": "long" + } + } + }, + "mobile_application": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mobile_in_emulation_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mobile_is_app": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network_interfaces": { + "type": "object" + }, + "new_conns": { + "type": "long" + }, + "new_request_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "type": "ip" + }, + "node_port": { + "type": "long" + }, + "object_tags_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "partition": { + "ignore_above": 1024, + "type": "keyword" + }, + "partition_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "password_hash_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "policy": { + "properties": { + "apply_date": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pool": { + "properties": { + "ip": { + "type": "ip" + }, + "ip_route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + } + } + }, + "previous": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "initiated_action": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_date_time": { + "type": "date" + }, + "requests_status": { + "type": "date" + }, + "support_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "profile_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "provision_ready": { + "ignore_above": 1024, + "type": "keyword" + }, + "provisioning": { + "type": "object" + }, + "query": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sam_account_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_principle_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reported_entity_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "reputation": { + "ignore_above": 1024, + "type": "keyword" + }, + "req": { + "properties": { + "elapsed_time": { + "type": "long" + }, + "start_time": { + "type": "date" + } + } + }, + "request": { + "properties": { + "accept": { + "ignore_above": 1024, + "type": "keyword" + }, + "cache_control": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection": { + "ignore_above": 1024, + "type": "keyword" + }, + "date_time": { + "type": "date" + }, + "detail": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "duration_hit_count": { + "type": "long" + }, + "host": { + "ignore_above": 1024, + "type": "keyword" + }, + "max_duration": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "min_duration": { + "type": "long" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_agent": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_forwarded_for": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request_date_time": { + "type": "date" + }, + "request_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "res": { + "properties": { + "start_time": { + "type": "date" + } + } + }, + "resp": { + "ignore_above": 1024, + "type": "keyword" + }, + "response": { + "properties": { + "code": { + "type": "long" + }, + "duration": { + "type": "long" + }, + "duration_hit_count": { + "type": "long" + }, + "max_duration": { + "type": "long" + }, + "min_duration": { + "type": "long" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "rxbad_cookie": { + "type": "long" + }, + "rxbadseg": { + "type": "long" + }, + "rxbadsum": { + "type": "long" + }, + "rxcookie": { + "type": "long" + }, + "rxooseg": { + "type": "long" + }, + "rxrst": { + "type": "long" + }, + "sa_translation": { + "properties": { + "pool": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "send_to_vs": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "properties": { + "hit_count": { + "type": "long" + }, + "ip": { + "type": "ip" + }, + "latency": { + "properties": { + "max": { + "type": "long" + }, + "min": { + "type": "long" + }, + "total": { + "type": "long" + } + } + } + } + }, + "server_side": { + "properties": { + "network": { + "properties": { + "latency": { + "type": "long" + }, + "max_latency": { + "type": "long" + }, + "min_latency": { + "type": "long" + } + } + } + } + }, + "session": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sig": { + "properties": { + "cves": { + "ignore_above": 1024, + "type": "keyword" + }, + "ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "names": { + "ignore_above": 1024, + "type": "keyword" + }, + "set_names": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "slot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "number": { + "type": "long" + } + } + }, + "sndpack": { + "type": "long" + }, + "software_drops": { + "type": "long" + }, + "sos": { + "properties": { + "application_response_time": { + "type": "long" + }, + "client_side_network_latency": { + "type": "long" + }, + "client_ttfb": { + "type": "long" + }, + "request_duration": { + "type": "long" + }, + "response_duration": { + "type": "long" + }, + "server_side_network_latency": { + "type": "long" + } + } + }, + "source": { + "properties": { + "fqdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "ip_route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipint_categories": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_group": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "src": { + "properties": { + "geo": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "staged": { + "properties": { + "sig": { + "properties": { + "cves": { + "ignore_above": 1024, + "type": "keyword" + }, + "ids": { + "ignore_above": 1024, + "type": "keyword" + }, + "names": { + "ignore_above": 1024, + "type": "keyword" + }, + "set_names": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat_campaign_names": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "stat_src": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "sub_violations": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnet": { + "properties": { + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "route_domain": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "support": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "swap": { + "type": "long" + }, + "sync_color": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "sync_summary": { + "ignore_above": 1024, + "type": "keyword" + }, + "syncacheover": { + "type": "long" + }, + "system": { + "properties": { + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ihealth_link": { + "ignore_above": 1024, + "type": "keyword" + }, + "qkview_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system_timestamp": { + "type": "date" + }, + "tap": { + "properties": { + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "requested_actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "sent_token": { + "type": "long" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vid": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tcp_prof": { + "ignore_above": 1024, + "type": "keyword" + }, + "telemetry": { + "properties": { + "event": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "timestamp": { + "type": "date" + } + } + }, + "telemetry_service_info": { + "properties": { + "cycle_end": { + "type": "date" + }, + "cycle_start": { + "type": "date" + }, + "polling_interval": { + "type": "long" + } + } + }, + "tenant": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat_campaign_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "throughput": { + "properties": { + "avg": { + "type": "long" + }, + "health": { + "type": "long" + }, + "req_per_interval": { + "properties": { + "total": { + "type": "long" + } + } + }, + "req_per_sec": { + "properties": { + "max": { + "type": "long" + } + } + }, + "resp_per_interval": { + "properties": { + "total": { + "type": "long" + } + } + }, + "resp_per_sec": { + "properties": { + "max": { + "type": "long" + } + } + } + } + }, + "throughput_performance": { + "properties": { + "clientBitsIn": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientBitsOut": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientIn": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "clientOut": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "compression": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inBits": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inPackets": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "managementBitsIn": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "managementBitsOut": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "outBits": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "outPackets": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverBitsIn": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverBitsOut": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverIn": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serverOut": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serviceBits": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "servicePackets": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sslTps": { + "properties": { + "average": { + "type": "long" + }, + "current": { + "type": "long" + }, + "max": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "timestamp": { + "type": "date" + }, + "tmm_cpu": { + "type": "long" + }, + "tmm_memory": { + "type": "long" + }, + "tmm_traffic": { + "properties": { + "client_side_traffic": { + "properties": { + "bits_in": { + "type": "long" + }, + "bits_out": { + "type": "long" + } + } + }, + "server_side_traffic": { + "properties": { + "bits_in": { + "type": "long" + }, + "bits_out": { + "type": "long" + } + } + } + } + }, + "tps": { + "properties": { + "max": { + "type": "float" + } + } + }, + "transaction_outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "translated": { + "properties": { + "dest": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "ip_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "route_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "vlan": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "txrexmits": { + "type": "long" + }, + "unit_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit_hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "uri": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessions": { + "properties": { + "new_total": { + "type": "long" + } + } + } + } + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_build": { + "ignore_above": 1024, + "type": "keyword" + }, + "violate_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "violation": { + "properties": { + "details": { + "ignore_above": 1024, + "type": "keyword" + }, + "rating": { + "type": "long" + } + } + }, + "violations": { + "ignore_above": 1024, + "type": "keyword" + }, + "vip": { + "ignore_above": 1024, + "type": "keyword" + }, + "virtual": { + "properties": { + "ip": { + "type": "ip" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "virtual_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "virus_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "ignore_above": 1024, + "type": "keyword" + }, + "vs_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "web_application_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "websocket": { + "properties": { + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wl_events": { + "type": "long" + }, + "x_forwarded_for_header_value": { + "type": "ip" + } + } + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "fortinet": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "addrgrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "advpnsc": { + "ignore_above": 1024, + "type": "keyword" + }, + "age": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "alert": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticscksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "analyticssubmit": { + "ignore_above": 1024, + "type": "keyword" + }, + "apn": { + "ignore_above": 1024, + "type": "keyword" + }, + "app": { + "ignore_above": 1024, + "type": "keyword" + }, + "appact": { + "ignore_above": 1024, + "type": "keyword" + }, + "appid": { + "ignore_above": 1024, + "type": "keyword" + }, + "applist": { + "ignore_above": 1024, + "type": "keyword" + }, + "apprisk": { + "ignore_above": 1024, + "type": "keyword" + }, + "apscan": { + "ignore_above": 1024, + "type": "keyword" + }, + "apstatus": { + "ignore_above": 1024, + "type": "keyword" + }, + "aptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "assigned": { + "ignore_above": 1024, + "type": "keyword" + }, + "assignip": { + "ignore_above": 1024, + "type": "keyword" + }, + "attack": { + "ignore_above": 1024, + "type": "keyword" + }, + "attackid": { + "ignore_above": 1024, + "type": "keyword" + }, + "auditid": { + "type": "long" + }, + "auditreporttype": { + "ignore_above": 1024, + "type": "keyword" + }, + "auditscore": { + "ignore_above": 1024, + "type": "keyword" + }, + "audittime": { + "type": "long" + }, + "authmsg": { + "ignore_above": 1024, + "type": "keyword" + }, + "authproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "authserver": { + "ignore_above": 1024, + "type": "keyword" + }, + "bandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "bibandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "bssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_bytes": { + "type": "long" + }, + "c_ggsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_gsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "c_pkts": { + "type": "long" + }, + "c_sgsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "carrier": { + "ignore_above": 1024, + "type": "keyword" + }, + "cat": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgattr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgobj": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgpath": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfgtid": { + "ignore_above": 1024, + "type": "keyword" + }, + "cfseidaddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cggsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cgsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "channeltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "clashtunnelidx": { + "type": "long" + }, + "cldobjid": { + "ignore_above": 1024, + "type": "keyword" + }, + "clientip": { + "ignore_above": 1024, + "type": "keyword" + }, + "clustername": { + "ignore_above": 1024, + "type": "keyword" + }, + "connection_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "cookies": { + "ignore_above": 1024, + "type": "keyword" + }, + "core": { + "ignore_above": 1024, + "type": "keyword" + }, + "count": { + "type": "long" + }, + "countapp": { + "type": "long" + }, + "countav": { + "type": "long" + }, + "countcasb": { + "type": "long" + }, + "countcifs": { + "type": "long" + }, + "countdlp": { + "type": "long" + }, + "countdns": { + "type": "long" + }, + "countemail": { + "type": "long" + }, + "countff": { + "type": "long" + }, + "counticap": { + "type": "long" + }, + "countips": { + "type": "long" + }, + "countsctpf": { + "type": "long" + }, + "countssh": { + "type": "long" + }, + "countssl": { + "type": "long" + }, + "countwaf": { + "type": "long" + }, + "countweb": { + "type": "long" + }, + "cpaddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpaddr6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpdladdr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpdladdr6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpdlisraddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpdlisraddr6": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu": { + "type": "long" + }, + "cpuladdr": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpuladdr6": { + "ignore_above": 1024, + "type": "keyword" + }, + "craction": { + "type": "long" + }, + "criticalcount": { + "type": "long" + }, + "crlevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "crscore": { + "type": "long" + }, + "csgsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "deltabytes": { + "type": "long" + }, + "desc": { + "norms": false, + "type": "text" + }, + "detectionmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "devcategory": { + "ignore_above": 1024, + "type": "keyword" + }, + "devtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "disk": { + "type": "long" + }, + "disklograte": { + "type": "long" + }, + "dlpextra": { + "ignore_above": 1024, + "type": "keyword" + }, + "dlpfilteridx": { + "type": "long" + }, + "domainctrlauthstate": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlauthtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainctrlprotocoltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "domainfilteridx": { + "type": "long" + }, + "dstcountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "dsthwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstreputation": { + "ignore_above": 1024, + "type": "keyword" + }, + "dstserver": { + "type": "long" + }, + "dstuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "encryption": { + "ignore_above": 1024, + "type": "keyword" + }, + "end_usr_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "endusraddress6": { + "ignore_above": 1024, + "type": "keyword" + }, + "epoch": { + "type": "long" + }, + "fams_pause": { + "ignore_above": 1024, + "type": "keyword" + }, + "fazlograte": { + "type": "long" + }, + "fctemssn": { + "ignore_above": 1024, + "type": "keyword" + }, + "fctuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtercat": { + "ignore_above": 1024, + "type": "keyword" + }, + "filteridx": { + "type": "long" + }, + "filtername": { + "ignore_above": 1024, + "type": "keyword" + }, + "filtertype": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwardedfor": { + "ignore_above": 1024, + "type": "keyword" + }, + "freediskstorage": { + "type": "long" + }, + "from": { + "ignore_above": 1024, + "type": "keyword" + }, + "from4": { + "ignore_above": 1024, + "type": "keyword" + }, + "from6": { + "ignore_above": 1024, + "type": "keyword" + }, + "from_vcluster": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_group": { + "type": "long" + }, + "ha_prio": { + "ignore_above": 1024, + "type": "keyword" + }, + "ha_role": { + "ignore_above": 1024, + "type": "keyword" + }, + "handshake": { + "ignore_above": 1024, + "type": "keyword" + }, + "healthcheck": { + "ignore_above": 1024, + "type": "keyword" + }, + "highcount": { + "type": "long" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "httpmethod": { + "ignore_above": 1024, + "type": "keyword" + }, + "iccid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmpid": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "ietype": { + "ignore_above": 1024, + "type": "keyword" + }, + "imei": { + "ignore_above": 1024, + "type": "keyword" + }, + "imsi": { + "ignore_above": 1024, + "type": "keyword" + }, + "inbandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "incidentserialno": { + "type": "long" + }, + "infectedfilelevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "infectedfilesize": { + "type": "long" + }, + "init": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "jitter": { + "type": "long" + }, + "keysize": { + "type": "long" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "kxproto": { + "ignore_above": 1024, + "type": "keyword" + }, + "lanin": { + "type": "long" + }, + "lanout": { + "type": "long" + }, + "latency": { + "type": "long" + }, + "lease": { + "ignore_above": 1024, + "type": "keyword" + }, + "license_limit": { + "ignore_above": 1024, + "type": "keyword" + }, + "linked_nsapi": { + "ignore_above": 1024, + "type": "keyword" + }, + "live": { + "ignore_above": 1024, + "type": "keyword" + }, + "localdevcount": { + "type": "long" + }, + "login": { + "ignore_above": 1024, + "type": "keyword" + }, + "lowcount": { + "type": "long" + }, + "manuf": { + "ignore_above": 1024, + "type": "keyword" + }, + "masterdstmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mastersrcmac": { + "ignore_above": 1024, + "type": "keyword" + }, + "mediumcount": { + "type": "long" + }, + "mem": { + "type": "long" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "metric": { + "ignore_above": 1024, + "type": "keyword" + }, + "mitm": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "msg_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netid": { + "ignore_above": 1024, + "type": "keyword" + }, + "newchannel": { + "ignore_above": 1024, + "type": "keyword" + }, + "newslot": { + "ignore_above": 1024, + "type": "keyword" + }, + "newvalue": { + "ignore_above": 1024, + "type": "keyword" + }, + "nextstat": { + "ignore_above": 1024, + "type": "keyword" + }, + "noise": { + "ignore_above": 1024, + "type": "keyword" + }, + "nsapi": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocrlog": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldchannel": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldslot": { + "ignore_above": 1024, + "type": "keyword" + }, + "oldvalue": { + "ignore_above": 1024, + "type": "keyword" + }, + "onwire": { + "ignore_above": 1024, + "type": "keyword" + }, + "osname": { + "ignore_above": 1024, + "type": "keyword" + }, + "outbandwidth": { + "ignore_above": 1024, + "type": "keyword" + }, + "outintf": { + "ignore_above": 1024, + "type": "keyword" + }, + "packetloss": { + "ignore_above": 1024, + "type": "keyword" + }, + "passedcount": { + "type": "long" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_notif": { + "ignore_above": 1024, + "type": "keyword" + }, + "phonenumber": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "plan": { + "ignore_above": 1024, + "type": "keyword" + }, + "policymode": { + "ignore_above": 1024, + "type": "keyword" + }, + "policytype": { + "ignore_above": 1024, + "type": "keyword" + }, + "poluuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "prefetch": { + "type": "long" + }, + "processtime": { + "type": "long" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxyapptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "qtypeval": { + "type": "long" + }, + "quarskip": { + "ignore_above": 1024, + "type": "keyword" + }, + "quotamax": { + "type": "long" + }, + "quotaused": { + "type": "long" + }, + "radioband": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioidclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "radioiddetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdata": { + "ignore_above": 1024, + "type": "keyword" + }, + "rawdataid": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcode": { + "ignore_above": 1024, + "type": "keyword" + }, + "rcvddelta": { + "type": "long" + }, + "reqlength": { + "type": "long" + }, + "reqtime": { + "type": "long" + }, + "reqtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "respfinishtime": { + "type": "long" + }, + "resplength": { + "type": "long" + }, + "resptime": { + "type": "long" + }, + "resptype": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "rsptime": { + "type": "long" + }, + "rsrp": { + "ignore_above": 1024, + "type": "keyword" + }, + "rsrq": { + "ignore_above": 1024, + "type": "keyword" + }, + "rssi": { + "ignore_above": 1024, + "type": "keyword" + }, + "scantime": { + "type": "long" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "security": { + "ignore_above": 1024, + "type": "keyword" + }, + "sentdelta": { + "type": "long" + }, + "sentpkt": { + "type": "long" + }, + "seqnum": { + "type": "long" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "server": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sessionid": { + "ignore_above": 1024, + "type": "keyword" + }, + "setuprate": { + "type": "long" + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + }, + "signal": { + "ignore_above": 1024, + "type": "keyword" + }, + "signalstrength": { + "ignore_above": 1024, + "type": "keyword" + }, + "sinr": { + "ignore_above": 1024, + "type": "keyword" + }, + "ski": { + "ignore_above": 1024, + "type": "keyword" + }, + "slamap": { + "ignore_above": 1024, + "type": "keyword" + }, + "slatargetid": { + "ignore_above": 1024, + "type": "keyword" + }, + "slot": { + "type": "long" + }, + "sn": { + "ignore_above": 1024, + "type": "keyword" + }, + "snclosest": { + "ignore_above": 1024, + "type": "keyword" + }, + "sndetected": { + "ignore_above": 1024, + "type": "keyword" + }, + "srccountry": { + "ignore_above": 1024, + "type": "keyword" + }, + "srchwvendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcintfrole": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcname": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcreputation": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcserver": { + "type": "long" + }, + "srcswversion": { + "ignore_above": 1024, + "type": "keyword" + }, + "srcuuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssid": { + "ignore_above": 1024, + "type": "keyword" + }, + "stacount": { + "ignore_above": 1024, + "type": "keyword" + }, + "stage": { + "type": "long" + }, + "stamac": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "statuscode": { + "type": "long" + }, + "subtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "sysuptime": { + "type": "long" + }, + "temperature": { + "ignore_above": 1024, + "type": "keyword" + }, + "timeoutdelete": { + "type": "long" + }, + "timestamp": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "ignore_above": 1024, + "type": "keyword" + }, + "to4": { + "ignore_above": 1024, + "type": "keyword" + }, + "to6": { + "ignore_above": 1024, + "type": "keyword" + }, + "to_vcluster": { + "ignore_above": 1024, + "type": "keyword" + }, + "total": { + "type": "long" + }, + "totalsession": { + "type": "long" + }, + "trandisp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tranip": { + "ignore_above": 1024, + "type": "keyword" + }, + "tranport": { + "ignore_above": 1024, + "type": "keyword" + }, + "transid": { + "ignore_above": 1024, + "type": "keyword" + }, + "transip": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "trueclntip": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnel_idx": { + "type": "long" + }, + "tunnelid": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunnelip": { + "ignore_above": 1024, + "type": "keyword" + }, + "tunneltype": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "u_bytes": { + "type": "long" + }, + "u_ggsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "u_gsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "u_pkts": { + "type": "long" + }, + "u_sgsn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ufseidaddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "uggsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "ugsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "ui": { + "ignore_above": 1024, + "type": "keyword" + }, + "ulimcc": { + "ignore_above": 1024, + "type": "keyword" + }, + "ulimnc": { + "ignore_above": 1024, + "type": "keyword" + }, + "unauthusersource": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "urlfilteridx": { + "type": "long" + }, + "used": { + "type": "long" + }, + "used_for_type": { + "type": "long" + }, + "usgsn6": { + "ignore_above": 1024, + "type": "keyword" + }, + "utmaction": { + "ignore_above": 1024, + "type": "keyword" + }, + "utmref": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "valid": { + "type": "long" + }, + "vcluster": { + "type": "long" + }, + "vcluster_member": { + "type": "long" + }, + "vcluster_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "vd": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "violatescore": { + "type": "long" + }, + "virus": { + "ignore_above": 1024, + "type": "keyword" + }, + "virusid": { + "ignore_above": 1024, + "type": "keyword" + }, + "voip_proto": { + "ignore_above": 1024, + "type": "keyword" + }, + "vpntunnel": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlid": { + "ignore_above": 1024, + "type": "keyword" + }, + "vwlquality": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanin": { + "type": "long" + }, + "waninfo": { + "ignore_above": 1024, + "type": "keyword" + }, + "wanout": { + "type": "long" + }, + "wscode": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthgroup": { + "ignore_above": 1024, + "type": "keyword" + }, + "xauthuser": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "type": { + "type": "long" + } + }, + "type": "object" + }, + "igmp": { + "properties": { + "type": { + "type": "long" + } + }, + "type": "object" + }, + "input": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "iptables": { + "properties": { + "ether_type": { + "type": "long" + }, + "flow_label": { + "type": "long" + }, + "fragment_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_code": { + "type": "long" + }, + "icmp_seq": { + "type": "long" + }, + "icmp_type": { + "type": "long" + }, + "id": { + "type": "long" + }, + "input_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "mark": { + "type": "long" + }, + "output_device": { + "ignore_above": 1024, + "type": "keyword" + }, + "precedence_bits": { + "type": "long" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_reserved_bits": { + "type": "long" + }, + "tcp_window": { + "type": "long" + }, + "tos": { + "type": "long" + }, + "ttl": { + "type": "long" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "payload": { - "ignore_above": 1024, - "type": "keyword" - }, - "pfsense": { - "properties": { - "dhcp_subnet": { - "ignore_above": 1024, - "type": "keyword" - }, - "firewall_rule_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "icmp_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_id": { - "type": "long" - }, - "ip_offset": { - "type": "long" - }, - "ip_tos": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip_ttl": { - "type": "long" - }, - "tcp_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_length": { - "type": "long" - }, - "tcp_options": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp_seq": { - "type": "long" - }, - "tcp_window": { - "type": "long" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "state": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sonicwall": { - "properties": { - "firewall": { - "properties": { - "af_polid": { - "type": "long" - }, - "app": { - "type": "long" - }, - "app_cat": { - "ignore_above": 1024, - "type": "keyword" - }, - "app_id": { - "type": "long" - }, - "app_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_id": { - "type": "long" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "type": "long" - }, - "dpi": { - "type": "boolean" - }, - "event_group_category": { - "ignore_above": 1024, - "type": "keyword" - }, - "gcat": { - "type": "long" - }, - "ips_cat": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "sess": { - "ignore_above": 1024, - "type": "keyword" - }, - "tranx_id": { - "type": "long" - }, - "type": { - "type": "long" - }, - "user_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "payload": { + "ignore_above": 1024, + "type": "keyword" + }, + "pfsense": { + "properties": { + "dhcp_subnet": { + "ignore_above": 1024, + "type": "keyword" + }, + "firewall_rule_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "icmp_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_id": { + "type": "long" + }, + "ip_offset": { + "type": "long" + }, + "ip_tos": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip_ttl": { + "type": "long" + }, + "tcp_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_length": { + "type": "long" + }, + "tcp_options": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp_seq": { + "type": "long" + }, + "tcp_window": { + "type": "long" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sonicwall": { + "properties": { + "firewall": { + "properties": { + "af_polid": { + "type": "long" + }, + "app": { + "type": "long" + }, + "app_cat": { + "ignore_above": 1024, + "type": "keyword" + }, + "app_id": { + "type": "long" + }, + "app_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_id": { + "type": "long" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "type": "long" + }, + "dpi": { + "type": "boolean" + }, + "event_group_category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gcat": { + "type": "long" + }, + "ips_cat": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "sess": { + "ignore_above": 1024, + "type": "keyword" + }, + "tranx_id": { + "type": "long" + }, + "type": { + "type": "long" + }, + "user_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 4000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-network-activity" } } diff --git a/plugins/setup/src/main/resources/templates/streams/other.json b/plugins/setup/src/main/resources/templates/streams/other.json index a5bbc1ac..19e461e8 100644 --- a/plugins/setup/src/main/resources/templates/streams/other.json +++ b/plugins/setup/src/main/resources/templates/streams/other.json @@ -1,8300 +1,8303 @@ { "index_patterns": [ - "wazuh-events-v5-other-*" + "wazuh-events-v5-other*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-other" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "write": { + "properties": { + "bytes": { + "type": "long" + } } } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" } } } }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } - } - } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "role": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 2500, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-other" } } diff --git a/plugins/setup/src/main/resources/templates/streams/security.json b/plugins/setup/src/main/resources/templates/streams/security.json index cf789ad5..bbb004df 100644 --- a/plugins/setup/src/main/resources/templates/streams/security.json +++ b/plugins/setup/src/main/resources/templates/streams/security.json @@ -1,10262 +1,10265 @@ { "index_patterns": [ - "wazuh-events-v5-security-*" + "wazuh-events-v5-security*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 3000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-security" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "modsecurity": { - "properties": { - "audit_data_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_data_messages": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_data_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_messages_details": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_messages_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_producer_connector": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_response_headers_Server": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "modsecurity": { + "properties": { + "audit_data_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_data_messages": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_data_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_messages_details": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_messages_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_producer_connector": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_response_headers_Server": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "snort": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "dgm": { - "properties": { - "length": { - "type": "long" - } - } - }, - "eth": { - "properties": { - "length": { - "type": "long" - } - } - }, - "gid": { - "type": "long" - }, - "icmp": { - "properties": { - "code": { - "type": "long" - }, - "id": { - "type": "long" - }, - "seq": { - "type": "long" - }, - "type": { - "type": "long" - } - } - }, - "ip": { - "properties": { - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "type": "long" - }, - "length": { - "type": "long" - }, - "tos": { - "type": "long" - }, - "ttl": { - "type": "long" - } - } - }, - "sid": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcp": { - "properties": { - "ack": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "length": { - "type": "long" - }, - "seq": { - "type": "long" - }, - "window": { - "type": "long" - } - } - }, - "udp": { - "properties": { - "length": { - "type": "long" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "suricata": { - "properties": { - "alert": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "type": "long" - }, - "metadata": { - "properties": { - "attack_target": { - "ignore_above": 1024, - "type": "keyword" - }, - "capec_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "created_at": { - "type": "date" - }, - "cve": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v2_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_base": { - "ignore_above": 1024, - "type": "keyword" - }, - "cvss_v3_temporal": { - "ignore_above": 1024, - "type": "keyword" - }, - "cwe_id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "rev": { - "type": "long" - }, - "signature": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_id": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "id": { - "type": "long" - }, - "rrname": { - "ignore_above": 1024, - "type": "keyword" - }, - "rrtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "tx_id": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "fileinfo": { - "properties": { - "gaps": { - "type": "boolean" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "stored": { - "type": "boolean" - }, - "tx_id": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "age": { - "type": "long" - }, - "alerted": { - "type": "boolean" - }, - "end": { - "type": "date" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "flow_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "http": { - "properties": { - "http_content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_port": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "in_iface": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh": { - "properties": { - "client": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "server": { - "properties": { - "proto_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } } - } - }, - "stats": { - "properties": { - "app_layer": { - "properties": { - "flow": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "failed_tcp": { - "type": "long" - }, - "failed_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "imap": { - "type": "long" - }, - "msn": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } - } - }, - "tx": { - "properties": { - "dcerpc_tcp": { - "type": "long" - }, - "dcerpc_udp": { - "type": "long" - }, - "dns_tcp": { - "type": "long" - }, - "dns_udp": { - "type": "long" - }, - "ftp": { - "type": "long" - }, - "http": { - "type": "long" - }, - "smb": { - "type": "long" - }, - "smtp": { - "type": "long" - }, - "ssh": { - "type": "long" - }, - "tls": { - "type": "long" - } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "capture": { - "properties": { - "kernel_drops": { - "type": "long" - }, - "kernel_ifdrops": { - "type": "long" - }, - "kernel_packets": { - "type": "long" - } - } - }, - "decoder": { - "properties": { - "avg_pkt_size": { - "type": "long" - }, - "bytes": { - "type": "long" - }, - "dce": { - "properties": { - "pkt_too_small": { - "type": "long" - } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "erspan": { - "type": "long" - }, - "ethernet": { - "type": "long" - }, - "gre": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "ieee8021ah": { - "type": "long" - }, - "invalid": { - "type": "long" - }, - "ipraw": { - "properties": { - "invalid_ip_version": { - "type": "long" - } + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } }, - "ipv4": { - "type": "long" - }, - "ipv4_in_ipv6": { - "type": "long" - }, - "ipv6": { - "type": "long" - }, - "ipv6_in_ipv6": { - "type": "long" - }, - "ltnull": { - "properties": { - "pkt_too_small": { - "type": "long" - }, - "unsupported_type": { - "type": "long" - } - } - }, - "max_pkt_size": { - "type": "long" - }, - "mpls": { - "type": "long" - }, - "null": { - "type": "long" - }, - "pkts": { - "type": "long" - }, - "ppp": { - "type": "long" - }, - "pppoe": { - "type": "long" - }, - "raw": { - "type": "long" - }, - "sctp": { - "type": "long" - }, - "sll": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "teredo": { - "type": "long" - }, - "udp": { - "type": "long" - }, - "vlan": { - "type": "long" - }, - "vlan_qinq": { - "type": "long" - } + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" } - }, - "defrag": { - "properties": { - "ipv4": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "fragments": { - "type": "long" - }, - "reassembled": { - "type": "long" - }, - "timeouts": { - "type": "long" - } - } - }, - "max_frag_hits": { - "type": "long" - } - } - }, - "detect": { - "properties": { - "alert": { - "type": "long" - } - } - }, - "dns": { - "properties": { - "memcap_global": { - "type": "long" - }, - "memcap_state": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "file_store": { - "properties": { - "open_files": { - "type": "long" - } - } - }, - "flow": { - "properties": { - "emerg_mode_entered": { - "type": "long" - }, - "emerg_mode_over": { - "type": "long" - }, - "icmpv4": { - "type": "long" - }, - "icmpv6": { - "type": "long" - }, - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "spare": { - "type": "long" - }, - "tcp": { - "type": "long" - }, - "tcp_reuse": { - "type": "long" - }, - "udp": { - "type": "long" - } - } - }, - "flow_mgr": { - "properties": { - "bypassed_pruned": { - "type": "long" - }, - "closed_pruned": { - "type": "long" - }, - "est_pruned": { - "type": "long" - }, - "flows_checked": { - "type": "long" - }, - "flows_notimeout": { - "type": "long" - }, - "flows_removed": { - "type": "long" - }, - "flows_timeout": { - "type": "long" - }, - "flows_timeout_inuse": { - "type": "long" - }, - "new_pruned": { - "type": "long" - }, - "rows_busy": { - "type": "long" - }, - "rows_checked": { - "type": "long" - }, - "rows_empty": { - "type": "long" - }, - "rows_maxlen": { - "type": "long" - }, - "rows_skipped": { - "type": "long" - } - } - }, - "http": { - "properties": { - "memcap": { - "type": "long" - }, - "memuse": { - "type": "long" - } - } - }, - "tcp": { - "properties": { - "insert_data_normal_fail": { - "type": "long" - }, - "insert_data_overlap_fail": { - "type": "long" - }, - "insert_list_fail": { - "type": "long" - }, - "invalid_checksum": { - "type": "long" - }, - "memuse": { - "type": "long" - }, - "no_flow": { - "type": "long" - }, - "overlap": { - "type": "long" - }, - "overlap_diff_data": { - "type": "long" - }, - "pseudo": { - "type": "long" - }, - "pseudo_failed": { - "type": "long" - }, - "reassembly_gap": { - "type": "long" - }, - "reassembly_memuse": { - "type": "long" - }, - "rst": { - "type": "long" - }, - "segment_memcap_drop": { - "type": "long" - }, - "sessions": { - "type": "long" - }, - "ssn_memcap_drop": { - "type": "long" - }, - "stream_depth_reached": { - "type": "long" - }, - "syn": { - "type": "long" - }, - "synack": { - "type": "long" - } - } - }, - "uptime": { - "type": "long" } - } - }, - "tls": { - "properties": { - "fingerprint": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuerdn": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "ja3s": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "string": { - "ignore_above": 1024, - "type": "keyword" + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "notafter": { - "type": "date" - }, - "notbefore": { - "type": "date" - }, - "serial": { - "ignore_above": 1024, - "type": "keyword" - }, - "session_resumed": { - "type": "boolean" - }, - "sni": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tx_id": { - "type": "long" - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "snort": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "dgm": { + "properties": { + "length": { + "type": "long" + } + } + }, + "eth": { + "properties": { + "length": { + "type": "long" + } + } + }, + "gid": { + "type": "long" + }, + "icmp": { + "properties": { + "code": { + "type": "long" + }, + "id": { + "type": "long" + }, + "seq": { + "type": "long" + }, + "type": { + "type": "long" + } + } + }, + "ip": { + "properties": { + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "type": "long" + }, + "length": { + "type": "long" + }, + "tos": { + "type": "long" + }, + "ttl": { + "type": "long" + } + } + }, + "sid": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcp": { + "properties": { + "ack": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "length": { + "type": "long" + }, + "seq": { + "type": "long" + }, + "window": { + "type": "long" + } + } + }, + "udp": { + "properties": { + "length": { + "type": "long" + } + } + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "suricata": { + "properties": { + "alert": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "type": "long" + }, + "metadata": { + "properties": { + "attack_target": { + "ignore_above": 1024, + "type": "keyword" + }, + "capec_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "created_at": { + "type": "date" + }, + "cve": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v2_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_base": { + "ignore_above": 1024, + "type": "keyword" + }, + "cvss_v3_temporal": { + "ignore_above": 1024, + "type": "keyword" + }, + "cwe_id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rev": { + "type": "long" + }, + "signature": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_id": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "id": { + "type": "long" + }, + "rrname": { + "ignore_above": 1024, + "type": "keyword" + }, + "rrtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "tx_id": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "fileinfo": { + "properties": { + "gaps": { + "type": "boolean" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "stored": { + "type": "boolean" + }, + "tx_id": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "age": { + "type": "long" + }, + "alerted": { + "type": "boolean" + }, + "end": { + "type": "date" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "flow_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "http": { + "properties": { + "http_content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_port": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "in_iface": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh": { + "properties": { + "client": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "proto_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "stats": { + "properties": { + "app_layer": { + "properties": { + "flow": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "failed_tcp": { + "type": "long" + }, + "failed_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "imap": { + "type": "long" + }, + "msn": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + }, + "tx": { + "properties": { + "dcerpc_tcp": { + "type": "long" + }, + "dcerpc_udp": { + "type": "long" + }, + "dns_tcp": { + "type": "long" + }, + "dns_udp": { + "type": "long" + }, + "ftp": { + "type": "long" + }, + "http": { + "type": "long" + }, + "smb": { + "type": "long" + }, + "smtp": { + "type": "long" + }, + "ssh": { + "type": "long" + }, + "tls": { + "type": "long" + } + } + } + } + }, + "capture": { + "properties": { + "kernel_drops": { + "type": "long" + }, + "kernel_ifdrops": { + "type": "long" + }, + "kernel_packets": { + "type": "long" + } + } + }, + "decoder": { + "properties": { + "avg_pkt_size": { + "type": "long" + }, + "bytes": { + "type": "long" + }, + "dce": { + "properties": { + "pkt_too_small": { + "type": "long" + } + } + }, + "erspan": { + "type": "long" + }, + "ethernet": { + "type": "long" + }, + "gre": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "ieee8021ah": { + "type": "long" + }, + "invalid": { + "type": "long" + }, + "ipraw": { + "properties": { + "invalid_ip_version": { + "type": "long" + } + } + }, + "ipv4": { + "type": "long" + }, + "ipv4_in_ipv6": { + "type": "long" + }, + "ipv6": { + "type": "long" + }, + "ipv6_in_ipv6": { + "type": "long" + }, + "ltnull": { + "properties": { + "pkt_too_small": { + "type": "long" + }, + "unsupported_type": { + "type": "long" + } + } + }, + "max_pkt_size": { + "type": "long" + }, + "mpls": { + "type": "long" + }, + "null": { + "type": "long" + }, + "pkts": { + "type": "long" + }, + "ppp": { + "type": "long" + }, + "pppoe": { + "type": "long" + }, + "raw": { + "type": "long" + }, + "sctp": { + "type": "long" + }, + "sll": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "teredo": { + "type": "long" + }, + "udp": { + "type": "long" + }, + "vlan": { + "type": "long" + }, + "vlan_qinq": { + "type": "long" + } + } + }, + "defrag": { + "properties": { + "ipv4": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "ipv6": { + "properties": { + "fragments": { + "type": "long" + }, + "reassembled": { + "type": "long" + }, + "timeouts": { + "type": "long" + } + } + }, + "max_frag_hits": { + "type": "long" + } + } + }, + "detect": { + "properties": { + "alert": { + "type": "long" + } + } + }, + "dns": { + "properties": { + "memcap_global": { + "type": "long" + }, + "memcap_state": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "file_store": { + "properties": { + "open_files": { + "type": "long" + } + } + }, + "flow": { + "properties": { + "emerg_mode_entered": { + "type": "long" + }, + "emerg_mode_over": { + "type": "long" + }, + "icmpv4": { + "type": "long" + }, + "icmpv6": { + "type": "long" + }, + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "spare": { + "type": "long" + }, + "tcp": { + "type": "long" + }, + "tcp_reuse": { + "type": "long" + }, + "udp": { + "type": "long" + } + } + }, + "flow_mgr": { + "properties": { + "bypassed_pruned": { + "type": "long" + }, + "closed_pruned": { + "type": "long" + }, + "est_pruned": { + "type": "long" + }, + "flows_checked": { + "type": "long" + }, + "flows_notimeout": { + "type": "long" + }, + "flows_removed": { + "type": "long" + }, + "flows_timeout": { + "type": "long" + }, + "flows_timeout_inuse": { + "type": "long" + }, + "new_pruned": { + "type": "long" + }, + "rows_busy": { + "type": "long" + }, + "rows_checked": { + "type": "long" + }, + "rows_empty": { + "type": "long" + }, + "rows_maxlen": { + "type": "long" + }, + "rows_skipped": { + "type": "long" + } + } + }, + "http": { + "properties": { + "memcap": { + "type": "long" + }, + "memuse": { + "type": "long" + } + } + }, + "tcp": { + "properties": { + "insert_data_normal_fail": { + "type": "long" + }, + "insert_data_overlap_fail": { + "type": "long" + }, + "insert_list_fail": { + "type": "long" + }, + "invalid_checksum": { + "type": "long" + }, + "memuse": { + "type": "long" + }, + "no_flow": { + "type": "long" + }, + "overlap": { + "type": "long" + }, + "overlap_diff_data": { + "type": "long" + }, + "pseudo": { + "type": "long" + }, + "pseudo_failed": { + "type": "long" + }, + "reassembly_gap": { + "type": "long" + }, + "reassembly_memuse": { + "type": "long" + }, + "rst": { + "type": "long" + }, + "segment_memcap_drop": { + "type": "long" + }, + "sessions": { + "type": "long" + }, + "ssn_memcap_drop": { + "type": "long" + }, + "stream_depth_reached": { + "type": "long" + }, + "syn": { + "type": "long" + }, + "synack": { + "type": "long" + } + } + }, + "uptime": { + "type": "long" + } + } + }, + "tls": { + "properties": { + "fingerprint": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuerdn": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ja3s": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "notafter": { + "type": "date" + }, + "notbefore": { + "type": "date" + }, + "serial": { + "ignore_above": 1024, + "type": "keyword" + }, + "session_resumed": { + "type": "boolean" + }, + "sni": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tx_id": { + "type": "long" + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } } } } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } } } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "zeek": { - "properties": { - "capture_loss_acks": { - "type": "long" - }, - "capture_loss_gaps": { - "type": "long" - }, - "capture_loss_peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "capture_loss_percent_lost": { - "type": "long" - }, - "capture_loss_ts_delta": { - "type": "long" - }, - "conn_history": { - "ignore_above": 1024, - "type": "keyword" - }, - "conn_icmp_code": { - "type": "long" - }, - "conn_icmp_type": { - "type": "long" - }, - "conn_local_orig": { - "type": "boolean" - }, - "conn_local_resp": { - "type": "boolean" - }, - "conn_missed_bytes": { - "type": "long" - }, - "conn_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "conn_state_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "dce_rpc_endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "dce_rpc_named_pipe": { - "ignore_above": 1024, - "type": "keyword" - }, - "dce_rpc_operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "dce_rpc_rtt": { - "type": "long" - }, - "dhcp_agent_remote_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_assigned_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_circuit_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_client_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_client_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_client_software": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_duration": { - "type": "long" - }, - "dhcp_host_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_lease_time": { - "type": "long" - }, - "dhcp_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_msg_orig": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_msg_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_requested_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_server_addr": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_server_message": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_server_software": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_subscriber_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp_uids": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnp3_fc_reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnp3_fc_request": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnp3_iin": { - "type": "long" - }, - "dns_TTLs": { - "type": "long" - }, - "dns_answers": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_qclass": { - "type": "long" - }, - "dns_qclass_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_qtype": { - "type": "long" - }, - "dns_qtype_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_query": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_rcode": { - "type": "long" - }, - "dns_rcode_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_rejected": { - "type": "boolean" - }, - "dns_rtt": { - "type": "long" - }, - "dns_trans_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dpd_analyzer": { - "ignore_above": 1024, - "type": "keyword" - }, - "dpd_failure_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "files_analyzers": { - "ignore_above": 1024, - "type": "keyword" - }, - "files_depth": { - "type": "long" - }, - "files_duration": { - "type": "long" - }, - "files_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "files_is_orig": { - "type": "boolean" - }, - "files_local_orig": { - "type": "boolean" - }, - "files_missing_bytes": { - "type": "long" - }, - "files_overflow_bytes": { - "type": "long" - }, - "files_rx_host": { - "type": "ip" - }, - "files_seen_bytes": { - "type": "long" - }, - "files_source": { - "ignore_above": 1024, - "type": "keyword" - }, - "files_timedout": { - "type": "boolean" - }, - "files_tx_host": { - "type": "ip" - }, - "ftp_arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ftp_data_channel_orig_h": { - "type": "ip" - }, - "ftp_data_channel_passive": { - "type": "boolean" - }, - "ftp_data_channel_resp_h": { - "type": "ip" - }, - "ftp_data_channel_resp_p": { - "type": "long" - }, - "ftp_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ftp_password": { - "ignore_above": 1024, - "type": "keyword" - }, - "ftp_reply_code": { - "type": "long" - }, - "ftp_reply_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_resp_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_resp_mime_types": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_status_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_tags": { - "ignore_above": 1024, - "type": "keyword" - }, - "http_trans_depth": { - "type": "long" - }, - "intel_matched": { - "ignore_above": 1024, - "type": "keyword" - }, - "intel_seen_indicator": { - "ignore_above": 1024, - "type": "keyword" - }, - "intel_seen_indicator_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "intel_seen_node": { - "ignore_above": 1024, - "type": "keyword" - }, - "intel_seen_where": { - "ignore_above": 1024, - "type": "keyword" - }, - "intel_sources": { - "ignore_above": 1024, - "type": "keyword" - }, - "irc_addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "irc_nick": { - "ignore_above": 1024, - "type": "keyword" - }, - "irc_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_auth_ticket": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cert_client_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cert_client_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cert_server_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cert_server_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cert_server_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_error_code": { - "type": "long" - }, - "kerberos_error_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_forwardable": { - "type": "boolean" - }, - "kerberos_from": { - "type": "date" - }, - "kerberos_new_ticket": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_renewable": { - "type": "boolean" - }, - "kerberos_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "kerberos_success": { - "type": "boolean" - }, - "kerberos_till": { - "ignore_above": 1024, - "type": "keyword" - }, - "mysql_arg": { - "ignore_above": 1024, - "type": "keyword" - }, - "mysql_response": { - "ignore_above": 1024, - "type": "keyword" - }, - "mysql_rows": { - "type": "long" - }, - "mysql_success": { - "type": "boolean" - }, - "notice_actions": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_dropped": { - "type": "boolean" - }, - "notice_fuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_note": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_peer_descr": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_sub": { - "ignore_above": 1024, - "type": "keyword" - }, - "notice_suppress_for": { - "type": "long" - }, - "ntlm_hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntlm_server_dns_computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntlm_server_nb_computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntlm_server_tree_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntp_mode": { - "type": "long" - }, - "ntp_num_exts": { - "type": "long" - }, - "ntp_org_time": { - "type": "date" - }, - "ntp_poll": { - "type": "long" - }, - "ntp_precision": { - "type": "long" - }, - "ntp_rec_time": { - "type": "date" - }, - "ntp_ref_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ntp_ref_time": { - "type": "date" - }, - "ntp_root_delay": { - "type": "float" - }, - "ntp_root_disp": { - "type": "float" - }, - "ntp_stratum": { - "type": "long" - }, - "ntp_version": { - "type": "long" - }, - "ntp_xmt_time": { - "type": "date" - }, - "ocsp_cert_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_hash_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_issuer_key_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_issuer_name_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_next_update": { - "type": "date" - }, - "ocsp_revokereason": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_revoketime": { - "type": "date" - }, - "ocsp_serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "ocsp_this_update": { - "type": "date" - }, - "pe_compile_ts": { - "type": "date" - }, - "pe_has_cert_table": { - "type": "boolean" - }, - "pe_has_debug_data": { - "type": "boolean" - }, - "pe_has_export_table": { - "type": "boolean" - }, - "pe_has_import_table": { - "type": "boolean" - }, - "pe_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe_is_64bit": { - "type": "boolean" - }, - "pe_is_exe": { - "type": "boolean" - }, - "pe_machine": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe_os": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe_section_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe_subsystem": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe_uses_aslr": { - "type": "boolean" - }, - "pe_uses_code_integrity": { - "type": "boolean" - }, - "pe_uses_dep": { - "type": "boolean" - }, - "pe_uses_seh": { - "type": "boolean" - }, - "radius_mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_cert_count": { - "type": "long" - }, - "rdp_cert_permanent": { - "type": "boolean" - }, - "rdp_cert_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_client_build": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_client_dig_product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_client_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_desktop_height": { - "type": "long" - }, - "rdp_desktop_width": { - "type": "long" - }, - "rdp_encryption_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_encryption_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_requested_color_depth": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdp_security_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_auth": { - "type": "boolean" - }, - "rfb_authentication_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_client_major_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_client_minor_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_desktop_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_height": { - "type": "long" - }, - "rfb_server_major_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_server_minor_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "rfb_share_flag": { - "type": "boolean" - }, - "rfb_width": { - "type": "long" - }, - "signature_event_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_note": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_sig_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_sub_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_call_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_request_body_len": { - "type": "long" - }, - "sip_request_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_request_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_request_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_response_body_len": { - "type": "long" - }, - "sip_response_from": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_response_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_response_to": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_seq": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_status_code": { - "type": "long" - }, - "sip_status_msg": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip_trans_depth": { - "type": "long" - }, - "smb_cmd_argument": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_referenced_file_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_referenced_file_id_orig_h": { - "type": "ip" - }, - "smb_cmd_referenced_file_id_resp_h": { - "type": "ip" - }, - "smb_cmd_referenced_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_referenced_file_ts": { - "type": "date" - }, - "smb_cmd_referenced_file_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_rtt": { - "type": "long" - }, - "smb_cmd_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_tree": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_tree_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_cmd_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_mapping_native_file_system": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_mapping_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_mapping_service": { - "ignore_above": 1024, - "type": "keyword" - }, - "smb_mapping_share_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_date": { - "type": "date" - }, - "smtp_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_helo": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_is_webmail": { - "type": "boolean" - }, - "smtp_last_reply": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_mailfrom": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_msg_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_rcptto": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "smtp_trans_depth": { - "type": "long" - }, - "smtp_user_agent": { - "ignore_above": 1024, - "type": "keyword" - }, - "snmp_duration": { - "type": "long" - }, - "snmp_get_bulk_requests": { - "type": "long" - }, - "snmp_get_requests": { - "type": "long" - }, - "snmp_get_responses": { - "type": "long" - }, - "snmp_set_requests": { - "type": "long" - }, - "snmp_up_since": { - "type": "date" - }, - "snmp_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "socks_bound_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "socks_bound_p": { - "type": "long" - }, - "socks_request_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "socks_request_p": { - "ignore_above": 1024, - "type": "keyword" - }, - "socks_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "socks_version": { - "type": "long" - }, - "software_host": { - "type": "ip" - }, - "software_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_unparsed_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version_addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "software_version_major": { - "type": "long" - }, - "software_version_minor": { - "type": "long" - }, - "software_version_minor2": { - "type": "long" - }, - "software_version_minor3": { - "type": "long" - }, - "ssh_auth_attempts": { - "type": "long" - }, - "ssh_auth_success": { - "type": "boolean" - }, - "ssh_cipher_alg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_client": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_compression_alg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_host_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_host_key_alg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_kex_alg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_mac_alg": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssh_version": { - "type": "long" - }, - "ssl_cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_client_cert_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_client_cert_chain_fuids": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_client_issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_client_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_validation_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_validation_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssl_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "stats_active_dns_requests": { - "type": "long" - }, - "stats_active_files": { - "type": "long" - }, - "stats_active_icmp_conns": { - "type": "long" - }, - "stats_active_tcp_conns": { - "type": "long" - }, - "stats_active_timers": { - "type": "long" - }, - "stats_active_udp_conns": { - "type": "long" - }, - "stats_bytes_recv": { - "type": "long" - }, - "stats_dns_requests": { - "type": "long" - }, - "stats_event_proc": { - "type": "long" - }, - "stats_event_queued": { - "type": "long" - }, - "stats_files": { - "type": "long" - }, - "stats_icmp_conns": { - "type": "long" - }, - "stats_mem": { - "type": "long" - }, - "stats_peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "stats_pkt_lag": { - "type": "float" - }, - "stats_pkts_dropped": { - "type": "long" - }, - "stats_pkts_link": { - "type": "long" - }, - "stats_pkts_proc": { - "type": "long" - }, - "stats_reassem_file_size": { - "type": "long" - }, - "stats_reassem_frag_size": { - "type": "long" - }, - "stats_reassem_tcp_size": { - "type": "long" - }, - "stats_reassem_unknown_size": { - "type": "long" - }, - "stats_tcp_conns": { - "type": "long" - }, - "stats_timers": { - "type": "long" - }, - "stats_udp_conns": { - "type": "long" - }, - "tunnel_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "weird_addl": { - "ignore_above": 1024, - "type": "keyword" - }, - "weird_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "weird_notice": { - "type": "boolean" - }, - "weird_peer": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509_basic_constraints_ca": { - "type": "boolean" - }, - "x509_basic_constraints_path_len": { - "type": "long" - }, - "x509_certificate_issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509_certificate_key_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509_certificate_subject": { - "ignore_above": 1024, - "type": "keyword" + }, + "zeek": { + "properties": { + "capture_loss_acks": { + "type": "long" + }, + "capture_loss_gaps": { + "type": "long" + }, + "capture_loss_peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "capture_loss_percent_lost": { + "type": "long" + }, + "capture_loss_ts_delta": { + "type": "long" + }, + "conn_history": { + "ignore_above": 1024, + "type": "keyword" + }, + "conn_icmp_code": { + "type": "long" + }, + "conn_icmp_type": { + "type": "long" + }, + "conn_local_orig": { + "type": "boolean" + }, + "conn_local_resp": { + "type": "boolean" + }, + "conn_missed_bytes": { + "type": "long" + }, + "conn_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "conn_state_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce_rpc_endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce_rpc_named_pipe": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce_rpc_operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "dce_rpc_rtt": { + "type": "long" + }, + "dhcp_agent_remote_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_assigned_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_circuit_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_client_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_client_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_client_software": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_duration": { + "type": "long" + }, + "dhcp_host_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_lease_time": { + "type": "long" + }, + "dhcp_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg_orig": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_msg_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_requested_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_server_addr": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_server_message": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_server_software": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_subscriber_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp_uids": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnp3_fc_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnp3_fc_request": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnp3_iin": { + "type": "long" + }, + "dns_TTLs": { + "type": "long" + }, + "dns_answers": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_qclass": { + "type": "long" + }, + "dns_qclass_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_qtype": { + "type": "long" + }, + "dns_qtype_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_query": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_rcode": { + "type": "long" + }, + "dns_rcode_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_rejected": { + "type": "boolean" + }, + "dns_rtt": { + "type": "long" + }, + "dns_trans_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dpd_analyzer": { + "ignore_above": 1024, + "type": "keyword" + }, + "dpd_failure_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_analyzers": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_depth": { + "type": "long" + }, + "files_duration": { + "type": "long" + }, + "files_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_is_orig": { + "type": "boolean" + }, + "files_local_orig": { + "type": "boolean" + }, + "files_missing_bytes": { + "type": "long" + }, + "files_overflow_bytes": { + "type": "long" + }, + "files_rx_host": { + "type": "ip" + }, + "files_seen_bytes": { + "type": "long" + }, + "files_source": { + "ignore_above": 1024, + "type": "keyword" + }, + "files_timedout": { + "type": "boolean" + }, + "files_tx_host": { + "type": "ip" + }, + "ftp_arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_data_channel_orig_h": { + "type": "ip" + }, + "ftp_data_channel_passive": { + "type": "boolean" + }, + "ftp_data_channel_resp_h": { + "type": "ip" + }, + "ftp_data_channel_resp_p": { + "type": "long" + }, + "ftp_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_password": { + "ignore_above": 1024, + "type": "keyword" + }, + "ftp_reply_code": { + "type": "long" + }, + "ftp_reply_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_resp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_resp_mime_types": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "http_trans_depth": { + "type": "long" + }, + "intel_matched": { + "ignore_above": 1024, + "type": "keyword" + }, + "intel_seen_indicator": { + "ignore_above": 1024, + "type": "keyword" + }, + "intel_seen_indicator_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "intel_seen_node": { + "ignore_above": 1024, + "type": "keyword" + }, + "intel_seen_where": { + "ignore_above": 1024, + "type": "keyword" + }, + "intel_sources": { + "ignore_above": 1024, + "type": "keyword" + }, + "irc_addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "irc_nick": { + "ignore_above": 1024, + "type": "keyword" + }, + "irc_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_auth_ticket": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cert_client_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cert_client_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cert_server_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cert_server_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cert_server_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_error_code": { + "type": "long" + }, + "kerberos_error_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_forwardable": { + "type": "boolean" + }, + "kerberos_from": { + "type": "date" + }, + "kerberos_new_ticket": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_renewable": { + "type": "boolean" + }, + "kerberos_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "kerberos_success": { + "type": "boolean" + }, + "kerberos_till": { + "ignore_above": 1024, + "type": "keyword" + }, + "mysql_arg": { + "ignore_above": 1024, + "type": "keyword" + }, + "mysql_response": { + "ignore_above": 1024, + "type": "keyword" + }, + "mysql_rows": { + "type": "long" + }, + "mysql_success": { + "type": "boolean" + }, + "notice_actions": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_dropped": { + "type": "boolean" + }, + "notice_fuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_note": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_peer_descr": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_sub": { + "ignore_above": 1024, + "type": "keyword" + }, + "notice_suppress_for": { + "type": "long" + }, + "ntlm_hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntlm_server_dns_computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntlm_server_nb_computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntlm_server_tree_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntp_mode": { + "type": "long" + }, + "ntp_num_exts": { + "type": "long" + }, + "ntp_org_time": { + "type": "date" + }, + "ntp_poll": { + "type": "long" + }, + "ntp_precision": { + "type": "long" + }, + "ntp_rec_time": { + "type": "date" + }, + "ntp_ref_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ntp_ref_time": { + "type": "date" + }, + "ntp_root_delay": { + "type": "float" + }, + "ntp_root_disp": { + "type": "float" + }, + "ntp_stratum": { + "type": "long" + }, + "ntp_version": { + "type": "long" + }, + "ntp_xmt_time": { + "type": "date" + }, + "ocsp_cert_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_issuer_key_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_issuer_name_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_next_update": { + "type": "date" + }, + "ocsp_revokereason": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_revoketime": { + "type": "date" + }, + "ocsp_serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "ocsp_this_update": { + "type": "date" + }, + "pe_compile_ts": { + "type": "date" + }, + "pe_has_cert_table": { + "type": "boolean" + }, + "pe_has_debug_data": { + "type": "boolean" + }, + "pe_has_export_table": { + "type": "boolean" + }, + "pe_has_import_table": { + "type": "boolean" + }, + "pe_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_is_64bit": { + "type": "boolean" + }, + "pe_is_exe": { + "type": "boolean" + }, + "pe_machine": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_os": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_section_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_subsystem": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe_uses_aslr": { + "type": "boolean" + }, + "pe_uses_code_integrity": { + "type": "boolean" + }, + "pe_uses_dep": { + "type": "boolean" + }, + "pe_uses_seh": { + "type": "boolean" + }, + "radius_mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_cert_count": { + "type": "long" + }, + "rdp_cert_permanent": { + "type": "boolean" + }, + "rdp_cert_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_client_build": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_client_dig_product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_client_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_desktop_height": { + "type": "long" + }, + "rdp_desktop_width": { + "type": "long" + }, + "rdp_encryption_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_encryption_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_requested_color_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdp_security_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_auth": { + "type": "boolean" + }, + "rfb_authentication_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_client_major_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_client_minor_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_desktop_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_height": { + "type": "long" + }, + "rfb_server_major_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_server_minor_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "rfb_share_flag": { + "type": "boolean" + }, + "rfb_width": { + "type": "long" + }, + "signature_event_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_note": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_sig_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_sub_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_call_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_request_body_len": { + "type": "long" + }, + "sip_request_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_request_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_request_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_response_body_len": { + "type": "long" + }, + "sip_response_from": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_response_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_response_to": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_seq": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_status_code": { + "type": "long" + }, + "sip_status_msg": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip_trans_depth": { + "type": "long" + }, + "smb_cmd_argument": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_referenced_file_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_referenced_file_id_orig_h": { + "type": "ip" + }, + "smb_cmd_referenced_file_id_resp_h": { + "type": "ip" + }, + "smb_cmd_referenced_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_referenced_file_ts": { + "type": "date" + }, + "smb_cmd_referenced_file_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_rtt": { + "type": "long" + }, + "smb_cmd_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_tree": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_tree_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_cmd_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_mapping_native_file_system": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_mapping_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_mapping_service": { + "ignore_above": 1024, + "type": "keyword" + }, + "smb_mapping_share_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_date": { + "type": "date" + }, + "smtp_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_helo": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_is_webmail": { + "type": "boolean" + }, + "smtp_last_reply": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_mailfrom": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_msg_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_rcptto": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "smtp_trans_depth": { + "type": "long" + }, + "smtp_user_agent": { + "ignore_above": 1024, + "type": "keyword" + }, + "snmp_duration": { + "type": "long" + }, + "snmp_get_bulk_requests": { + "type": "long" + }, + "snmp_get_requests": { + "type": "long" + }, + "snmp_get_responses": { + "type": "long" + }, + "snmp_set_requests": { + "type": "long" + }, + "snmp_up_since": { + "type": "date" + }, + "snmp_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "socks_bound_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "socks_bound_p": { + "type": "long" + }, + "socks_request_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "socks_request_p": { + "ignore_above": 1024, + "type": "keyword" + }, + "socks_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "socks_version": { + "type": "long" + }, + "software_host": { + "type": "ip" + }, + "software_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_unparsed_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version_addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "software_version_major": { + "type": "long" + }, + "software_version_minor": { + "type": "long" + }, + "software_version_minor2": { + "type": "long" + }, + "software_version_minor3": { + "type": "long" + }, + "ssh_auth_attempts": { + "type": "long" + }, + "ssh_auth_success": { + "type": "boolean" + }, + "ssh_cipher_alg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_client": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_compression_alg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_host_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_host_key_alg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_kex_alg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_mac_alg": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssh_version": { + "type": "long" + }, + "ssl_cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_client_cert_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_client_cert_chain_fuids": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_client_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_client_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_validation_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_validation_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssl_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "stats_active_dns_requests": { + "type": "long" + }, + "stats_active_files": { + "type": "long" + }, + "stats_active_icmp_conns": { + "type": "long" + }, + "stats_active_tcp_conns": { + "type": "long" + }, + "stats_active_timers": { + "type": "long" + }, + "stats_active_udp_conns": { + "type": "long" + }, + "stats_bytes_recv": { + "type": "long" + }, + "stats_dns_requests": { + "type": "long" + }, + "stats_event_proc": { + "type": "long" + }, + "stats_event_queued": { + "type": "long" + }, + "stats_files": { + "type": "long" + }, + "stats_icmp_conns": { + "type": "long" + }, + "stats_mem": { + "type": "long" + }, + "stats_peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "stats_pkt_lag": { + "type": "float" + }, + "stats_pkts_dropped": { + "type": "long" + }, + "stats_pkts_link": { + "type": "long" + }, + "stats_pkts_proc": { + "type": "long" + }, + "stats_reassem_file_size": { + "type": "long" + }, + "stats_reassem_frag_size": { + "type": "long" + }, + "stats_reassem_tcp_size": { + "type": "long" + }, + "stats_reassem_unknown_size": { + "type": "long" + }, + "stats_tcp_conns": { + "type": "long" + }, + "stats_timers": { + "type": "long" + }, + "stats_udp_conns": { + "type": "long" + }, + "tunnel_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "weird_addl": { + "ignore_above": 1024, + "type": "keyword" + }, + "weird_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "weird_notice": { + "type": "boolean" + }, + "weird_peer": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509_basic_constraints_ca": { + "type": "boolean" + }, + "x509_basic_constraints_path_len": { + "type": "long" + }, + "x509_certificate_issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509_certificate_key_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509_certificate_subject": { + "ignore_above": 1024, + "type": "keyword" + } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 3000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-security" } } diff --git a/plugins/setup/src/main/resources/templates/streams/system-activity.json b/plugins/setup/src/main/resources/templates/streams/system-activity.json index 637017c5..65157f2d 100644 --- a/plugins/setup/src/main/resources/templates/streams/system-activity.json +++ b/plugins/setup/src/main/resources/templates/streams/system-activity.json @@ -1,10118 +1,10121 @@ { "index_patterns": [ - "wazuh-events-v5-system-activity-*" + "wazuh-events-v5-system-activity*" ], - "mappings": { - "date_detection": false, - "dynamic": "false", - "properties": { - "@timestamp": { - "type": "date" + "priority": 1, + "data_stream": {}, + "template": { + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "max_docvalue_fields_search": 200, + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" }, - "agent": { - "properties": { - "build": { - "properties": { - "original": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "groups": { - "ignore_above": 1024, - "type": "keyword" - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } + "mapping.nested_fields.limit": 50, + "mapping.total_fields.limit": 3000, + "plugins.index_state_management.rollover_alias": "wazuh-events-v5-system-activity" + }, + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } } }, - "type": "object" + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } } }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } + "type": "object" } }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "auditd": { - "properties": { - "ARCH": { - "ignore_above": 1024, - "type": "keyword" - }, - "AUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "EGID": { - "ignore_above": 1024, - "type": "keyword" - }, - "EUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "FSGID": { - "ignore_above": 1024, - "type": "keyword" - }, - "FSUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "GID": { - "ignore_above": 1024, - "type": "keyword" - }, - "SGID": { - "ignore_above": 1024, - "type": "keyword" - }, - "SUID": { - "ignore_above": 1024, - "type": "keyword" - }, - "SYSCALL": { - "ignore_above": 1024, - "type": "keyword" - }, - "a0": { - "ignore_above": 1024, - "type": "keyword" - }, - "a1": { - "ignore_above": 1024, - "type": "keyword" - }, - "a2": { - "ignore_above": 1024, - "type": "keyword" - }, - "a3": { - "ignore_above": 1024, - "type": "keyword" - }, - "a4": { - "ignore_above": 1024, - "type": "keyword" - }, - "apparmor": { - "ignore_above": 1024, - "type": "keyword" - }, - "audit_failure": { - "ignore_above": 1024, - "type": "keyword" - }, - "avc_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "avc_request": { - "ignore_above": 1024, - "type": "keyword" - }, - "capability": { - "ignore_above": 1024, - "type": "keyword" - }, - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "context": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "default-context": { - "ignore_above": 1024, - "type": "keyword" - }, - "dev": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "dst_prefixlen": { - "type": "long" - }, - "entries": { - "type": "long" - }, - "fam": { - "ignore_above": 1024, - "type": "keyword" - }, - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "fe": { - "ignore_above": 1024, - "type": "keyword" - }, - "fi": { - "ignore_above": 1024, - "type": "keyword" - }, - "format": { - "ignore_above": 1024, - "type": "keyword" - }, - "fp": { - "ignore_above": 1024, - "type": "keyword" - }, - "fver": { - "ignore_above": 1024, - "type": "keyword" - }, - "gpg_res": { - "ignore_above": 1024, - "type": "keyword" - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "img-ctx": { - "ignore_above": 1024, - "type": "keyword" - }, - "ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "interface": { - "ignore_above": 1024, - "type": "keyword" - }, - "item": { - "ignore_above": 1024, - "type": "keyword" - }, - "items": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "key_enforce": { - "type": "boolean" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "ksize": { - "type": "long" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "laddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "list": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "lport": { - "type": "long" - }, - "major": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nametype": { - "ignore_above": 1024, - "type": "keyword" - }, - "new-level": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "new_ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - }, - "obj": { - "ignore_above": 1024, - "type": "keyword" - }, - "objtype": { - "ignore_above": 1024, - "type": "keyword" - }, - "old": { - "ignore_above": 1024, - "type": "keyword" - }, - "old-level": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_auid": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pe": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pi": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_pp": { - "ignore_above": 1024, - "type": "keyword" - }, - "old_ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "op": { - "ignore_above": 1024, - "type": "keyword" - }, - "operation": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_field": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "peer_pid": { - "type": "long" - }, - "permissive": { - "ignore_above": 1024, - "type": "keyword" - }, - "pfs": { - "ignore_above": 1024, - "type": "keyword" - }, - "proctitle": { - "ignore_above": 1024, - "type": "keyword" - }, - "profile": { - "ignore_above": 1024, - "type": "keyword" - }, - "prog_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "rdev": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "record_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "request": { - "ignore_above": 1024, - "type": "keyword" - }, - "reset": { - "ignore_above": 1024, - "type": "keyword" - }, - "root_dir": { - "ignore_above": 1024, - "type": "keyword" - }, - "rport": { - "type": "long" - }, - "saddr": { - "ignore_above": 1024, - "type": "keyword" - }, - "saddr_fam": { - "ignore_above": 1024, - "type": "keyword" - }, - "sauid": { - "ignore_above": 1024, - "type": "keyword" - }, - "scontext": { - "ignore_above": 1024, - "type": "keyword" - }, - "selected-context": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence": { - "type": "long" - }, - "ses": { - "ignore_above": 1024, - "type": "keyword" - }, - "sig": { - "ignore_above": 1024, - "type": "keyword" - }, - "spid": { - "ignore_above": 1024, - "type": "keyword" - }, - "src_prefixlen": { - "type": "long" - }, - "subj": { - "ignore_above": 1024, - "type": "keyword" - }, - "success": { - "type": "boolean" - }, - "sw": { - "ignore_above": 1024, - "type": "keyword" - }, - "sw_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "syscall": { - "ignore_above": 1024, - "type": "keyword" - }, - "table": { - "ignore_above": 1024, - "type": "keyword" - }, - "tclass": { - "ignore_above": 1024, - "type": "keyword" - }, - "tcontext": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_audit_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_audit_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_filesystem_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_filesystem_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_owner_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_owner_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_saved_group_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_saved_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_terminal": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "ver": { - "ignore_above": 1024, - "type": "keyword" - }, - "virt": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm": { - "ignore_above": 1024, - "type": "keyword" - }, - "vm-ctx": { - "ignore_above": 1024, - "type": "keyword" - }, - "xdevice": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "check": { - "properties": { - "compliance": { - "ignore_above": 1024, - "type": "keyword" - }, - "condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rationale": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - }, - "remediation": { - "ignore_above": 1024, - "type": "keyword" - }, - "result": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "client": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" } } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "cloud": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "target": { - "properties": { - "account": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "availability_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "instance": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "machine": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "project": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "region": { - "ignore_above": 1024, - "type": "keyword" - }, - "service": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "compliance": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "publisher": { - "ignore_above": 1024, - "type": "keyword" - }, - "requirement": { - "properties": { - "description": { - "type": "match_only_text" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "title": { - "type": "match_only_text" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "nested" - }, - "container": { - "properties": { - "cpu": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "image": { - "properties": { - "hash": { - "properties": { - "all": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "tag": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "labels": { - "type": "object" - }, - "memory": { - "properties": { - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "runtime": { - "ignore_above": 1024, - "type": "keyword" - }, - "security_context": { - "properties": { - "privileged": { - "type": "boolean" - } + "auditd": { + "properties": { + "ARCH": { + "ignore_above": 1024, + "type": "keyword" + }, + "AUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "EGID": { + "ignore_above": 1024, + "type": "keyword" + }, + "EUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "FSGID": { + "ignore_above": 1024, + "type": "keyword" + }, + "FSUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "GID": { + "ignore_above": 1024, + "type": "keyword" + }, + "SGID": { + "ignore_above": 1024, + "type": "keyword" + }, + "SUID": { + "ignore_above": 1024, + "type": "keyword" + }, + "SYSCALL": { + "ignore_above": 1024, + "type": "keyword" + }, + "a0": { + "ignore_above": 1024, + "type": "keyword" + }, + "a1": { + "ignore_above": 1024, + "type": "keyword" + }, + "a2": { + "ignore_above": 1024, + "type": "keyword" + }, + "a3": { + "ignore_above": 1024, + "type": "keyword" + }, + "a4": { + "ignore_above": 1024, + "type": "keyword" + }, + "apparmor": { + "ignore_above": 1024, + "type": "keyword" + }, + "audit_failure": { + "ignore_above": 1024, + "type": "keyword" + }, + "avc_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "avc_request": { + "ignore_above": 1024, + "type": "keyword" + }, + "capability": { + "ignore_above": 1024, + "type": "keyword" + }, + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "default-context": { + "ignore_above": 1024, + "type": "keyword" + }, + "dev": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "dst_prefixlen": { + "type": "long" + }, + "entries": { + "type": "long" + }, + "fam": { + "ignore_above": 1024, + "type": "keyword" + }, + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "fe": { + "ignore_above": 1024, + "type": "keyword" + }, + "fi": { + "ignore_above": 1024, + "type": "keyword" + }, + "format": { + "ignore_above": 1024, + "type": "keyword" + }, + "fp": { + "ignore_above": 1024, + "type": "keyword" + }, + "fver": { + "ignore_above": 1024, + "type": "keyword" + }, + "gpg_res": { + "ignore_above": 1024, + "type": "keyword" + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "img-ctx": { + "ignore_above": 1024, + "type": "keyword" + }, + "ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "interface": { + "ignore_above": 1024, + "type": "keyword" + }, + "item": { + "ignore_above": 1024, + "type": "keyword" + }, + "items": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "key_enforce": { + "type": "boolean" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "ksize": { + "type": "long" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "laddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "list": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "lport": { + "type": "long" + }, + "major": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nametype": { + "ignore_above": 1024, + "type": "keyword" + }, + "new-level": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_pe": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_pi": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_pp": { + "ignore_above": 1024, + "type": "keyword" + }, + "new_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + }, + "obj": { + "ignore_above": 1024, + "type": "keyword" + }, + "objtype": { + "ignore_above": 1024, + "type": "keyword" + }, + "old": { + "ignore_above": 1024, + "type": "keyword" + }, + "old-level": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_auid": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_pe": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_pi": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_pp": { + "ignore_above": 1024, + "type": "keyword" + }, + "old_ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "op": { + "ignore_above": 1024, + "type": "keyword" + }, + "operation": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_field": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "peer_pid": { + "type": "long" + }, + "permissive": { + "ignore_above": 1024, + "type": "keyword" + }, + "pfs": { + "ignore_above": 1024, + "type": "keyword" + }, + "proctitle": { + "ignore_above": 1024, + "type": "keyword" + }, + "profile": { + "ignore_above": 1024, + "type": "keyword" + }, + "prog_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "rdev": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "request": { + "ignore_above": 1024, + "type": "keyword" + }, + "reset": { + "ignore_above": 1024, + "type": "keyword" + }, + "root_dir": { + "ignore_above": 1024, + "type": "keyword" + }, + "rport": { + "type": "long" + }, + "saddr": { + "ignore_above": 1024, + "type": "keyword" + }, + "saddr_fam": { + "ignore_above": 1024, + "type": "keyword" + }, + "sauid": { + "ignore_above": 1024, + "type": "keyword" + }, + "scontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "selected-context": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence": { + "type": "long" + }, + "ses": { + "ignore_above": 1024, + "type": "keyword" + }, + "sig": { + "ignore_above": 1024, + "type": "keyword" + }, + "spid": { + "ignore_above": 1024, + "type": "keyword" + }, + "src_prefixlen": { + "type": "long" + }, + "subj": { + "ignore_above": 1024, + "type": "keyword" + }, + "success": { + "type": "boolean" + }, + "sw": { + "ignore_above": 1024, + "type": "keyword" + }, + "sw_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "syscall": { + "ignore_above": 1024, + "type": "keyword" + }, + "table": { + "ignore_above": 1024, + "type": "keyword" + }, + "tclass": { + "ignore_above": 1024, + "type": "keyword" + }, + "tcontext": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_audit_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_audit_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_filesystem_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_filesystem_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_owner_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_owner_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_saved_group_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_saved_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_terminal": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "ver": { + "ignore_above": 1024, + "type": "keyword" + }, + "virt": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm": { + "ignore_above": 1024, + "type": "keyword" + }, + "vm-ctx": { + "ignore_above": 1024, + "type": "keyword" + }, + "xdevice": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "data_stream": { - "properties": { - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "destination": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "device": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "manufacturer": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "properties": { - "identifier": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dll": { - "properties": { - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" }, - "type": "nested" - } - } - } - } - }, - "dns": { - "properties": { - "answers": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "ttl": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } }, - "type": "object" - }, - "header_flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "op_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "question": { - "properties": { - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "resolved_ip": { - "type": "ip" - }, - "response_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "email": { - "properties": { - "attachments": { - "properties": { - "file": { - "properties": { - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "compliance": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "publisher": { + "ignore_above": 1024, + "type": "keyword" + }, + "requirement": { + "properties": { + "description": { + "type": "match_only_text" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "title": { + "type": "match_only_text" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "stack_trace": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 2083, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "size": { - "type": "long" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "gen_ai": { + "properties": { + "agent": { + "properties": { + "description": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "operation": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "output": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "request": { + "properties": { + "choice": { + "properties": { + "count": { + "type": "integer" + } + } + }, + "encoding_formats": { + "ignore_above": 1024, + "type": "keyword" + }, + "frequency_penalty": { + "type": "double" + }, + "max_tokens": { + "type": "integer" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + }, + "presence_penalty": { + "type": "double" + }, + "seed": { + "type": "integer" + }, + "stop_sequences": { + "ignore_above": 1024, + "type": "keyword" + }, + "temperature": { + "type": "double" + }, + "top_k": { + "type": "double" + }, + "top_p": { + "type": "double" + } + } + }, + "response": { + "properties": { + "finish_reasons": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "system": { + "ignore_above": 1024, + "type": "keyword" + }, + "token": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tool": { + "properties": { + "call": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "usage": { + "properties": { + "input_tokens": { + "type": "integer" + }, + "output_tokens": { + "type": "integer" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } } } } }, - "type": "nested" - }, - "bcc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cc": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "content_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "delivery_timestamp": { - "type": "date" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "from": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "local_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "origination_timestamp": { - "type": "date" - }, - "reply_to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sender": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "to": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x_mailer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "error": { - "properties": { - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "stack_trace": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "event": { - "properties": { - "action": { - "ignore_above": 1024, - "type": "keyword" - }, - "agent_id_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "changed_fields": { - "ignore_above": 1024, - "type": "keyword" - }, - "code": { - "ignore_above": 1024, - "type": "keyword" - }, - "collector": { - "ignore_above": 1024, - "type": "keyword" - }, - "created": { - "type": "date" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "end": { - "type": "date" - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingested": { - "type": "date" - }, - "kind": { - "ignore_above": 1024, - "type": "keyword" - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "outcome": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk_score": { - "type": "float" - }, - "risk_score_norm": { - "type": "float" - }, - "sequence": { - "type": "long" - }, - "severity": { - "type": "long" - }, - "start": { - "type": "date" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 2083, - "type": "keyword" - } - } - }, - "faas": { - "properties": { - "coldstart": { - "type": "boolean" - }, - "execution": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trigger": { - "properties": { - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "continent_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "continent_name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "gen_ai": { - "properties": { - "agent": { - "properties": { - "description": { - "doc_values": false, - "index": false, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "operation": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "output": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "request": { - "properties": { - "choice": { - "properties": { - "count": { - "type": "integer" - } - } - }, - "encoding_formats": { - "ignore_above": 1024, - "type": "keyword" - }, - "frequency_penalty": { - "type": "double" - }, - "max_tokens": { - "type": "integer" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - }, - "presence_penalty": { - "type": "double" - }, - "seed": { - "type": "integer" - }, - "stop_sequences": { - "ignore_above": 1024, - "type": "keyword" - }, - "temperature": { - "type": "double" - }, - "top_k": { - "type": "double" - }, - "top_p": { - "type": "double" - } - } - }, - "response": { - "properties": { - "finish_reasons": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "model": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "system": { - "ignore_above": 1024, - "type": "keyword" - }, - "token": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tool": { - "properties": { - "call": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "usage": { - "properties": { - "input_tokens": { - "type": "integer" - }, - "output_tokens": { - "type": "integer" - } - } - } - } - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "host": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "boot": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "cpu": { - "properties": { - "cores": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "speed": { - "type": "long" - }, - "usage": { - "scaling_factor": 1000, - "type": "scaled_float" } }, - "type": "object" - }, - "disk": { - "properties": { - "read": { - "properties": { - "bytes": { - "type": "long" - } + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } }, - "write": { - "properties": { - "bytes": { - "type": "long" - } - } - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "memory": { - "properties": { - "free": { - "type": "long" - }, - "total": { - "type": "long" - }, - "used": { - "properties": { - "percentage": { - "type": "long" + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } }, - "type": "object" - } - }, - "type": "object" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "network": { - "properties": { - "egress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - }, - "ingress": { - "properties": { - "bytes": { - "type": "long" - }, - "drops": { - "type": "long" - }, - "errors": { - "type": "long" - }, - "packets": { - "type": "long" - }, - "queue": { - "type": "long" - } - } - } - } - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pid_ns_ino": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uptime": { - "type": "long" - } - } - }, - "http": { - "properties": { - "request": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "method": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "referrer": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "response": { - "properties": { - "body": { - "properties": { - "bytes": { - "type": "long" - }, - "content": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "bytes": { - "type": "long" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "status_code": { - "type": "long" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "log": { - "properties": { - "file": { - "properties": { - "path": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "level": { - "ignore_above": 1024, - "type": "keyword" - }, - "logger": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin": { - "properties": { - "file": { - "properties": { - "line": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "function": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "syslog": { - "properties": { - "appname": { - "ignore_above": 1024, - "type": "keyword" - }, - "facility": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "msgid": { - "ignore_above": 1024, - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "procid": { - "ignore_above": 1024, - "type": "keyword" - }, - "severity": { - "properties": { - "code": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "structured_data": { - "type": "flat_object" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "object" - } - } - }, - "macos_uls": { - "properties": { - "auth_method": { - "ignore_above": 1024, - "type": "keyword" - }, - "ipc_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "macos_entitlement": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "message": { - "ignore_above": 1024, - "type": "keyword" - }, - "microsoft": { - "properties": { - "dhcp": { - "properties": { - "correlation_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhc_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dns_error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "duid_hex": { - "ignore_above": 1024, - "type": "keyword" - }, - "duid_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "probation_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "q_result": { - "ignore_above": 1024, - "type": "keyword" - }, - "relay_agent_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "result_description": { - "ignore_above": 1024, - "type": "keyword" - }, - "subnet_prefix": { - "ignore_above": 1024, - "type": "keyword" - }, - "transaction_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_hex": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_hex": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_string": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "dnsserver_analytical_additional_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_cache_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_dnssec": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_elapsed_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_packet_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_policy_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_queries_attached": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_qxid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_reason": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_recursion_depth": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_recursion_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_secure": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_analytical_zone_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_active_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_base64_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_child_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_client_subnet_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_client_subnet_record": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_condition": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_criteria": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_crypto_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_current_rollover_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_current_state": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_denial_of_existence": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_digest": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_digest_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_distribute_trust_anchor": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ds_record_generation_algorithmAction": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ds_record_set_ttl": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ds_signature_validity_period": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_enable_rfc_5011_key_rollover": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_errors_per_second": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_event_string": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_forwarders": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_friendly_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_initial_rollover_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ipv4_prefix_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ipv6_prefix_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_is_enabled": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_is_key_master_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_master_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_or_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_record_set_ttl": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_signature_validity_period": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_storage_provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_tag": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_key_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_ksk_or_zsk": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_last_rollover_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_leak_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_listen_addresses": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_master_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_name_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_new_friendly_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_new_property_values": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_new_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_new_value": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_next_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_next_rollover_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_next_rollover_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_node_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_nsec3_hash_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_nsec3_iterations": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_nsec3_opt_out": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_nsec3_random_salt_length": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_nsec3_user_salt": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_old_friendly_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_old_property_values": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_old_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_parent_has_secure_delegation": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_policy": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_processing_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_propagation_time": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_property_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_recursion_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_resolved_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_response_per_second": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_rollover_period": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_rollover_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_rrl_exception_list": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scavenge_servers": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scope_weight": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scope_weight_new": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scope_weight_old": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_scopes": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_secure_delegation_polling_period": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_seized_or_transfered": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_setting": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_signature_inception_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_standby_key": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_store_keys_in_AD": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_subtree_aging": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_tc_rate": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_total_responses_in_window": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_virtualization_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_window_size": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_with_new_keys": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_with_without": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_zone": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_zone_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "dnsserver_audit_zone_signature_validity_period": { - "ignore_above": 1024, - "type": "keyword" - }, - "exchange": { - "properties": { - "account_forest_latency_breakup": { - "ignore_above": 1024, - "type": "keyword" - }, - "activity_context_lifetime": { - "type": "long" - }, - "ad_latency": { - "type": "long" - }, - "anchor_mailbox": { - "ignore_above": 1024, - "type": "keyword" - }, - "auth_module_perf_context": { - "ignore_above": 1024, - "type": "keyword" - }, - "authenticated_user": { - "ignore_above": 1024, - "type": "keyword" - }, - "authentication_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_cookie": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_generic_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "backend_processing_latency": { - "type": "long" - }, - "backend_request_init_latency": { - "type": "long" - }, - "backend_request_stream_latency": { - "type": "long" - }, - "backend_response_init_latency": { - "type": "long" - }, - "backend_response_stream_latency": { - "type": "long" - }, - "backend_status": { - "type": "long" - }, - "build_version": { - "type": "long" - }, - "calculate_target_backend_latency": { - "type": "long" - }, - "cip": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_ip_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "client_request_stream_latency": { - "type": "long" - }, - "client_response_stream_latency": { - "type": "long" - }, - "command": { - "ignore_above": 1024, - "type": "keyword" - }, - "connector_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "context": { - "ignore_above": 1024, - "type": "keyword" - }, - "core_latency": { - "type": "long" - }, - "custom_data": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "database_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "duration": { - "type": "long" - }, - "edge_trace_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "error_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "event": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "generic_errors": { - "ignore_above": 1024, - "type": "keyword" - }, - "generic_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "gls_latency_breakup": { - "ignore_above": 1024, - "type": "keyword" - }, - "handler_completion_latency": { - "type": "long" - }, - "handler_to_module_switching_latency": { - "type": "long" - }, - "http_pipeline_latency": { - "type": "long" - }, - "http_proxy_overhead": { - "type": "long" - }, - "internal_message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "is_authenticated": { - "type": "boolean" - }, - "kerberos_auth_header_latency": { - "type": "long" - }, - "local_endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "log_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "major_version": { - "type": "long" - }, - "message_info": { - "ignore_above": 1024, - "type": "keyword" - }, - "minor_version": { - "type": "long" - }, - "module_to_handler_switching_latency": { - "type": "long" - }, - "network_message_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_client_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_server_ip": { - "ignore_above": 1024, - "type": "keyword" - }, - "parameters": { - "ignore_above": 1024, - "type": "keyword" - }, - "partition_endpoint_lookup_latency": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "protocol_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_action": { - "ignore_above": 1024, - "type": "keyword" - }, - "proxy_time": { - "type": "long" - }, - "puid": { - "ignore_above": 1024, - "type": "keyword" - }, - "recipient_count": { - "type": "long" - }, - "recipient_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "related_recipient_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "remote_endpoint": { - "ignore_above": 1024, - "type": "keyword" - }, - "request_handler_latency": { - "type": "long" - }, - "request_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource_forest_latency_breakup": { - "ignore_above": 1024, - "type": "keyword" - }, - "return_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "revision_version": { - "type": "long" - }, - "route_refresher_latency": { - "type": "long" - }, - "routing_hint": { - "ignore_above": 1024, - "type": "keyword" - }, - "routing_latency": { - "type": "long" - }, - "routing_status": { - "ignore_above": 1024, - "type": "keyword" - }, - "routing_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "rpsize": { - "type": "long" - }, - "rqsize": { - "type": "long" - }, - "schema_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "sender_address": { - "ignore_above": 1024, - "type": "keyword" - }, - "sequence_number": { - "type": "long" - }, - "server_locator_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "server_locator_latency": { - "type": "long" - }, - "session_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "shared_cache_latency_breakup": { - "ignore_above": 1024, - "type": "keyword" - }, - "sip": { - "ignore_above": 1024, - "type": "keyword" - }, - "source": { - "ignore_above": 1024, - "type": "keyword" - }, - "source_context": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_outstanding_requests": { - "type": "long" - }, - "target_server": { - "ignore_above": 1024, - "type": "keyword" - }, - "target_server_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "tenant_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_account_forest_latency": { - "type": "long" - }, - "total_gls_latency": { - "type": "long" - }, - "total_request_time": { - "type": "long" - }, - "total_resource_forest_latency": { - "type": "long" - }, - "total_shared_cache_latency": { - "type": "long" - }, - "transport_traffic_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url_host": { - "ignore_above": 1024, - "type": "keyword" - }, - "url_stem": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" - }, - "user_ad_object_guid": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "network": { - "properties": { - "application": { - "ignore_above": 1024, - "type": "keyword" - }, - "broadcast": { - "type": "ip" - }, - "bytes": { - "type": "long" - }, - "community_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "dhcp": { - "ignore_above": 1024, - "type": "keyword" - }, - "direction": { - "ignore_above": 1024, - "type": "keyword" - }, - "forwarded_ip": { - "type": "ip" - }, - "gateway": { - "type": "ip" - }, - "iana_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "inner": { - "properties": { - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } } } } }, - "type": "object" - }, - "metric": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "netmask": { - "type": "ip" - }, - "packets": { - "type": "long" - }, - "protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "transport": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } }, - "name": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + } + } + }, + "macos_uls": { + "properties": { + "auth_method": { + "ignore_above": 1024, + "type": "keyword" + }, + "ipc_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "macos_entitlement": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "message": { + "ignore_above": 1024, + "type": "keyword" + }, + "microsoft": { + "properties": { + "dhcp": { + "properties": { + "correlation_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhc_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dns_error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid_hex": { + "ignore_above": 1024, + "type": "keyword" + }, + "duid_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "probation_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "q_result": { + "ignore_above": 1024, + "type": "keyword" + }, + "relay_agent_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "result_description": { + "ignore_above": 1024, + "type": "keyword" + }, + "subnet_prefix": { + "ignore_above": 1024, + "type": "keyword" + }, + "transaction_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_hex": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_hex": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_string": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "dnsserver_analytical_additional_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_cache_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_dnssec": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_elapsed_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_packet_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_policy_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_queries_attached": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_qxid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_recursion_depth": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_recursion_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_secure": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_analytical_zone_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_active_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_base64_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_child_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_client_subnet_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_client_subnet_record": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_criteria": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_crypto_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_current_rollover_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_current_state": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_denial_of_existence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_digest": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_digest_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_distribute_trust_anchor": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ds_record_generation_algorithmAction": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ds_record_set_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ds_signature_validity_period": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_enable_rfc_5011_key_rollover": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_errors_per_second": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_event_string": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_forwarders": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_friendly_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_initial_rollover_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ipv4_prefix_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ipv6_prefix_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_is_enabled": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_is_key_master_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_master_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_or_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_record_set_ttl": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_signature_validity_period": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_storage_provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_tag": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_key_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_ksk_or_zsk": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_last_rollover_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_leak_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_listen_addresses": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_master_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_name_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_new_friendly_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_new_property_values": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_new_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_new_value": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_next_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_next_rollover_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_next_rollover_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_node_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_nsec3_hash_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_nsec3_iterations": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_nsec3_opt_out": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_nsec3_random_salt_length": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_nsec3_user_salt": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_old_friendly_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_old_property_values": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_old_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_parent_has_secure_delegation": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_policy": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_processing_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_propagation_time": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_property_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_recursion_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_resolved_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_response_per_second": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_rollover_period": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_rollover_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_rrl_exception_list": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scavenge_servers": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scope_weight": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scope_weight_new": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scope_weight_old": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_scopes": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_secure_delegation_polling_period": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_seized_or_transfered": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_setting": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_signature_inception_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_standby_key": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_store_keys_in_AD": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_subtree_aging": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_tc_rate": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_total_responses_in_window": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_virtualization_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_window_size": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_with_new_keys": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_with_without": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_zone_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "dnsserver_audit_zone_signature_validity_period": { + "ignore_above": 1024, + "type": "keyword" + }, + "exchange": { + "properties": { + "account_forest_latency_breakup": { + "ignore_above": 1024, + "type": "keyword" + }, + "activity_context_lifetime": { + "type": "long" + }, + "ad_latency": { + "type": "long" + }, + "anchor_mailbox": { + "ignore_above": 1024, + "type": "keyword" + }, + "auth_module_perf_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "authenticated_user": { + "ignore_above": 1024, + "type": "keyword" + }, + "authentication_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_cookie": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_generic_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "backend_processing_latency": { + "type": "long" + }, + "backend_request_init_latency": { + "type": "long" + }, + "backend_request_stream_latency": { + "type": "long" + }, + "backend_response_init_latency": { + "type": "long" + }, + "backend_response_stream_latency": { + "type": "long" + }, + "backend_status": { + "type": "long" + }, + "build_version": { + "type": "long" + }, + "calculate_target_backend_latency": { + "type": "long" + }, + "cip": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_ip_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "client_request_stream_latency": { + "type": "long" + }, + "client_response_stream_latency": { + "type": "long" + }, + "command": { + "ignore_above": 1024, + "type": "keyword" + }, + "connector_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "context": { + "ignore_above": 1024, + "type": "keyword" + }, + "core_latency": { + "type": "long" + }, + "custom_data": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "database_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "edge_trace_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "error_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "event": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "generic_errors": { + "ignore_above": 1024, + "type": "keyword" + }, + "generic_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "gls_latency_breakup": { + "ignore_above": 1024, + "type": "keyword" + }, + "handler_completion_latency": { + "type": "long" + }, + "handler_to_module_switching_latency": { + "type": "long" + }, + "http_pipeline_latency": { + "type": "long" + }, + "http_proxy_overhead": { + "type": "long" + }, + "internal_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "is_authenticated": { + "type": "boolean" + }, + "kerberos_auth_header_latency": { + "type": "long" + }, + "local_endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "log_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "major_version": { + "type": "long" + }, + "message_info": { + "ignore_above": 1024, + "type": "keyword" + }, + "minor_version": { + "type": "long" + }, + "module_to_handler_switching_latency": { + "type": "long" + }, + "network_message_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_client_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_server_ip": { + "ignore_above": 1024, + "type": "keyword" + }, + "parameters": { + "ignore_above": 1024, + "type": "keyword" + }, + "partition_endpoint_lookup_latency": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "protocol_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_action": { + "ignore_above": 1024, + "type": "keyword" + }, + "proxy_time": { + "type": "long" + }, + "puid": { + "ignore_above": 1024, + "type": "keyword" + }, + "recipient_count": { + "type": "long" + }, + "recipient_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "related_recipient_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "remote_endpoint": { + "ignore_above": 1024, + "type": "keyword" + }, + "request_handler_latency": { + "type": "long" + }, + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource_forest_latency_breakup": { + "ignore_above": 1024, + "type": "keyword" + }, + "return_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "revision_version": { + "type": "long" + }, + "route_refresher_latency": { + "type": "long" + }, + "routing_hint": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_latency": { + "type": "long" + }, + "routing_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "routing_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "rpsize": { + "type": "long" + }, + "rqsize": { + "type": "long" + }, + "schema_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "sender_address": { + "ignore_above": 1024, + "type": "keyword" + }, + "sequence_number": { + "type": "long" + }, + "server_locator_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "server_locator_latency": { + "type": "long" + }, + "session_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "shared_cache_latency_breakup": { + "ignore_above": 1024, + "type": "keyword" + }, + "sip": { + "ignore_above": 1024, + "type": "keyword" + }, + "source": { + "ignore_above": 1024, + "type": "keyword" + }, + "source_context": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_outstanding_requests": { + "type": "long" + }, + "target_server": { + "ignore_above": 1024, + "type": "keyword" + }, + "target_server_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "tenant_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_account_forest_latency": { + "type": "long" + }, + "total_gls_latency": { + "type": "long" + }, + "total_request_time": { + "type": "long" + }, + "total_resource_forest_latency": { + "type": "long" + }, + "total_shared_cache_latency": { + "type": "long" + }, + "transport_traffic_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_host": { + "ignore_above": 1024, + "type": "keyword" + }, + "url_stem": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + }, + "user_ad_object_guid": { + "ignore_above": 1024, + "type": "keyword" + } } } } - } - }, - "observer": { - "properties": { - "egress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "observer": { - "properties": { - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hostname": { - "ignore_above": 1024, - "type": "keyword" - }, - "ingress": { - "properties": { - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "zone": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "orchestrator": { - "properties": { - "api_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "cluster": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "namespace": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "resource": { - "properties": { - "annotation": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "label": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "organization": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "package": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "build_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "checksum": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "install_scope": { - "ignore_above": 1024, - "type": "keyword" - }, - "installed": { - "type": "date" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "policy": { - "properties": { - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "references": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "powershell": { - "properties": { - "command": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "script_block_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "script_block_text": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sequence": { - "type": "long" - }, - "total": { - "type": "long" - } - } - }, - "process": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "name": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "attested_groups": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "attested_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "entry_meta": { - "properties": { - "source": { - "properties": { - "ip": { - "type": "ip" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } + "url": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "version": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "env_vars": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "io": { - "properties": { - "bytes_skipped": { - "properties": { - "length": { - "type": "long" - }, - "offset": { - "type": "long" - } - }, - "type": "object" - }, - "max_bytes_per_process_exceeded": { - "type": "boolean" - }, - "text": { - "ignore_above": 1024, - "type": "keyword" - }, - "total_bytes_captured": { - "type": "long" - }, - "total_bytes_skipped": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "end": { - "type": "date" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "exit_code": { - "type": "long" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "group_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "macho": { - "properties": { - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - }, - "symhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" } } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } - }, - "type": "nested" - } - } - }, - "pid": { - "type": "long" - }, - "previous": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "session_leader": { - "properties": { - "args": { - "ignore_above": 1024, - "type": "keyword" - }, - "args_count": { - "type": "long" - }, - "command_line": { - "ignore_above": 1024, - "type": "keyword" - }, - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "executable": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "interactive": { - "type": "boolean" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "parent": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "session_leader": { - "properties": { - "entity_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "start": { - "type": "date" - }, - "vpid": { - "type": "long" - } - } - }, - "pid": { - "type": "long" - }, - "real_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "real_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "same_as_process": { - "type": "boolean" - }, - "saved_group": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "saved_user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - } - }, - "type": "object" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "start": { - "type": "date" - }, - "supplemental_groups": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "thread": { - "properties": { - "capabilities": { - "properties": { - "effective": { - "ignore_above": 1024, - "type": "keyword" - }, - "permitted": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "id": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "title": { - "ignore_above": 1024, - "type": "keyword" - }, - "tty": { - "properties": { - "char_device": { - "properties": { - "major": { - "type": "long" - }, - "minor": { - "type": "long" - } - } - }, - "columns": { - "type": "long" - }, - "rows": { - "type": "long" } }, - "type": "object" - }, - "uptime": { - "type": "long" - }, - "user": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + "type": { + "ignore_above": 1024, + "type": "keyword" } - }, - "vpid": { - "type": "long" - }, - "working_directory": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" } - } - }, - "related": { - "properties": { - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "hosts": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "user": { - "ignore_above": 1024, - "type": "keyword" + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "rule": { - "properties": { - "author": { - "ignore_above": 1024, - "type": "keyword" - }, - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "license": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "ruleset": { - "ignore_above": 1024, - "type": "keyword" - }, - "uuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "server": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "powershell": { + "properties": { + "command": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" } } - } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "service": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "origin": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "environment": { - "ignore_above": 1024, - "type": "keyword" - }, - "ephemeral_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "role": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "state": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "source": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "file": { + "properties": { + "script_block_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "script_block_text": { + "ignore_above": 1024, + "type": "keyword" } } + }, + "sequence": { + "type": "long" + }, + "total": { + "type": "long" } - }, - "bytes": { - "type": "long" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "mac": { - "ignore_above": 1024, - "type": "keyword" - }, - "nat": { - "properties": { - "ip": { - "type": "ip" - }, - "port": { - "type": "long" - } - } - }, - "packets": { - "type": "long" - }, - "port": { - "type": "long" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "user": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" } - } - } - } - }, - "span": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "sysmon": { - "properties": { - "dns": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "file": { - "properties": { - "archived": { - "type": "boolean" - }, - "is_executable": { - "type": "boolean" - } - } - } - } - }, - "threat": { - "properties": { - "enrichments": { - "properties": { - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" } } } }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } } } }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "ignore_above": 1024, + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" } }, - "created": { - "type": "date" + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } }, - "ctime": { - "type": "date" + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "device": { - "ignore_above": 1024, - "type": "keyword" + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "ignore_above": 1024, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sysmon": { + "properties": { + "dns": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "archived": { + "type": "boolean" + }, + "is_executable": { + "type": "boolean" + } + } + } + } + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } + "exists": { + "type": "boolean" }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" - } + "flags": { + "ignore_above": 1024, + "type": "keyword" }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "object" - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "index": { - "ignore_above": 1024, - "type": "keyword" - }, - "occurred": { - "type": "date" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - }, - "type": "nested" - }, - "feed": { - "properties": { - "dashboard_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "framework": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "indicator": { - "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "file": { - "properties": { - "accessed": { - "type": "date" - }, - "attributes": { - "ignore_above": 1024, - "type": "keyword" - }, - "code_signature": { - "properties": { - "digest_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "exists": { - "type": "boolean" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "signing_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "team_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "thumbprint_sha256": { - "ignore_above": 64, - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "trusted": { - "type": "boolean" - }, - "valid": { - "type": "boolean" - } - } - }, - "created": { - "type": "date" - }, - "ctime": { - "type": "date" - }, - "device": { - "ignore_above": 1024, - "type": "keyword" - }, - "directory": { - "ignore_above": 1024, - "type": "keyword" - }, - "drive_letter": { - "ignore_above": 1, - "type": "keyword" - }, - "elf": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "byte_order": { - "ignore_above": 1024, - "type": "keyword" - }, - "cpu_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "creation_date": { - "type": "date" - }, - "exports": { - "type": "flat_object" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "header": { - "properties": { - "abi_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "class": { - "ignore_above": 1024, - "type": "keyword" - }, - "data": { - "ignore_above": 1024, - "type": "keyword" - }, - "entrypoint": { - "type": "long" - }, - "object_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "os_abi": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "sections": { - "properties": { - "chi2": { - "type": "long" - }, - "entropy": { - "type": "long" - }, - "flags": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_offset": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "var_entropy": { - "type": "long" - }, - "virtual_address": { - "type": "long" - }, - "virtual_size": { - "type": "long" } }, - "type": "nested" - }, - "segments": { - "properties": { - "sections": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - }, - "shared_libraries": { - "ignore_above": 1024, - "type": "keyword" - }, - "telfhash": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fork_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "gid": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "cdhash": { - "ignore_above": 1024, - "type": "keyword" - }, - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha384": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - }, - "ssdeep": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlsh": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "inode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mime_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mode": { - "ignore_above": 1024, - "type": "keyword" - }, - "mtime": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "origin_referrer_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "origin_url": { - "ignore_above": 8192, - "type": "keyword" - }, - "owner": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "pe": { - "properties": { - "architecture": { - "ignore_above": 1024, - "type": "keyword" - }, - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "go_imports": { - "type": "flat_object" - }, - "go_imports_names_entropy": { - "type": "long" - }, - "go_imports_names_var_entropy": { - "type": "long" - }, - "go_stripped": { - "type": "boolean" - }, - "imphash": { - "ignore_above": 1024, - "type": "keyword" - }, - "import_hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "imports": { - "type": "flat_object" - }, - "imports_names_entropy": { - "type": "long" - }, - "imports_names_var_entropy": { - "type": "long" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "pehash": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - }, - "sections": { - "properties": { - "entropy": { - "type": "long" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "physical_size": { - "type": "long" - }, - "var_entropy": { - "type": "long" - }, - "virtual_size": { - "type": "long" + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } } }, - "type": "nested" - } - } - }, - "size": { - "type": "long" - }, - "target_path": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "uid": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "postal_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "timezone": { - "ignore_above": 1024, - "type": "keyword" - } + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - }, - "tlp_version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "modified_at": { - "type": "date" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "registry": { - "properties": { - "data": { - "properties": { - "bytes": { - "ignore_above": 1024, - "type": "keyword" - }, - "strings": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hive": { - "ignore_above": 1024, - "type": "keyword" - }, - "key": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "value": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "software": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platforms": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "technique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "subtechnique": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - } - } - }, - "tls": { - "properties": { - "cipher": { - "ignore_above": 1024, - "type": "keyword" - }, - "client": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "server_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "supported_ciphers": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "established": { - "type": "boolean" - }, - "next_protocol": { - "ignore_above": 1024, - "type": "keyword" - }, - "resumed": { - "type": "boolean" - }, - "server": { - "properties": { - "certificate": { - "ignore_above": 1024, - "type": "keyword" - }, - "certificate_chain": { - "ignore_above": 1024, - "type": "keyword" - }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "issuer": { - "ignore_above": 1024, - "type": "keyword" - }, - "ja3s": { - "ignore_above": 1024, - "type": "keyword" - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "subject": { - "ignore_above": 1024, - "type": "keyword" - }, - "x509": { - "properties": { - "alternative_names": { - "ignore_above": 1024, - "type": "keyword" - }, - "issuer": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "not_after": { - "type": "date" - }, - "not_before": { - "type": "date" - }, - "public_key_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_curve": { - "ignore_above": 1024, - "type": "keyword" - }, - "public_key_exponent": { - "doc_values": false, - "index": false, - "type": "long" - }, - "public_key_size": { - "type": "long" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "signature_algorithm": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject": { - "properties": { - "common_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country": { - "ignore_above": 1024, - "type": "keyword" - }, - "distinguished_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "locality": { - "ignore_above": 1024, - "type": "keyword" - }, - "organization": { - "ignore_above": 1024, - "type": "keyword" - }, - "organizational_unit": { - "ignore_above": 1024, - "type": "keyword" - }, - "state_or_province": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version_number": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - }, - "version_protocol": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "trace": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "transaction": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "url": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "extension": { - "ignore_above": 1024, - "type": "keyword" - }, - "fragment": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "password": { - "ignore_above": 1024, - "type": "keyword" - }, - "path": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "query": { - "ignore_above": 2083, - "type": "keyword" - }, - "registered_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "scheme": { - "ignore_above": 1024, - "type": "keyword" - }, - "subdomain": { - "ignore_above": 1024, - "type": "keyword" - }, - "top_level_domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "username": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "user": { - "properties": { - "changes": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "effective": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "risk": { - "properties": { - "calculated_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "calculated_score": { - "type": "float" - }, - "calculated_score_norm": { - "type": "float" - }, - "static_level": { - "ignore_above": 1024, - "type": "keyword" - }, - "static_score": { - "type": "float" - }, - "static_score_norm": { - "type": "float" - } - } - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - }, - "target": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "ignore_above": 1024, - "type": "keyword" - }, - "full_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "group": { - "properties": { - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "hash": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "roles": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "user_agent": { - "properties": { - "device": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "original": { - "ignore_above": 1024, - "type": "keyword" - }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "volume": { - "properties": { - "bus_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "default_access": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "device_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "dos_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_system_type": { - "ignore_above": 1024, - "type": "keyword" - }, - "mount_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "nt_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "product_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "removable": { - "type": "boolean" - }, - "serial_number": { - "ignore_above": 1024, - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "writable": { - "type": "boolean" - } - } - }, - "vulnerability": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "classification": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "enumeration": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "report_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner": { - "properties": { - "reference": { - "ignore_above": 1024, - "type": "keyword" - }, - "vendor": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "score": { - "properties": { - "base": { - "type": "float" - }, - "environmental": { - "type": "float" - }, - "temporal": { - "type": "float" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "severity": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "wazuh": { - "properties": { - "cluster": { - "properties": { - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "node": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "integration": { - "properties": { - "category": { - "ignore_above": 1024, - "type": "keyword" - }, - "decoders": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "rules": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "protocol": { - "properties": { - "location": { - "ignore_above": 1024, - "type": "keyword" - }, - "queue": { - "type": "byte" - } - } - }, - "schema": { - "properties": { - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "windows": { - "properties": { - "EventData": { - "properties": { - "AuthenticationPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "ElevatedToken": { - "ignore_above": 1024, - "type": "keyword" - }, - "ImpersonationLevel": { - "ignore_above": 1024, - "type": "keyword" - }, - "IpAddress": { - "type": "ip" - }, - "IpPort": { - "type": "long" - }, - "KeyLength": { - "type": "long" - }, - "LmPackageName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonGuid": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "LogonType": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessId": { - "ignore_above": 1024, - "type": "keyword" - }, - "ProcessName": { - "ignore_above": 1024, - "type": "keyword" - }, - "RestrictedAdminMode": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "SubjectUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLinkedLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetLogonId": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetOutboundDomainName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetOutboundUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserName": { - "ignore_above": 1024, - "type": "keyword" - }, - "TargetUserSid": { - "ignore_above": 1024, - "type": "keyword" - }, - "TransmittedServices": { - "ignore_above": 1024, - "type": "keyword" - }, - "VirtualAccount": { - "ignore_above": 1024, - "type": "keyword" - }, - "WorkstationName": { - "ignore_above": 1024, - "type": "keyword" } }, - "type": "object" - }, - "System": { - "properties": { - "Channel": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" - } + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" } - }, - "Computer": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } - } - }, - "Correlation": { - "properties": { - "@ActivityID": { - "ignore_above": 1024, - "type": "keyword" + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "EventID": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "thumbprint_sha256": { + "ignore_above": 64, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "cdhash": { + "ignore_above": 1024, + "type": "keyword" + }, + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin_referrer_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "origin_url": { + "ignore_above": 8192, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } } - } - }, - "EventRecordID": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "Execution": { - "properties": { - "@ProcessID": { - "ignore_above": 1024, - "type": "keyword" - }, - "@ThreadID": { - "ignore_above": 1024, - "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "Keywords": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "Level": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } } - } - }, - "Opcode": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "Provider": { - "properties": { - "@Guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "@Name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "Task": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "TimeCreated": { - "properties": { - "@SystemTime": { - "type": "date" - } - } - }, - "Version": { - "properties": { - "#text": { - "ignore_above": 1024, - "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } } } } }, - "type": "object" - }, - "logon": { - "properties": { - "channel": { - "ignore_above": 1024, - "type": "keyword" - }, - "computer_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "event_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "failure": { - "properties": { - "status": { - "ignore_above": 1024, - "type": "keyword" + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } } } - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "keywords": { - "ignore_above": 1024, - "type": "keyword" - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "thread": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 2083, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "volume": { + "properties": { + "bus_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "default_access": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "device_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "dos_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_system_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mount_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "nt_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "product_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "removable": { + "type": "boolean" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "vendor_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "writable": { + "type": "boolean" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "integration": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "protocol": { + "properties": { + "location": { + "ignore_above": 1024, + "type": "keyword" + }, + "queue": { + "type": "byte" + } + } + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "windows": { + "properties": { + "EventData": { + "properties": { + "AuthenticationPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "ElevatedToken": { + "ignore_above": 1024, + "type": "keyword" + }, + "ImpersonationLevel": { + "ignore_above": 1024, + "type": "keyword" + }, + "IpAddress": { + "type": "ip" + }, + "IpPort": { + "type": "long" + }, + "KeyLength": { + "type": "long" + }, + "LmPackageName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonGuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "LogonType": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessId": { + "ignore_above": 1024, + "type": "keyword" + }, + "ProcessName": { + "ignore_above": 1024, + "type": "keyword" + }, + "RestrictedAdminMode": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "SubjectUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLinkedLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetLogonId": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetOutboundDomainName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetOutboundUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserName": { + "ignore_above": 1024, + "type": "keyword" + }, + "TargetUserSid": { + "ignore_above": 1024, + "type": "keyword" + }, + "TransmittedServices": { + "ignore_above": 1024, + "type": "keyword" + }, + "VirtualAccount": { + "ignore_above": 1024, + "type": "keyword" + }, + "WorkstationName": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "System": { + "properties": { + "Channel": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Computer": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Correlation": { + "properties": { + "@ActivityID": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "EventID": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "EventRecordID": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Execution": { + "properties": { + "@ProcessID": { + "ignore_above": 1024, + "type": "keyword" + }, + "@ThreadID": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Keywords": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Level": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Opcode": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Provider": { + "properties": { + "@Guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "@Name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "Task": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "TimeCreated": { + "properties": { + "@SystemTime": { + "type": "date" + } + } + }, + "Version": { + "properties": { + "#text": { + "ignore_above": 1024, + "type": "keyword" } } } }, - "provider_guid": { - "ignore_above": 1024, - "type": "keyword" - }, - "provider_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "record_id": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" + "type": "object" + }, + "logon": { + "properties": { + "channel": { + "ignore_above": 1024, + "type": "keyword" + }, + "computer_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "event_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "failure": { + "properties": { + "status": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "keywords": { + "ignore_above": 1024, + "type": "keyword" + }, + "process": { + "properties": { + "pid": { + "type": "long" + }, + "thread": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "provider_guid": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "record_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } } } } } } } - }, - "order": 1, - "settings": { - "index": { - "auto_expand_replicas": "0-1", - "max_docvalue_fields_search": 200, - "number_of_replicas": "0", - "number_of_shards": "3", - "query.default_field": [ - "agent.host.architecture", - "agent.host.ip", - "agent.id", - "agent.name", - "agent.version", - "wazuh.cluster.name", - "wazuh.cluster.node", - "wazuh.schema.version" - ], - "refresh_interval": "2s" - }, - "mapping.nested_fields.limit": 50, - "mapping.total_fields.limit": 3000, - "plugins.index_state_management.rollover_alias": "wazuh-events-v5-system-activity" } } diff --git a/plugins/setup/src/test/java/com/wazuh/setup/index/IndexStateManagementTests.java b/plugins/setup/src/test/java/com/wazuh/setup/index/IndexStateManagementTests.java index 86023bb6..71ee1d82 100644 --- a/plugins/setup/src/test/java/com/wazuh/setup/index/IndexStateManagementTests.java +++ b/plugins/setup/src/test/java/com/wazuh/setup/index/IndexStateManagementTests.java @@ -29,10 +29,9 @@ import org.opensearch.transport.client.Client; import org.opensearch.transport.client.IndicesAdminClient; import java.io.IOException; -import java.util.HashMap; import java.util.Map; -import com.wazuh.setup.utils.IndexUtils; +import com.wazuh.setup.utils.JsonUtils; import static org.mockito.Mockito.*; @@ -42,7 +41,7 @@ public class IndexStateManagementTests extends OpenSearchTestCase { private IndexStateManagement ismIndex; private Client client; private IndicesAdminClient indicesAdminClient; - private IndexUtils indexUtils; + private JsonUtils jsonUtils; @Override public void setUp() throws Exception { @@ -51,7 +50,7 @@ public class IndexStateManagementTests extends OpenSearchTestCase { this.client = mock(Client.class); AdminClient adminClient = mock(AdminClient.class); this.indicesAdminClient = mock(IndicesAdminClient.class); - this.indexUtils = mock(IndexUtils.class); + this.jsonUtils = mock(JsonUtils.class); // Default settings ClusterService clusterService = mock(ClusterService.class); @@ -62,9 +61,9 @@ public class IndexStateManagementTests extends OpenSearchTestCase { doReturn(this.indicesAdminClient).when(adminClient).indices(); this.ismIndex = - spy(new IndexStateManagement(IndexStateManagement.ISM_INDEX_NAME, "ism-template")); + spy(new IndexStateManagement(IndexStateManagement.ISM_INDEX_NAME, "templates/ism-config")); this.ismIndex.setClient(this.client); - this.ismIndex.setIndexUtils(this.indexUtils); + this.ismIndex.setUtils(this.jsonUtils); this.ismIndex.setClusterService(clusterService); } @@ -75,33 +74,33 @@ public class IndexStateManagementTests extends OpenSearchTestCase { * @throws IOException if an error occurs while reading the policy file */ public void testInitialize_CreatesIndexAndPolicies() throws IOException { - Map template = new HashMap<>(); - template.put("settings", Settings.builder().build()); - template.put("mappings", Map.of()); - + // Mock indexExists to return false so createIndex is called doReturn(false).when(this.ismIndex).indexExists(IndexStateManagement.ISM_INDEX_NAME); - doReturn(template).when(this.indexUtils).fromFile("ism-template.json"); - doReturn(template.get("mappings")).when(this.indexUtils).get(template, "mappings"); + // Mock the CreateIndexResponse CreateIndexResponse createResponse = mock(CreateIndexResponse.class); doReturn(IndexStateManagement.ISM_INDEX_NAME).when(createResponse).index(); - ActionFuture actionFuture = mock(ActionFuture.class); - - doReturn(actionFuture).when(this.indicesAdminClient).create(any(CreateIndexRequest.class)); + ActionFuture createIndexFuture = mock(ActionFuture.class); + doReturn(createResponse).when(createIndexFuture).actionGet(anyLong()); + doReturn(createIndexFuture).when(this.indicesAdminClient).create(any(CreateIndexRequest.class)); + // Mock the policy file loading Map policyFile = Map.of("policy", "definition"); doReturn(policyFile) - .when(this.indexUtils) + .when(this.jsonUtils) .fromFile(IndexStateManagement.STREAM_ROLLOVER_POLICY_PATH); - doReturn(actionFuture).when(this.client).index(any(IndexRequest.class)); - - doReturn(createResponse).when(actionFuture).actionGet(anyLong()); + // Mock the policy indexing + ActionFuture indexFuture = mock(ActionFuture.class); + doReturn(indexFuture).when(this.client).index(any(IndexRequest.class)); + doReturn(null).when(indexFuture).actionGet(anyLong()); this.ismIndex.initialize(); + // Verify that the index was created with the correct request verify(this.indicesAdminClient).create(any(CreateIndexRequest.class)); + // Verify that the policy was indexed verify(this.client).index(any(IndexRequest.class)); } @@ -128,7 +127,7 @@ public class IndexStateManagementTests extends OpenSearchTestCase { public void testPolicyFileMissing_LogsError() throws IOException { doReturn(true).when(this.ismIndex).indexExists(IndexStateManagement.ISM_INDEX_NAME); doThrow(new IOException("file not found")) - .when(indexUtils) + .when(jsonUtils) .fromFile(IndexStateManagement.STREAM_ROLLOVER_POLICY_PATH); this.ismIndex.initialize(); @@ -147,9 +146,7 @@ public class IndexStateManagementTests extends OpenSearchTestCase { doReturn(true).when(this.ismIndex).indexExists(IndexStateManagement.ISM_INDEX_NAME); Map policyFile = Map.of("policy", "definition"); - doReturn(policyFile) - .when(indexUtils) - .fromFile(IndexStateManagement.STREAM_ROLLOVER_POLICY_PATH); + doReturn(policyFile).when(jsonUtils).fromFile(IndexStateManagement.STREAM_ROLLOVER_POLICY_PATH); doThrow(new ResourceAlreadyExistsException("already exists")) .when(this.client) .index(any(IndexRequest.class)); @@ -158,4 +155,14 @@ public class IndexStateManagementTests extends OpenSearchTestCase { // Verifies that exception is caught and logged } + + /** + * Verifies that IOException while reading a file is caught and logged. + * + * @throws IOException if there is an error reading the file + */ + public void testFileIOException() throws IOException { + doThrow(new IOException("Test failed successfully")).when(this.jsonUtils).fromFile(anyString()); + this.ismIndex.indexPolicy("test-template"); + } } diff --git a/plugins/setup/src/test/java/com/wazuh/setup/index/IndexTests.java b/plugins/setup/src/test/java/com/wazuh/setup/index/IndexTests.java index 3d3b1570..069c7fac 100644 --- a/plugins/setup/src/test/java/com/wazuh/setup/index/IndexTests.java +++ b/plugins/setup/src/test/java/com/wazuh/setup/index/IndexTests.java @@ -18,7 +18,6 @@ package com.wazuh.setup.index; import org.opensearch.action.admin.indices.create.CreateIndexRequest; import org.opensearch.action.admin.indices.create.CreateIndexResponse; -import org.opensearch.action.admin.indices.template.put.PutIndexTemplateRequest; import org.opensearch.action.support.clustermanager.AcknowledgedResponse; import org.opensearch.cluster.ClusterState; import org.opensearch.cluster.routing.RoutingTable; @@ -30,11 +29,7 @@ import org.opensearch.transport.client.AdminClient; import org.opensearch.transport.client.Client; import org.opensearch.transport.client.IndicesAdminClient; -import java.io.IOException; -import java.util.List; -import java.util.Map; - -import com.wazuh.setup.utils.IndexUtils; +import com.wazuh.setup.utils.JsonUtils; import static org.mockito.Mockito.*; @@ -42,21 +37,22 @@ import static org.mockito.Mockito.*; public class IndexTests extends OpenSearchTestCase { private Index index; + private Client client; private IndicesAdminClient indicesAdminClient; private RoutingTable routingTable; - private IndexUtils indexUtils; + private JsonUtils jsonUtils; @Override public void setUp() throws Exception { super.setUp(); - Client client = mock(Client.class); + this.client = mock(Client.class); AdminClient adminClient = mock(AdminClient.class); this.indicesAdminClient = mock(IndicesAdminClient.class); ClusterService clusterService = mock(ClusterService.class); this.routingTable = mock(RoutingTable.class); ClusterState clusterState = mock(ClusterState.class); - this.indexUtils = mock(IndexUtils.class); + this.jsonUtils = mock(JsonUtils.class); // Default settings Settings settings = Settings.builder().build(); @@ -64,11 +60,11 @@ public class IndexTests extends OpenSearchTestCase { // Concrete implementation of abstract class this.index = new Index("test-index", "test-template") {}; - this.index.setClient(client); + this.index.setClient(this.client); this.index.setClusterService(clusterService); - this.index.setIndexUtils(indexUtils); + this.index.setUtils(jsonUtils); - doReturn(adminClient).when(client).admin(); + doReturn(adminClient).when(this.client).admin(); doReturn(this.indicesAdminClient).when(adminClient).indices(); doReturn(clusterState).when(clusterService).state(); doReturn(this.routingTable).when(clusterState).getRoutingTable(); @@ -98,43 +94,21 @@ public class IndexTests extends OpenSearchTestCase { verify(this.indicesAdminClient, never()).create(any()); } - /** - * Verifies that template creation is successful when valid data is returned from file. - * - * @throws IOException if there is an error reading the template file - */ - public void testCreateTemplateSuccess() throws IOException { - Map templateMap = - Map.of( - "settings", Settings.builder().build(), - "mappings", Map.of(), - "index_patterns", List.of("test-*")); - - doReturn(templateMap).when(this.indexUtils).fromFile("test-template.json"); - doReturn(templateMap.get("mappings")).when(this.indexUtils).get(templateMap, "mappings"); - + /** Verifies that template creation is successful when valid data is returned from file. */ + public void testCreateTemplateSuccess() { + // Mock the response for client.execute() AcknowledgedResponse ackResponse = mock(AcknowledgedResponse.class); ActionFuture actionFuture = mock(ActionFuture.class); doReturn(ackResponse).when(actionFuture).actionGet(anyLong()); - doReturn(actionFuture) - .when(this.indicesAdminClient) - .putTemplate(any(PutIndexTemplateRequest.class)); - this.index.createTemplate("test-template"); - verify(this.indicesAdminClient).putTemplate(any(PutIndexTemplateRequest.class)); - } + // Mock client.execute() which is what createTemplate actually uses + doReturn(actionFuture).when(this.client).execute(any(), any()); - /** - * Verifies that IOException while reading template file is caught and logged. - * - * @throws IOException if there is an error reading the template file - */ - public void testCreateTemplateIOException() throws IOException { - doThrow(new IOException("test")).when(this.indexUtils).fromFile("test-template.json"); + // Call createTemplate with a real template file that exists + this.index.createTemplate("templates/ism-config"); - this.index.createTemplate("test-template"); - - // Expect error to be logged but not thrown + // Verify that client.execute was called + verify(this.client).execute(any(), any()); } /** Verifies that initialize() invokes both createTemplate and createIndex in order. */ diff --git a/plugins/setup/src/test/java/com/wazuh/setup/index/StreamIndexTests.java b/plugins/setup/src/test/java/com/wazuh/setup/index/StreamIndexTests.java index c1b811c7..0243cc01 100644 --- a/plugins/setup/src/test/java/com/wazuh/setup/index/StreamIndexTests.java +++ b/plugins/setup/src/test/java/com/wazuh/setup/index/StreamIndexTests.java @@ -16,9 +16,7 @@ */ package com.wazuh.setup.index; -import org.opensearch.action.admin.indices.alias.Alias; -import org.opensearch.action.admin.indices.create.CreateIndexRequest; -import org.opensearch.action.admin.indices.create.CreateIndexResponse; +import org.opensearch.action.support.clustermanager.AcknowledgedResponse; import org.opensearch.cluster.ClusterState; import org.opensearch.cluster.routing.RoutingTable; import org.opensearch.cluster.service.ClusterService; @@ -29,7 +27,7 @@ import org.opensearch.transport.client.AdminClient; import org.opensearch.transport.client.Client; import org.opensearch.transport.client.IndicesAdminClient; -import com.wazuh.setup.utils.IndexUtils; +import com.wazuh.setup.utils.JsonUtils; import static org.mockito.ArgumentMatchers.any; import static org.mockito.Mockito.*; @@ -37,9 +35,9 @@ import static org.mockito.Mockito.*; /** Unit tests for the {@link StreamIndex} class. */ public class StreamIndexTests extends OpenSearchTestCase { + private static final String STREAM_INDEX = "stream-index"; private StreamIndex streamIndex; private IndicesAdminClient indicesAdminClient; - private RoutingTable routingTable; @Override public void setUp() throws Exception { @@ -49,57 +47,56 @@ public class StreamIndexTests extends OpenSearchTestCase { AdminClient adminClient = mock(AdminClient.class); this.indicesAdminClient = mock(IndicesAdminClient.class); ClusterService clusterService = mock(ClusterService.class); - this.routingTable = mock(RoutingTable.class); + RoutingTable routingTable = mock(RoutingTable.class); ClusterState clusterState = mock(ClusterState.class); // Default settings Settings settings = Settings.builder().build(); doReturn(settings).when(clusterService).getSettings(); - this.streamIndex = new StreamIndex("stream-index", "stream-template", "stream-alias"); + this.streamIndex = new StreamIndex(STREAM_INDEX, "stream-template"); this.streamIndex.setClient(client); this.streamIndex.setClusterService(clusterService); - this.streamIndex.setIndexUtils(mock(IndexUtils.class)); + this.streamIndex.setUtils(mock(JsonUtils.class)); doReturn(adminClient).when(client).admin(); doReturn(this.indicesAdminClient).when(adminClient).indices(); doReturn(clusterState).when(clusterService).state(); - doReturn(this.routingTable).when(clusterState).getRoutingTable(); + doReturn(routingTable).when(clusterState).getRoutingTable(); } /** - * Verifies that createIndex adds the alias and calls the create method when the index does not - * exist. + * Verifies that createIndex handles ResourceAlreadyExistsException gracefully when the data + * stream already exists. */ - public void testCreateIndexWithAlias() { - doReturn(false).when(this.routingTable).hasIndex("stream-index"); + public void testCreateIndexWhenAlreadyExists() { + // Mock createDataStream to throw ResourceAlreadyExistsException + ActionFuture actionFuture = mock(ActionFuture.class); + doThrow(new org.opensearch.ResourceAlreadyExistsException("Data stream already exists")) + .when(actionFuture) + .actionGet(anyLong()); + doReturn(actionFuture).when(this.indicesAdminClient).createDataStream(any()); + + // Should not throw exception - it should be caught and logged + this.streamIndex.createIndex(STREAM_INDEX); + + // Verify createDataStream was called once + verify(this.indicesAdminClient).createDataStream(any()); + } + + /** Verifies that createIndex successfully creates a data stream when it doesn't exist. */ + public void testCreateIndexSuccess() { + // Mock successful data stream creation + AcknowledgedResponse response = mock(AcknowledgedResponse.class); + // doReturn(true).when(response).isAcknowledged(); - CreateIndexResponse response = mock(CreateIndexResponse.class); - doReturn("stream-index").when(response).index(); ActionFuture actionFuture = mock(ActionFuture.class); doReturn(response).when(actionFuture).actionGet(anyLong()); - doReturn(actionFuture).when(this.indicesAdminClient).create(any(CreateIndexRequest.class)); + doReturn(actionFuture).when(this.indicesAdminClient).createDataStream(any()); - this.streamIndex.createIndex("stream-index"); + this.streamIndex.createIndex(STREAM_INDEX); - verify(this.indicesAdminClient) - .create( - argThat( - req -> { - Alias alias = req.aliases().stream().findFirst().orElse(null); - return req.index().equals("stream-index") - && alias != null - && "stream-alias".equals(alias.name()) - && Boolean.TRUE.equals(alias.writeIndex()); - })); - } - - /** Verifies that createIndex skips index creation if the index already exists. */ - public void testCreateIndexWhenAlreadyExists() { - doReturn(true).when(this.routingTable).hasIndex("stream-index"); - - this.streamIndex.createIndex("stream-index"); - - verify(this.indicesAdminClient, never()).create(any()); + // Verify createDataStream was called + verify(this.indicesAdminClient).createDataStream(any()); } }