From c26e75f50511ea85dc923635642a5ccc022157d7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz=20Becerra?= Date: Tue, 19 Aug 2025 09:59:27 +0200 Subject: [PATCH] Add index definition for stateless indices (#554) * Add index definition for stateless indices Backported from 6.0.0 * Add module to the the automation list Extend event generator with SCA stuff * Force automation run * Revert * Update ECS templates for modified modules: stateless * Add back ISM settings and automate the creation of the index template for the wazuh-archives indices * Update ECS templates for modified modules: stateless * Update script * Trigger automation * Update ECS templates for modified modules: stateless * Fix output path for the generated archives template * Update ECS templates for modified modules: stateless * Increase mappings limit * Add trailing new lines --------- Co-authored-by: Wazuh Indexer Bot --- CHANGELOG.md | 1 + ecs/generator/images/generator.sh | 32 +- ecs/scripts/generate-and-push-templates.sh | 9 + ecs/stateless/docs/README.md | 13 + ecs/stateless/docs/fields.csv | 1870 +++ .../event-generator/event_generator.py | 164 + ecs/stateless/fields/custom/agent.yml | 15 + ecs/stateless/fields/custom/check.yml | 99 + ecs/stateless/fields/custom/event.yml | 21 + ecs/stateless/fields/custom/host.yml | 97 + ecs/stateless/fields/custom/interface.yml | 30 + ecs/stateless/fields/custom/network.yml | 38 + ecs/stateless/fields/custom/os.yml | 6 + ecs/stateless/fields/custom/policy.yml | 40 + ecs/stateless/fields/custom/risk.yml | 6 + ecs/stateless/fields/custom/vulnerability.yml | 15 + ecs/stateless/fields/custom/wazuh.yml | 38 + ecs/stateless/fields/mapping-settings.json | 4 + ecs/stateless/fields/subset.yml | 602 + .../fields/template-settings-legacy.json | 24 + ecs/stateless/fields/template-settings.json | 26 + .../main/resources/index-template-alerts.json | 10806 +++++++++++---- .../resources/index-template-archives.json | 11126 ++++++++++++---- 23 files changed, 19652 insertions(+), 5430 deletions(-) create mode 100644 
ecs/stateless/docs/README.md
create mode 100644 ecs/stateless/docs/fields.csv
create mode 100644 ecs/stateless/event-generator/event_generator.py
create mode 100644 ecs/stateless/fields/custom/agent.yml
create mode 100644 ecs/stateless/fields/custom/check.yml
create mode 100644 ecs/stateless/fields/custom/event.yml
create mode 100644 ecs/stateless/fields/custom/host.yml
create mode 100644 ecs/stateless/fields/custom/interface.yml
create mode 100644 ecs/stateless/fields/custom/network.yml
create mode 100644 ecs/stateless/fields/custom/os.yml
create mode 100644 ecs/stateless/fields/custom/policy.yml
create mode 100644 ecs/stateless/fields/custom/risk.yml
create mode 100644 ecs/stateless/fields/custom/vulnerability.yml
create mode 100644 ecs/stateless/fields/custom/wazuh.yml
create mode 100644 ecs/stateless/fields/mapping-settings.json
create mode 100644 ecs/stateless/fields/subset.yml
create mode 100644 ecs/stateless/fields/template-settings-legacy.json
create mode 100644 ecs/stateless/fields/template-settings.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 721c74d6..f9d11cdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Add documentation for default users and roles (RBAC) [(#535)](https://github.com/wazuh/wazuh-indexer-plugins/pull/535)
 - Implement retry mechanism to the initialization plugin [(#541)](https://github.com/wazuh/wazuh-indexer-plugins/pull/541)
 - Add documentation for reporting plugin [(#544)](https://github.com/wazuh/wazuh-indexer-plugins/pull/544)
+- Add index definition for stateless indices [(#554)](https://github.com/wazuh/wazuh-indexer-plugins/pull/554)
 ### Dependencies
 -
diff --git a/ecs/generator/images/generator.sh b/ecs/generator/images/generator.sh
index 2af0e21e..27c7fdcf 100755
--- a/ecs/generator/images/generator.sh
+++ b/ecs/generator/images/generator.sh
@@ -80,24 +80,32 @@ generate_mappings() {
 local out_file="$out_dir/generated/elasticsearch/legacy/template-tmp.json"
 local csv_file="$out_dir/generated/csv/fields.csv"
- # Delete the "tags" field from the index template
- echo "Deleting the \"tags\" field from the index template"
- jq 'del(.mappings.properties.tags)' "$in_file" > "$out_file"
- mv "$out_file" "$in_file"
-
 # Remove multi-fields from the generated index template
 echo "Removing multi-fields from the index template"
 remove_multi_fields "$in_file" "$out_file"
 mv "$out_file" "$in_file"
- # Delete the "@timestamp" field from the index template
- echo "Deleting the \"@timestamp\" field from the index template"
- jq 'del(.mappings.properties."@timestamp")' "$in_file" > "$out_file"
- mv "$out_file" "$in_file"
+ if [ "$ECS_MODULE" != "stateless" ]; then
+ # Delete the "tags" field from the index template
+ echo "Deleting the \"tags\" field from the index template"
+ jq 'del(.mappings.properties.tags)' "$in_file" > "$out_file"
+ mv "$out_file" "$in_file"
- # Delete the "@timestamp" and "tags" fields from the csv file
- echo "Deleting the \"@timestamp\" and \"tags\" fields from the CSV file"
- sed -i '/@timestamp/d; /tags/d' "$csv_file"
+ # Delete the "@timestamp" field from the index template
+ echo "Deleting the \"@timestamp\" field from the index template"
+ jq 'del(.mappings.properties."@timestamp")' "$in_file" > "$out_file"
+ mv "$out_file" "$in_file"
+
+ # Delete the "@timestamp" field from the csv file
+ echo "Deleting the \"@timestamp\" and \"tags\" fields from the CSV file"
+ sed -i '/@timestamp/d; /tags/d' "$csv_file"
+ else
+ # Generate the template for `wazuh-archives`
+ echo "Generating template for 'wazuh-archives'"
+ archives_file="$out_dir/generated/elasticsearch/legacy/template-archives.json"
+ cp "$in_file" "$archives_file"
+ sed -i 's/wazuh-alerts/wazuh-archives/g' "$archives_file"
+ fi
 # Transform legacy index template for OpenSearch compatibility
 jq '{
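Review bot: The comment `# Delete the "@timestamp" field from the csv file` in the non-stateless branch no longer describes the two lines below it, whose echo and `sed -i '/@timestamp/d; /tags/d' "$csv_file"` still delete both the `@timestamp` and the `tags` rows; `# Delete the "@timestamp" and "tags" fields from the csv file` keeps the comment honest. Those sed patterns are unanchored substring matches, so any row whose description merely contains `tags` is removed as well (the fields.csv added by this same patch carries `container.image.tag,...,Container image tags.`, which such a pattern would hit if that field appears in a non-stateless module); matching on the Field column, `sed -i -E '/^([^,]*,){3}(@timestamp|tags),/d' "$csv_file"`, limits the deletion to the intended rows. In the stateless branch `archives_file` is assigned without `local`, unlike `out_file` and `csv_file` at the top of the hunk, so it leaks into the caller's scope; `local archives_file="$out_dir/generated/elasticsearch/legacy/template-archives.json"` keeps it function-scoped. generate_mappings continues past the end of the hunk.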
diff --git a/ecs/scripts/generate-and-push-templates.sh b/ecs/scripts/generate-and-push-templates.sh
index a7ca6465..c6ed8d56 100644
--- a/ecs/scripts/generate-and-push-templates.sh
+++ b/ecs/scripts/generate-and-push-templates.sh
@@ -69,6 +69,7 @@ detect_modified_modules() {
 # Mapping section
 module_to_file=(
+ [stateless]="index-template-alerts.json"
 [states-fim-files]="index-template-fim-files.json"
 [states-fim-registry-keys]="index-template-fim-registry-keys.json"
 [states-fim-registry-values]="index-template-fim-registry-values.json"
@@ -166,6 +167,14 @@ commit_and_push_changes() {
 mkdir -p "$documentation_dir"
 echo " - Copy the updated csv definitions for module '$ecs_module' to '$documentation_dir'"
 cp "$CURRENT_PATH/ecs/$ecs_module/$CSV_SUBPATH" "$documentation_dir"
+
+ # Generate archives index template from the alerts one
+ if [ "$ecs_module" == "stateless" ]; then
+ target_file="$TEMPLATES_PATH/index-template-archives.json"
+ echo " - Generate template for module '$ecs_module/archives' to '$target_file'"
+ cp "$CURRENT_PATH/ecs/$ecs_module/$MAPPINGS_SUBPATH" "$target_file"
+ sed -i 's/wazuh-alerts/wazuh-archives/g' "$target_file"
+ fi
 done
 git status --short
diff --git a/ecs/stateless/docs/README.md b/ecs/stateless/docs/README.md
new file mode 100644
index 00000000..bed6e06e
--- /dev/null
+++ b/ecs/stateless/docs/README.md
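Review bot: The archives template is now produced twice with the same `sed -i 's/wazuh-alerts/wazuh-archives/g'` rewrite: here in commit_and_push_changes, over a fresh copy of the module's alerts template, and in generator.sh, which this same patch teaches to emit a `template-archives.json` beside the generated alerts template; two independent derivations of one artifact will drift the first time either is touched. Copying the generator's archives output into `$target_file` instead of re-deriving it keeps a single source of truth, and if the substitution stays here the comment should say that it rewrites every occurrence of the string in the JSON, not only the index pattern. `target_file` is also assigned without `local` inside the function; `local target_file="$TEMPLATES_PATH/index-template-archives.json"` keeps it scoped. The `for` loop closed by `done` begins outside the hunk, and the first hunk registers only the alerts template under `[stateless]`, which is presumably why the archives file needs this special case.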
@@ -0,0 +1,13 @@
+## `wazuh-alerts-5.x` time series index
+
+The `wazuh-alerts-*` indices store events received from monitored endpoints that trigger alerts when they match a detection rule.
+
+This is a time-based (stateless) index. The `wazuh-archives-5.x` index uses the same mappings and settings. The template is generated programatically off the `wazuh-alerts-5.x` index.
+
+### Fields summary
+
+For this stage, we are using all the fields of the ECS. Dynamic mode is temporarily set to `false` to avoid the creation of new fields while allowing the indexing of events containing fields not in the schema. These fields can be retrieved from the original event (`_source`).
+
+- [ECS main mappings](https://github.com/elastic/ecs/blob/v8.11.0/schemas/subsets/main.yml)
+
+The detail of the fields can be found in csv file [Stateless Fields](fields.csv).
\ No newline at end of file
diff --git a/ecs/stateless/docs/fields.csv b/ecs/stateless/docs/fields.csv
new file mode 100644
index 00000000..dbb6c05a
--- /dev/null
+++ b/ecs/stateless/docs/fields.csv
@@ -0,0 +1,1870 @@
+ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
+8.11.0,true,base,@timestamp,date,core,,2016-05-23T08:05:34.853Z,Date/time when the event originated.
+8.11.0,true,base,labels,object,core,,"{""application"": ""foo-bar"", ""env"": ""production""}",Custom key/value pairs.
+8.11.0,true,base,message,keyword,core,,Hello World,Log message optimized for viewing in a log viewer.
+8.11.0,true,base,tags,keyword,core,array,"[""production"", ""env2""]",List of keywords used to tag each event.
+8.11.0,true,agent,agent.build.original,keyword,core,,"metricbeat version 7.6.0 (amd64), libbeat 7.6.0 [6a23e8f8f30f5001ba344e4e54d8d9cb82cb107c built 2020-02-05 23:10:10 +0000 UTC]",Extended build information for the agent.
+8.11.0,true,agent,agent.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this agent.
+8.11.0,true,agent,agent.groups,keyword,custom,array,"[""group1"", ""group2""]",List of groups the agent belongs to.
+8.11.0,true,agent,agent.host.architecture,keyword,core,,x86_64,Operating system architecture.
+8.11.0,true,agent,agent.host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id
+8.11.0,true,agent,agent.host.cpu,object,custom,,"""name"": ""Intel(R) Core(TM) i7-7700HQ CPU"", ""cores"": 4, ""speed"": 2800",CPU-related data.
+8.11.0,true,agent,agent.host.cpu.cores,long,custom,,4,Number of CPU cores.
+8.11.0,true,agent,agent.host.cpu.name,keyword,custom,,Intel(R) Core(TM) i7-7700HQ CPU,CPU Model name.
+8.11.0,true,agent,agent.host.cpu.speed,long,custom,,2800,CPU clock speed.
+8.11.0,true,agent,agent.host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.11.0,true,agent,agent.host.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.11.0,true,agent,agent.host.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.11.0,true,agent,agent.host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of.
+8.11.0,true,agent,agent.host.geo.city_name,keyword,core,,Montreal,City name.
+8.11.0,true,agent,agent.host.geo.continent_code,keyword,core,,NA,Continent code.
+8.11.0,true,agent,agent.host.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.11.0,true,agent,agent.host.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.11.0,true,agent,agent.host.geo.country_name,keyword,core,,Canada,Country name.
+8.11.0,true,agent,agent.host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.11.0,true,agent,agent.host.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.11.0,true,agent,agent.host.geo.postal_code,keyword,core,,94040,Postal code.
+8.11.0,true,agent,agent.host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.11.0,true,agent,agent.host.geo.region_name,keyword,core,,Quebec,Region name.
+8.11.0,true,agent,agent.host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.11.0,true,agent,agent.host.hostname,keyword,core,,,Hostname of the host.
+8.11.0,true,agent,agent.host.id,keyword,core,,,Unique host id.
+8.11.0,true,agent,agent.host.ip,ip,core,array,,Host ip addresses.
+8.11.0,true,agent,agent.host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses.
+8.11.0,true,agent,agent.host.memory,object,custom,,"""total"": 100000, ""free"": 90000, ""used"": {""percentage"": 10}",Memory-related data.
+8.11.0,true,agent,agent.host.memory.free,long,custom,,1024,Free memory in MB.
+8.11.0,true,agent,agent.host.memory.total,long,custom,,1024,Total memory in MB.
+8.11.0,true,agent,agent.host.memory.used,object,custom,,"""percentage"": 10",Used memory-related data.
+8.11.0,true,agent,agent.host.memory.used.percentage,long,custom,,10,Used memory percentage.
+8.11.0,true,agent,agent.host.name,keyword,core,,,Name of the host.
+8.11.0,true,agent,agent.host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.11.0,true,agent,agent.host.network.egress.drops,long,custom,,10,Number of dropped transmitted packets.
+8.11.0,true,agent,agent.host.network.egress.errors,long,custom,,10,Number of transmission errors.
+8.11.0,true,agent,agent.host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces.
+8.11.0,true,agent,agent.host.network.egress.queue,long,custom,,10,Transmit queue length.
+8.11.0,true,agent,agent.host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.11.0,true,agent,agent.host.network.ingress.drops,long,custom,,10,Number of dropped received packets.
+8.11.0,true,agent,agent.host.network.ingress.errors,long,custom,,10,Number of reception errors.
+8.11.0,true,agent,agent.host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces.
+8.11.0,true,agent,agent.host.network.ingress.queue,long,custom,,10,Receive queue length.
+8.11.0,true,agent,agent.host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)."
+8.11.0,true,agent,agent.host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.11.0,true,agent,agent.host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name."
+8.11.0,true,agent,agent.host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string.
+8.11.0,true,agent,agent.host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.11.0,true,agent,agent.host.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version."
+8.11.0,true,agent,agent.host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)."
+8.11.0,true,agent,agent.host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)."
+8.11.0,true,agent,agent.host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string.
+8.11.0,true,agent,agent.host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode
+8.11.0,true,agent,agent.host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring.
+8.11.0,true,agent,agent.host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring.
+8.11.0,true,agent,agent.host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system.
+8.11.0,true,agent,agent.host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform."
+8.11.0,true,agent,agent.host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform."
+8.11.0,true,agent,agent.host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system.
+8.11.0,true,agent,agent.host.type,keyword,core,,,Type of host.
+8.11.0,true,agent,agent.host.uptime,long,extended,,1325,Seconds the host has been up.
+8.11.0,true,agent,agent.id,keyword,core,,8a4f500d,Unique identifier of this agent.
+8.11.0,true,agent,agent.name,keyword,core,,foo,Custom name of the agent.
+8.11.0,true,agent,agent.type,keyword,core,,filebeat,Type of the agent.
+8.11.0,true,agent,agent.version,keyword,core,,6.0.0-rc2,Version of the agent.
+8.11.0,true,check,check.compliance,keyword,custom,array,"[""cis:1.1.1"",""cis_csc:5.2""]",CIS compliance standard.
+8.11.0,true,check,check.condition,keyword,custom,,all,Relationship between the rules.
+8.11.0,true,check,check.description,keyword,custom,,"""The password history setting determines the number of unique new passwords a user must use before an old password can be reused.""",Extended description of the check.
+8.11.0,true,check,check.id,keyword,custom,,26000,The ID of the SCA policy check.
+8.11.0,true,check,check.name,keyword,custom,,Ensure 'Enforce password history' is set to '24 or more password(s)'.,The name of the SCA policy check.
+8.11.0,true,check,check.rationale,keyword,custom,,"""The longer a user uses the same password, the more likely it is that the password will be compromised.""",The reason for the check. Why it is important.
+8.11.0,true,check,check.reason,keyword,custom,,"""The password history setting is not set to 24 or more password(s).""",Reason for the check result.
+8.11.0,true,check,check.references,keyword,custom,array,"[""https://workbench.cisecurity.org""]",References for the check.
+8.11.0,true,check,check.remediation,keyword,custom,,"""To establish the recommended configuration, set the following registry value to 24 or more password(s):""",Actions to take to remediate the check.
+8.11.0,true,check,check.result,keyword,custom,,failed,Result of the check.
+8.11.0,true,check,check.rules,keyword,custom,array,"""[\""c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"","" > ""\""c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\""]""",Rules to be evaluated.
+8.11.0,true,client,client.address,keyword,extended,,,Client network address.
+8.11.0,true,client,client.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.11.0,true,client,client.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.11.0,true,client,client.as.organization.name.text,keyword,extended,,Google LLC,Organization name.
+8.11.0,true,client,client.bytes,long,core,,184,Bytes sent from the client to the server.
+8.11.0,true,client,client.domain,keyword,core,,foo.example.com,The domain name of the client.
+8.11.0,true,client,client.geo.city_name,keyword,core,,Montreal,City name.
+8.11.0,true,client,client.geo.continent_code,keyword,core,,NA,Continent code.
+8.11.0,true,client,client.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.11.0,true,client,client.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.11.0,true,client,client.geo.country_name,keyword,core,,Canada,Country name.
+8.11.0,true,client,client.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.11.0,true,client,client.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.11.0,true,client,client.geo.postal_code,keyword,core,,94040,Postal code.
+8.11.0,true,client,client.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.11.0,true,client,client.geo.region_name,keyword,core,,Quebec,Region name.
+8.11.0,true,client,client.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.11.0,true,client,client.ip,ip,core,,,IP address of the client.
+8.11.0,true,client,client.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the client.
+8.11.0,true,client,client.nat.ip,ip,extended,,,Client NAT ip address
+8.11.0,true,client,client.nat.port,long,extended,,,Client NAT port
+8.11.0,true,client,client.packets,long,core,,12,Packets sent from the client to the server.
+8.11.0,true,client,client.port,long,core,,,Port of the client.
+8.11.0,true,client,client.registered_domain,keyword,extended,,example.com,"The highest registered client domain, stripped of the subdomain."
+8.11.0,true,client,client.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.11.0,true,client,client.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.11.0,true,client,client.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.11.0,true,client,client.user.email,keyword,extended,,,User email address.
+8.11.0,true,client,client.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.11.0,true,client,client.user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.11.0,true,client,client.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.11.0,true,client,client.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.11.0,true,client,client.user.group.name,keyword,extended,,,Name of the group.
+8.11.0,true,client,client.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.11.0,true,client,client.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.11.0,true,client,client.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,client,client.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,client,client.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.11.0,true,cloud,cloud.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.11.0,true,cloud,cloud.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.11.0,true,cloud,cloud.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.11.0,true,cloud,cloud.instance.name,keyword,extended,,,Instance name of the host machine.
+8.11.0,true,cloud,cloud.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.11.0,true,cloud,cloud.origin.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.11.0,true,cloud,cloud.origin.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.11.0,true,cloud,cloud.origin.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.origin.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.11.0,true,cloud,cloud.origin.instance.name,keyword,extended,,,Instance name of the host machine.
+8.11.0,true,cloud,cloud.origin.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.11.0,true,cloud,cloud.origin.project.id,keyword,extended,,my-project,The cloud project id.
+8.11.0,true,cloud,cloud.origin.project.name,keyword,extended,,my project,The cloud project name.
+8.11.0,true,cloud,cloud.origin.provider,keyword,extended,,aws,Name of the cloud provider.
+8.11.0,true,cloud,cloud.origin.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.origin.service.name,keyword,extended,,lambda,The cloud service name.
+8.11.0,true,cloud,cloud.project.id,keyword,extended,,my-project,The cloud project id.
+8.11.0,true,cloud,cloud.project.name,keyword,extended,,my project,The cloud project name.
+8.11.0,true,cloud,cloud.provider,keyword,extended,,aws,Name of the cloud provider.
+8.11.0,true,cloud,cloud.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.service.name,keyword,extended,,lambda,The cloud service name.
+8.11.0,true,cloud,cloud.target.account.id,keyword,extended,,666777888999,The cloud account or organization id.
+8.11.0,true,cloud,cloud.target.account.name,keyword,extended,,elastic-dev,The cloud account name.
+8.11.0,true,cloud,cloud.target.availability_zone,keyword,extended,,us-east-1c,"Availability zone in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.target.instance.id,keyword,extended,,i-1234567890abcdef0,Instance ID of the host machine.
+8.11.0,true,cloud,cloud.target.instance.name,keyword,extended,,,Instance name of the host machine.
+8.11.0,true,cloud,cloud.target.machine.type,keyword,extended,,t2.medium,Machine type of the host machine.
+8.11.0,true,cloud,cloud.target.project.id,keyword,extended,,my-project,The cloud project id.
+8.11.0,true,cloud,cloud.target.project.name,keyword,extended,,my project,The cloud project name.
+8.11.0,true,cloud,cloud.target.provider,keyword,extended,,aws,Name of the cloud provider.
+8.11.0,true,cloud,cloud.target.region,keyword,extended,,us-east-1,"Region in which this host, resource, or service is located."
+8.11.0,true,cloud,cloud.target.service.name,keyword,extended,,lambda,The cloud service name.
+8.11.0,true,container,container.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1."
+8.11.0,true,container,container.disk.read.bytes,long,extended,,,The number of bytes read by all disks.
+8.11.0,true,container,container.disk.write.bytes,long,extended,,,The number of bytes written on all disks.
+8.11.0,true,container,container.id,keyword,core,,,Unique container id.
+8.11.0,true,container,container.image.hash.all,keyword,extended,array,[sha256:f8fefc80e3273dc756f288a63945820d6476ad64883892c771b5e2ece6bf1b26],An array of digests of the image the container was built on.
+8.11.0,true,container,container.image.name,keyword,extended,,,Name of the image the container was built on.
+8.11.0,true,container,container.image.tag,keyword,extended,array,,Container image tags.
+8.11.0,true,container,container.labels,object,extended,,,Image labels.
+8.11.0,true,container,container.memory.usage,scaled_float,extended,,,"Percent memory used, between 0 and 1."
+8.11.0,true,container,container.name,keyword,extended,,,Container name.
+8.11.0,true,container,container.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces.
+8.11.0,true,container,container.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces.
+8.11.0,true,container,container.runtime,keyword,extended,,docker,Runtime managing this container.
+8.11.0,true,container,container.security_context.privileged,boolean,extended,,,Indicates whether the container is running in privileged mode.
+8.11.0,true,data_stream,data_stream.dataset,keyword,extended,,nginx.access,The field can contain anything that makes sense to signify the source of the data.
+8.11.0,true,data_stream,data_stream.namespace,keyword,extended,,production,A user defined namespace. Namespaces are useful to allow grouping of data.
+8.11.0,true,data_stream,data_stream.type,keyword,extended,,logs,An overarching type for the data stream.
+8.11.0,true,destination,destination.address,keyword,extended,,,Destination network address.
+8.11.0,true,destination,destination.as.number,long,extended,,15169,Unique number allocated to the autonomous system.
+8.11.0,true,destination,destination.as.organization.name,keyword,extended,,Google LLC,Organization name.
+8.11.0,true,destination,destination.as.organization.name.text,keyword,extended,,Google LLC,Organization name.
+8.11.0,true,destination,destination.bytes,long,core,,184,Bytes sent from the destination to the source.
+8.11.0,true,destination,destination.domain,keyword,core,,foo.example.com,The domain name of the destination.
+8.11.0,true,destination,destination.geo.city_name,keyword,core,,Montreal,City name.
+8.11.0,true,destination,destination.geo.continent_code,keyword,core,,NA,Continent code.
+8.11.0,true,destination,destination.geo.continent_name,keyword,core,,North America,Name of the continent.
+8.11.0,true,destination,destination.geo.country_iso_code,keyword,core,,CA,Country ISO code.
+8.11.0,true,destination,destination.geo.country_name,keyword,core,,Canada,Country name.
+8.11.0,true,destination,destination.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude.
+8.11.0,true,destination,destination.geo.name,keyword,extended,,boston-dc,User-defined description of a location.
+8.11.0,true,destination,destination.geo.postal_code,keyword,core,,94040,Postal code.
+8.11.0,true,destination,destination.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code.
+8.11.0,true,destination,destination.geo.region_name,keyword,core,,Quebec,Region name.
+8.11.0,true,destination,destination.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone.
+8.11.0,true,destination,destination.ip,ip,core,,,IP address of the destination.
+8.11.0,true,destination,destination.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the destination.
+8.11.0,true,destination,destination.nat.ip,ip,extended,,,Destination NAT ip
+8.11.0,true,destination,destination.nat.port,long,extended,,,Destination NAT Port
+8.11.0,true,destination,destination.packets,long,core,,12,Packets sent from the destination to the source.
+8.11.0,true,destination,destination.port,long,core,,,Port of the destination.
+8.11.0,true,destination,destination.registered_domain,keyword,extended,,example.com,"The highest registered destination domain, stripped of the subdomain."
+8.11.0,true,destination,destination.subdomain,keyword,extended,,east,The subdomain of the domain.
+8.11.0,true,destination,destination.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)."
+8.11.0,true,destination,destination.user.domain,keyword,extended,,,Name of the directory the user is a member of.
+8.11.0,true,destination,destination.user.email,keyword,extended,,,User email address.
+8.11.0,true,destination,destination.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.11.0,true,destination,destination.user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available."
+8.11.0,true,destination,destination.user.group.domain,keyword,extended,,,Name of the directory the group is a member of.
+8.11.0,true,destination,destination.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform.
+8.11.0,true,destination,destination.user.group.name,keyword,extended,,,Name of the group.
+8.11.0,true,destination,destination.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form.
+8.11.0,true,destination,destination.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user.
+8.11.0,true,destination,destination.user.name,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,destination,destination.user.name.text,keyword,core,,a.einstein,Short name or login of the user.
+8.11.0,true,destination,destination.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
+8.11.0,true,device,device.id,keyword,extended,,00000000-54b3-e7c7-0000-000046bffd97,The unique identifier of a device.
+8.11.0,true,device,device.manufacturer,keyword,extended,,Samsung,The vendor name of the device manufacturer.
+8.11.0,true,device,device.model.identifier,keyword,extended,,SM-G920F,The machine readable identifier of the device model.
+8.11.0,true,device,device.model.name,keyword,extended,,Samsung Galaxy S6,The human readable marketing name of the device model.
+8.11.0,true,dll,dll.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process.
+8.11.0,true,dll,dll.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present.
+8.11.0,true,dll,dll.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process.
+8.11.0,true,dll,dll.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status.
+8.11.0,true,dll,dll.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer
+8.11.0,true,dll,dll.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process.
+8.11.0,true,dll,dll.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed.
+8.11.0,true,dll,dll.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain.
+8.11.0,true,dll,dll.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content.
+8.11.0,true,dll,dll.hash.md5,keyword,extended,,,MD5 hash.
+8.11.0,true,dll,dll.hash.sha1,keyword,extended,,,SHA1 hash.
+8.11.0,true,dll,dll.hash.sha256,keyword,extended,,,SHA256 hash.
+8.11.0,true,dll,dll.hash.sha384,keyword,extended,,,SHA384 hash.
+8.11.0,true,dll,dll.hash.sha512,keyword,extended,,,SHA512 hash.
+8.11.0,true,dll,dll.hash.ssdeep,keyword,extended,,,SSDEEP hash.
+8.11.0,true,dll,dll.hash.tlsh,keyword,extended,,,TLSH hash.
+8.11.0,true,dll,dll.name,keyword,core,,kernel32.dll,Name of the library.
+8.11.0,true,dll,dll.path,keyword,extended,,C:\Windows\System32\kernel32.dll,Full file path of the library.
+8.11.0,true,dll,dll.pe.architecture,keyword,extended,,x64,CPU architecture target for the file.
+8.11.0,true,dll,dll.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time."
+8.11.0,true,dll,dll.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time."
+8.11.0,true,dll,dll.pe.file_version,keyword,extended,,6.3.9600.17415,Process name.
+8.11.0,true,dll,dll.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file.
+8.11.0,true,dll,dll.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,dll,dll.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,dll,dll.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,dll,dll.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,dll,dll.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.11.0,true,dll,dll.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,dll,dll.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,dll,dll.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,dll,dll.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,dll,dll.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,dll,dll.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,dll,dll.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.11.0,true,dll,dll.pe.sections,nested,extended,array,,Section information of the PE file. +8.11.0,true,dll,dll.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,dll,dll.pe.sections.name,keyword,extended,,,PE Section List name. +8.11.0,true,dll,dll.pe.sections.physical_size,long,extended,,,PE Section List physical size. 
+8.11.0,true,dll,dll.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,dll,dll.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,dns,dns.answers,object,extended,array,,Array of DNS answers. +8.11.0,true,dns,dns.answers.class,keyword,extended,,IN,The class of DNS data contained in this resource record. +8.11.0,true,dns,dns.answers.data,keyword,extended,,10.10.10.10,The data describing the resource. +8.11.0,true,dns,dns.answers.name,keyword,extended,,www.example.com,The domain name to which this resource record pertains. +8.11.0,true,dns,dns.answers.ttl,long,extended,,180,The time interval in seconds that this resource record may be cached before it should be discarded. +8.11.0,true,dns,dns.answers.type,keyword,extended,,CNAME,The type of data contained in this resource record. +8.11.0,true,dns,dns.header_flags,keyword,extended,array,"[""RD"", ""RA""]",Array of DNS header flags. +8.11.0,true,dns,dns.id,keyword,extended,,62111,The DNS packet identifier assigned by the program that generated the query. The identifier is copied to the response. +8.11.0,true,dns,dns.op_code,keyword,extended,,QUERY,The DNS operation code that specifies the kind of query in the message. +8.11.0,true,dns,dns.question.class,keyword,extended,,IN,The class of records being queried. +8.11.0,true,dns,dns.question.name,keyword,extended,,www.example.com,The name being queried. +8.11.0,true,dns,dns.question.registered_domain,keyword,extended,,example.com,"The highest registered domain, stripped of the subdomain." +8.11.0,true,dns,dns.question.subdomain,keyword,extended,,www,The subdomain of the domain. +8.11.0,true,dns,dns.question.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.11.0,true,dns,dns.question.type,keyword,extended,,AAAA,The type of record being queried. 
+8.11.0,true,dns,dns.resolved_ip,ip,extended,array,"[""10.10.10.10"", ""10.10.10.11""]",Array containing all IPs seen in answers.data +8.11.0,true,dns,dns.response_code,keyword,extended,,NOERROR,The DNS response code. +8.11.0,true,dns,dns.type,keyword,extended,,answer,"The type of DNS event captured, query or answer." +8.11.0,true,ecs,ecs.version,keyword,core,,1.0.0,ECS version this event conforms to. +8.11.0,true,email,email.attachments,nested,extended,array,,List of objects describing the attachments. +8.11.0,true,email,email.attachments.file.extension,keyword,extended,,txt,Attachment file extension. +8.11.0,true,email,email.attachments.file.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,email,email.attachments.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,email,email.attachments.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,email,email.attachments.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.11.0,true,email,email.attachments.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,email,email.attachments.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,email,email.attachments.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.11.0,true,email,email.attachments.file.mime_type,keyword,extended,,text/plain,MIME type of the attachment file. +8.11.0,true,email,email.attachments.file.name,keyword,extended,,attachment.txt,Name of the attachment file. +8.11.0,true,email,email.attachments.file.size,long,extended,,64329,Attachment file size. +8.11.0,true,email,email.bcc.address,keyword,extended,array,bcc.user1@example.com,Email address of BCC recipient +8.11.0,true,email,email.cc.address,keyword,extended,array,cc.user1@example.com,Email address of CC recipient +8.11.0,true,email,email.content_type,keyword,extended,,text/plain,MIME type of the email message. +8.11.0,true,email,email.delivery_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time when message was delivered. 
+8.11.0,true,email,email.direction,keyword,extended,,inbound,Direction of the message. +8.11.0,true,email,email.from.address,keyword,extended,array,sender@example.com,The sender's email address. +8.11.0,true,email,email.local_id,keyword,extended,,c26dbea0-80d5-463b-b93c-4e8b708219ce,Unique identifier given by the source. +8.11.0,true,email,email.message_id,keyword,extended,,81ce15$8r2j59@mail01.example.com,Value from the Message-ID header. +8.11.0,true,email,email.origination_timestamp,date,extended,,2020-11-10T22:12:34.8196921Z,Date and time the email was composed. +8.11.0,true,email,email.reply_to.address,keyword,extended,array,reply.here@example.com,Address replies should be delivered to. +8.11.0,true,email,email.sender.address,keyword,extended,,,Address of the message sender. +8.11.0,true,email,email.subject,keyword,extended,,Please see this important message.,The subject of the email message. +8.11.0,true,email,email.subject.text,keyword,extended,,Please see this important message.,The subject of the email message. +8.11.0,true,email,email.to.address,keyword,extended,array,user1@example.com,Email address of recipient +8.11.0,true,email,email.x_mailer,keyword,extended,,Spambot v2.5,Application that drafted email. +8.11.0,true,error,error.code,keyword,core,,,Error code describing the error. +8.11.0,true,error,error.id,keyword,core,,,Unique identifier for the error. +8.11.0,true,error,error.message,keyword,core,,,Error message. +8.11.0,true,error,error.stack_trace,keyword,extended,,,The stack trace of this error in plain text. +8.11.0,true,error,error.stack_trace.text,keyword,extended,,,The stack trace of this error in plain text. +8.11.0,true,error,error.type,keyword,extended,,java.lang.NullPointerException,"The type of the error, for example the class name of the exception." +8.11.0,true,event,event.action,keyword,core,,user-password-change,The action captured by the event. 
+8.11.0,true,event,event.agent_id_status,keyword,extended,,verified,Validation status of the event's agent.id field. +8.11.0,true,event,event.category,keyword,core,array,authentication,Event category. The second categorization field in the hierarchy. +8.11.0,true,event,event.changed_fields,keyword,custom,array,"[""foo"", ""bar""]",Fields that were updated since last scan. +8.11.0,true,event,event.code,keyword,extended,,4648,Identification code for this event. +8.11.0,true,event,event.collector,keyword,custom,,file,Collector used to retrieve the event. +8.11.0,true,event,event.created,date,core,,2016-05-23T08:05:34.857Z,Time when the event was first read by an agent or by your pipeline. +8.11.0,true,event,event.dataset,keyword,core,,apache.access,Name of the dataset. +8.11.0,true,event,event.duration,long,core,,,Duration of the event in nanoseconds. +8.11.0,true,event,event.end,date,extended,,,`event.end` contains the date when the event ended or when the activity was last observed. +8.11.0,true,event,event.hash,keyword,extended,,123456789012345678901234567890ABCD,Hash (perhaps logstash fingerprint) of raw field to be able to demonstrate log integrity. +8.11.0,true,event,event.id,keyword,core,,8a4f500d,Unique ID to describe the event. +8.11.0,true,event,event.ingested,date,core,,2016-05-23T08:05:35.101Z,Timestamp when an event arrived in the central data store. +8.11.0,true,event,event.kind,keyword,core,,alert,The kind of the event. The highest categorization field in the hierarchy. +8.11.0,true,event,event.module,keyword,core,,apache,Name of the module this data is coming from. +8.11.0,false,event,event.original,keyword,core,,Sep 19 08:26:10 host CEF:0|Security| threatmanager|1.0|100| worm successfully stopped|10|src=10.0.0.1 dst=2.1.2.2spt=1232,Raw text message of entire event. +8.11.0,true,event,event.outcome,keyword,core,,success,The outcome of the event. The lowest level categorization field in the hierarchy. 
+8.11.0,true,event,event.provider,keyword,extended,,kernel,Source of the event. +8.11.0,true,event,event.reason,keyword,extended,,Terminated an unexpected process,"Reason why this event happened, according to the source" +8.11.0,true,event,event.reference,keyword,extended,,https://system.example.com/event/#0001234,Event reference URL +8.11.0,true,event,event.risk_score,float,core,,,Risk score or priority of the event (e.g. security solutions). Use your system's original value here. +8.11.0,true,event,event.risk_score_norm,float,extended,,,Normalized risk score or priority of the event (0-100). +8.11.0,true,event,event.sequence,long,extended,,,Sequence number of the event. +8.11.0,true,event,event.severity,long,core,,7,Numeric severity of the event. +8.11.0,true,event,event.start,date,extended,,,`event.start` contains the date when the event started or when the activity was first observed. +8.11.0,true,event,event.timezone,keyword,extended,,,Event time zone. +8.11.0,true,event,event.type,keyword,core,array,,Event type. The third categorization field in the hierarchy. +8.11.0,true,event,event.url,keyword,extended,,https://mysystem.example.com/alert/5271dedb-f5b0-4218-87f0-4ac4870a38fe,Event investigation URL +8.11.0,true,faas,faas.coldstart,boolean,extended,,,Boolean value indicating a cold start of a function. +8.11.0,true,faas,faas.execution,keyword,extended,,af9d5aa4-a685-4c5f-a22b-444f80b3cc28,The execution ID of the current function execution. +8.11.0,true,faas,faas.id,keyword,extended,,arn:aws:lambda:us-west-2:123456789012:function:my-function,The unique identifier of a serverless function. +8.11.0,true,faas,faas.name,keyword,extended,,my-function,The name of a serverless function. +8.11.0,true,faas,faas.trigger.request_id,keyword,extended,,123456789,"The ID of the trigger request , message, event, etc." +8.11.0,true,faas,faas.trigger.type,keyword,extended,,http,The trigger for the function execution. 
+8.11.0,true,faas,faas.version,keyword,extended,,123,The version of a serverless function. +8.11.0,true,file,file.accessed,date,extended,,,Last time the file was accessed. +8.11.0,true,file,file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.11.0,true,file,file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.11.0,true,file,file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.11.0,true,file,file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.11.0,true,file,file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.11.0,true,file,file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.11.0,true,file,file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.11.0,true,file,file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.11.0,true,file,file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.11.0,true,file,file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.11.0,true,file,file.created,date,extended,,,File creation time. +8.11.0,true,file,file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.11.0,true,file,file.device,keyword,extended,,sda,Device that is the source of the file. +8.11.0,true,file,file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.11.0,true,file,file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.11.0,true,file,file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+8.11.0,true,file,file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.11.0,true,file,file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.11.0,true,file,file.elf.creation_date,date,extended,,,Build or compile date. +8.11.0,true,file,file.elf.exports,flat_object,extended,array,,List of exported element names and types. +8.11.0,true,file,file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.11.0,true,file,file.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,file,file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,file,file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.11.0,true,file,file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.11.0,true,file,file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.11.0,true,file,file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.11.0,true,file,file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.11.0,true,file,file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.11.0,true,file,file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.11.0,true,file,file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.11.0,true,file,file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+8.11.0,true,file,file.elf.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,file,file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,file,file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,file,file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.11.0,true,file,file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.11.0,true,file,file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,file,file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.11.0,true,file,file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.11.0,true,file,file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.11.0,true,file,file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.11.0,true,file,file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.11.0,true,file,file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,file,file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.11.0,true,file,file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.11.0,true,file,file.elf.segments,nested,extended,array,,ELF object segment list. +8.11.0,true,file,file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.11.0,true,file,file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.11.0,true,file,file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.11.0,true,file,file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. 
+8.11.0,true,file,file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.11.0,true,file,file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.11.0,true,file,file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.11.0,true,file,file.group,keyword,extended,,alice,Primary group name of the file. +8.11.0,true,file,file.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,file,file.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,file,file.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,file,file.hash.sha384,keyword,extended,,,SHA384 hash. +8.11.0,true,file,file.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,file,file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,file,file.hash.tlsh,keyword,extended,,,TLSH hash. +8.11.0,true,file,file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.11.0,true,file,file.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.11.0,true,file,file.macho.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,file,file.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,file,file.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.11.0,true,file,file.macho.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,file,file.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. 
+8.11.0,true,file,file.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,file,file.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.11.0,true,file,file.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,file,file.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.11.0,true,file,file.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.11.0,true,file,file.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,file,file.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,file,file.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.11.0,true,file,file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.11.0,true,file,file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.11.0,true,file,file.mtime,date,extended,,,Last time the file content was modified. +8.11.0,true,file,file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.11.0,true,file,file.owner,keyword,extended,,alice,File owner's username. +8.11.0,true,file,file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,file,file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,file,file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.11.0,true,file,file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." 
+8.11.0,true,file,file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.11.0,true,file,file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.11.0,true,file,file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.11.0,true,file,file.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,file,file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,file,file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,file,file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.11.0,true,file,file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,file,file.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,file,file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,file,file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,file,file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,file,file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,file,file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." 
+8.11.0,true,file,file.pe.sections,nested,extended,array,,Section information of the PE file. +8.11.0,true,file,file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,file,file.pe.sections.name,keyword,extended,,,PE Section List name. +8.11.0,true,file,file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.11.0,true,file,file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,file,file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,file,file.size,long,extended,,16384,File size in bytes. +8.11.0,true,file,file.target_path,keyword,extended,,,Target path for symlinks. +8.11.0,true,file,file.target_path.text,keyword,extended,,,Target path for symlinks. +8.11.0,true,file,file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.11.0,true,file,file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.11.0,true,file,file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,file,file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,file,file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,file,file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.11.0,true,file,file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,file,file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. 
+8.11.0,true,file,file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,file,file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,file,file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,file,file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,file,file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,file,file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,file,file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.11.0,true,file,file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,file,file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,file,file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,file,file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.11.0,true,file,file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,file,file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. 
+8.11.0,true,file,file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,file,file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,file,file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,file,file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,file,file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,group,group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,group,group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,group,group.name,keyword,extended,,,Name of the group. +8.11.0,true,host,host.architecture,keyword,core,,x86_64,Operating system architecture. +8.11.0,true,host,host.boot.id,keyword,extended,,88a1f0ed-5ae5-41ee-af6b-41921c311872,Linux boot uuid taken from /proc/sys/kernel/random/boot_id +8.11.0,true,host,host.cpu,object,custom,,"""name"": ""Intel(R) Core(TM) i7-7700HQ CPU"", ""cores"": 4, ""speed"": 2800",CPU-related data. +8.11.0,true,host,host.cpu.cores,long,custom,,4,Number of CPU cores. +8.11.0,true,host,host.cpu.name,keyword,custom,,Intel(R) Core(TM) i7-7700HQ CPU,CPU Model name. +8.11.0,true,host,host.cpu.speed,long,custom,,2800,CPU clock speed. +8.11.0,true,host,host.cpu.usage,scaled_float,extended,,,"Percent CPU used, between 0 and 1." +8.11.0,true,host,host.disk.read.bytes,long,extended,,,The number of bytes read by all disks. +8.11.0,true,host,host.disk.write.bytes,long,extended,,,The number of bytes written on all disks. +8.11.0,true,host,host.domain,keyword,extended,,CONTOSO,Name of the directory the group is a member of. +8.11.0,true,host,host.geo.city_name,keyword,core,,Montreal,City name. +8.11.0,true,host,host.geo.continent_code,keyword,core,,NA,Continent code. 
+8.11.0,true,host,host.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,host,host.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,host,host.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,host,host.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.11.0,true,host,host.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,host,host.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,host,host.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,host,host.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,host,host.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,host,host.hostname,keyword,core,,,Hostname of the host. +8.11.0,true,host,host.id,keyword,core,,,Unique host id. +8.11.0,true,host,host.ip,ip,core,array,,Host ip addresses. +8.11.0,true,host,host.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",Host MAC addresses. +8.11.0,true,host,host.memory,object,custom,,"""total"": 100000, ""free"": 90000, ""used"": {""percentage"": 10}",Memory-related data. +8.11.0,true,host,host.memory.free,long,custom,,1024,Free memory in MB. +8.11.0,true,host,host.memory.total,long,custom,,1024,Total memory in MB. +8.11.0,true,host,host.memory.used,object,custom,,"""percentage"": 10",Used memory-related data. +8.11.0,true,host,host.memory.used.percentage,long,custom,,10,Used memory percentage. +8.11.0,true,host,host.name,keyword,core,,,Name of the host. +8.11.0,true,host,host.network.egress.bytes,long,extended,,,The number of bytes sent on all network interfaces. +8.11.0,true,host,host.network.egress.drops,long,custom,,10,Number of dropped transmitted packets. +8.11.0,true,host,host.network.egress.errors,long,custom,,10,Number of transmission errors. 
+8.11.0,true,host,host.network.egress.packets,long,extended,,,The number of packets sent on all network interfaces. +8.11.0,true,host,host.network.egress.queue,long,custom,,10,Transmit queue length. +8.11.0,true,host,host.network.ingress.bytes,long,extended,,,The number of bytes received on all network interfaces. +8.11.0,true,host,host.network.ingress.drops,long,custom,,10,Number of dropped received packets. +8.11.0,true,host,host.network.ingress.errors,long,custom,,10,Number of reception errors. +8.11.0,true,host,host.network.ingress.packets,long,extended,,,The number of packets received on all network interfaces. +8.11.0,true,host,host.network.ingress.queue,long,custom,,10,Receive queue length. +8.11.0,true,host,host.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.11.0,true,host,host.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,host,host.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,host,host.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.11.0,true,host,host.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,host,host.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,host,host.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.11.0,true,host,host.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.11.0,true,host,host.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. 
+8.11.0,true,host,host.pid_ns_ino,keyword,extended,,256383,Pid namespace inode +8.11.0,true,host,host.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.11.0,true,host,host.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.11.0,true,host,host.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.11.0,true,host,host.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.11.0,true,host,host.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." +8.11.0,true,host,host.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.11.0,true,host,host.type,keyword,core,,,Type of host. +8.11.0,true,host,host.uptime,long,extended,,1325,Seconds the host has been up. +8.11.0,true,http,http.request.body.bytes,long,extended,,887,Size in bytes of the request body. +8.11.0,true,http,http.request.body.content,keyword,extended,,Hello world,The full HTTP request body. +8.11.0,true,http,http.request.body.content.text,keyword,extended,,Hello world,The full HTTP request body. +8.11.0,true,http,http.request.bytes,long,extended,,1437,Total size in bytes of the request (body and headers). +8.11.0,true,http,http.request.id,keyword,extended,,123e4567-e89b-12d3-a456-426614174000,HTTP request ID. +8.11.0,true,http,http.request.method,keyword,extended,,POST,HTTP request method. +8.11.0,true,http,http.request.mime_type,keyword,extended,,image/gif,Mime type of the body of the request. 
+8.11.0,true,http,http.request.referrer,keyword,extended,,https://blog.example.com/,Referrer for this HTTP request. +8.11.0,true,http,http.response.body.bytes,long,extended,,887,Size in bytes of the response body. +8.11.0,true,http,http.response.body.content,keyword,extended,,Hello world,The full HTTP response body. +8.11.0,true,http,http.response.body.content.text,keyword,extended,,Hello world,The full HTTP response body. +8.11.0,true,http,http.response.bytes,long,extended,,1437,Total size in bytes of the response (body and headers). +8.11.0,true,http,http.response.mime_type,keyword,extended,,image/gif,Mime type of the body of the response. +8.11.0,true,http,http.response.status_code,long,extended,,404,HTTP response status code. +8.11.0,true,http,http.version,keyword,extended,,1.1,HTTP version. +8.11.0,true,interface,interface.alias,keyword,extended,,outside,Interface alias +8.11.0,true,interface,interface.id,keyword,extended,,10,Interface ID +8.11.0,true,interface,interface.mtu,long,custom,,1500,Maximum transmission unit size. +8.11.0,true,interface,interface.name,keyword,extended,,eth0,Interface name +8.11.0,true,interface,interface.state,keyword,custom,,up,State of the network interface. +8.11.0,true,interface,interface.type,keyword,custom,,ethernet,Interface type. +8.11.0,true,log,log.file.path,keyword,extended,,/var/log/fun-times.log,Full path to the log file this event came from. +8.11.0,true,log,log.level,keyword,core,,error,Log level of the log event. +8.11.0,true,log,log.logger,keyword,core,,org.elasticsearch.bootstrap.Bootstrap,Name of the logger. +8.11.0,true,log,log.origin.file.line,long,extended,,42,The line number of the file which originated the log event. +8.11.0,true,log,log.origin.file.name,keyword,extended,,Bootstrap.java,The code file which originated the log event. +8.11.0,true,log,log.origin.function,keyword,extended,,init,The function which originated the log event. 
+8.11.0,true,log,log.syslog,object,extended,,,Syslog metadata +8.11.0,true,log,log.syslog.appname,keyword,extended,,sshd,The device or application that originated the Syslog message. +8.11.0,true,log,log.syslog.facility.code,long,extended,,23,Syslog numeric facility of the event. +8.11.0,true,log,log.syslog.facility.name,keyword,extended,,local7,Syslog text-based facility of the event. +8.11.0,true,log,log.syslog.hostname,keyword,extended,,example-host,The host that originated the Syslog message. +8.11.0,true,log,log.syslog.msgid,keyword,extended,,ID47,An identifier for the type of Syslog message. +8.11.0,true,log,log.syslog.priority,long,extended,,135,Syslog priority of the event. +8.11.0,true,log,log.syslog.procid,keyword,extended,,12345,The process name or ID that originated the Syslog message. +8.11.0,true,log,log.syslog.severity.code,long,extended,,3,Syslog numeric severity of the event. +8.11.0,true,log,log.syslog.severity.name,keyword,extended,,Error,Syslog text-based severity of the event. +8.11.0,true,log,log.syslog.structured_data,flat_object,extended,,,Structured data expressed in RFC 5424 messages. +8.11.0,true,log,log.syslog.version,keyword,extended,,1,Syslog protocol version. +8.11.0,true,network,network.application,keyword,extended,,aim,Application level protocol name. +8.11.0,true,network,network.broadcast,ip,custom,,192.168.0.255,Broadcast address. +8.11.0,true,network,network.bytes,long,core,,368,Total bytes transferred in both directions. +8.11.0,true,network,network.community_id,keyword,extended,,1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=,A hash of source and destination IPs and ports. +8.11.0,true,network,network.dhcp,keyword,custom,,enabled,"DHCP status (enabled, disabled, unknown, BOOTP)." +8.11.0,true,network,network.direction,keyword,core,,inbound,Direction of the network traffic. +8.11.0,true,network,network.forwarded_ip,ip,core,,192.1.1.2,Host IP address when the source IP address is the proxy. 
+8.11.0,true,network,network.gateway,ip,custom,,192.168.0.1,Gateway address. +8.11.0,true,network,network.iana_number,keyword,extended,,6,IANA Protocol Number. +8.11.0,true,network,network.inner,object,extended,,,Inner VLAN tag information +8.11.0,true,network,network.inner.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.11.0,true,network,network.inner.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.11.0,true,network,network.metric,long,custom,,15,Metric of the network protocol. +8.11.0,true,network,network.name,keyword,extended,,Guest Wifi,Name given by operators to sections of their network. +8.11.0,true,network,network.netmask,ip,custom,,255.255.255.0,Network mask +8.11.0,true,network,network.packets,long,core,,24,Total packets transferred in both directions. +8.11.0,true,network,network.protocol,keyword,core,,http,Application protocol name. +8.11.0,true,network,network.transport,keyword,core,,tcp,Protocol Name corresponding to the field `iana_number`. +8.11.0,true,network,network.type,keyword,core,,ipv4,"In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc" +8.11.0,true,network,network.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.11.0,true,network,network.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.11.0,true,observer,observer.egress,object,extended,,,Object field for egress information +8.11.0,true,observer,observer.egress.interface.alias,keyword,extended,,outside,Interface alias +8.11.0,true,observer,observer.egress.interface.id,keyword,extended,,10,Interface ID +8.11.0,true,observer,observer.egress.interface.mtu,long,custom,,1500,Maximum transmission unit size. 
+8.11.0,true,observer,observer.egress.interface.name,keyword,extended,,eth0,Interface name +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.mtu,long,custom,,1500,Maximum transmission unit size. +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.state,keyword,custom,,up,State of the network interface. +8.11.0,true,observer,observer.egress.interface.observer.ingress.interface.type,keyword,custom,,ethernet,Interface type. +8.11.0,true,observer,observer.egress.interface.state,keyword,custom,,up,State of the network interface. +8.11.0,true,observer,observer.egress.interface.type,keyword,custom,,ethernet,Interface type. +8.11.0,true,observer,observer.egress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.11.0,true,observer,observer.egress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.11.0,true,observer,observer.egress.zone,keyword,extended,,Public_Internet,Observer Egress zone +8.11.0,true,observer,observer.geo.city_name,keyword,core,,Montreal,City name. +8.11.0,true,observer,observer.geo.continent_code,keyword,core,,NA,Continent code. +8.11.0,true,observer,observer.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,observer,observer.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,observer,observer.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,observer,observer.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.11.0,true,observer,observer.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,observer,observer.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,observer,observer.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,observer,observer.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,observer,observer.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,observer,observer.hostname,keyword,core,,,Hostname of the observer. +8.11.0,true,observer,observer.ingress,object,extended,,,Object field for ingress information +8.11.0,true,observer,observer.ingress.interface.alias,keyword,extended,,outside,Interface alias +8.11.0,true,observer,observer.ingress.interface.id,keyword,extended,,10,Interface ID +8.11.0,true,observer,observer.ingress.interface.mtu,long,custom,,1500,Maximum transmission unit size. +8.11.0,true,observer,observer.ingress.interface.name,keyword,extended,,eth0,Interface name +8.11.0,true,observer,observer.ingress.interface.state,keyword,custom,,up,State of the network interface. +8.11.0,true,observer,observer.ingress.interface.type,keyword,custom,,ethernet,Interface type. +8.11.0,true,observer,observer.ingress.vlan.id,keyword,extended,,10,VLAN ID as reported by the observer. +8.11.0,true,observer,observer.ingress.vlan.name,keyword,extended,,outside,Optional VLAN name as reported by the observer. +8.11.0,true,observer,observer.ingress.zone,keyword,extended,,DMZ,Observer ingress zone +8.11.0,true,observer,observer.ip,ip,core,array,,IP addresses of the observer. +8.11.0,true,observer,observer.mac,keyword,core,array,"[""00-00-5E-00-53-23"", ""00-00-5E-00-53-24""]",MAC addresses of the observer. +8.11.0,true,observer,observer.name,keyword,extended,,1_proxySG,Custom name of the observer. +8.11.0,true,observer,observer.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." 
+8.11.0,true,observer,observer.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,observer,observer.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,observer,observer.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.11.0,true,observer,observer.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,observer,observer.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,observer,observer.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.11.0,true,observer,observer.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.11.0,true,observer,observer.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.11.0,true,observer,observer.product,keyword,extended,,s200,The product name of the observer. +8.11.0,true,observer,observer.serial_number,keyword,extended,,,Observer serial number. +8.11.0,true,observer,observer.type,keyword,core,,firewall,The type of the observer the data is coming from. +8.11.0,true,observer,observer.vendor,keyword,core,,Symantec,Vendor name of the observer. +8.11.0,true,observer,observer.version,keyword,core,,,Observer version. +8.11.0,true,orchestrator,orchestrator.api_version,keyword,extended,,v1beta1,API version being used to carry out the action +8.11.0,true,orchestrator,orchestrator.cluster.id,keyword,extended,,,Unique ID of the cluster. +8.11.0,true,orchestrator,orchestrator.cluster.name,keyword,extended,,,Name of the cluster. +8.11.0,true,orchestrator,orchestrator.cluster.url,keyword,extended,,,URL of the API used to manage the cluster. +8.11.0,true,orchestrator,orchestrator.cluster.version,keyword,extended,,,The version of the cluster. 
+8.11.0,true,orchestrator,orchestrator.namespace,keyword,extended,,kube-system,Namespace in which the action is taking place. +8.11.0,true,orchestrator,orchestrator.organization,keyword,extended,,elastic,Organization affected by the event (for multi-tenant orchestrator setups). +8.11.0,true,orchestrator,orchestrator.resource.annotation,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of annotations added to the resource. +8.11.0,true,orchestrator,orchestrator.resource.id,keyword,extended,,,Unique ID of the resource being acted upon. +8.11.0,true,orchestrator,orchestrator.resource.ip,ip,extended,array,,IP address assigned to the resource associated with the event being observed. +8.11.0,true,orchestrator,orchestrator.resource.label,keyword,extended,array,"['key1:value1', 'key2:value2', 'key3:value3']",The list of labels added to the resource. +8.11.0,true,orchestrator,orchestrator.resource.name,keyword,extended,,test-pod-cdcws,Name of the resource being acted upon. +8.11.0,true,orchestrator,orchestrator.resource.parent.type,keyword,extended,,DaemonSet,Type or kind of the parent resource associated with the event being observed. +8.11.0,true,orchestrator,orchestrator.resource.type,keyword,extended,,service,Type of resource being acted upon. +8.11.0,true,orchestrator,orchestrator.type,keyword,extended,,kubernetes,"Orchestrator cluster type (e.g. kubernetes, nomad or cloudfoundry)." +8.11.0,true,organization,organization.id,keyword,extended,,,Unique identifier for the organization. +8.11.0,true,organization,organization.name,keyword,extended,,,Organization name. +8.11.0,true,organization,organization.name.text,keyword,extended,,,Organization name. +8.11.0,true,package,package.architecture,keyword,extended,,x86_64,Package architecture. 
+8.11.0,true,package,package.build_version,keyword,extended,,36f4f7e89dd61b0988b12ee000b98966867710cd,Build version information +8.11.0,true,package,package.checksum,keyword,extended,,68b329da9893e34099c7d8ad5cb9c940,Checksum of the installed package for verification. +8.11.0,true,package,package.description,keyword,extended,,Open source programming language to build simple/reliable/efficient software.,Description of the package. +8.11.0,true,package,package.install_scope,keyword,extended,,global,"Indicating how the package was installed, e.g. user-local, global." +8.11.0,true,package,package.installed,date,extended,,,Time when package was installed. +8.11.0,true,package,package.license,keyword,extended,,Apache License 2.0,Package license +8.11.0,true,package,package.name,keyword,extended,,go,Package name +8.11.0,true,package,package.path,keyword,extended,,/usr/local/Cellar/go/1.12.9/,Path where the package is installed. +8.11.0,true,package,package.reference,keyword,extended,,https://golang.org,Package home page or reference URL +8.11.0,true,package,package.size,long,extended,,62231,Package size in bytes. +8.11.0,true,package,package.type,keyword,extended,,rpm,Package type +8.11.0,true,package,package.version,keyword,extended,,1.12.9,Package version +8.11.0,true,policy,policy.description,keyword,custom,,"""The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise.""",Extended description of the policy. +8.11.0,true,policy,policy.file,keyword,custom,,cis_win11_enterprise.yml,The file name of the SCA policy. +8.11.0,true,policy,policy.id,keyword,custom,,cis_win11_enterprise_21H2,The ID of the SCA policy. +8.11.0,true,policy,policy.name,keyword,custom,,CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0,The name of the SCA policy. 
+8.11.0,true,policy,policy.references,keyword,custom,array,"[""https://www.cisecurity.org/cis-benchmarks/""]",References for the policy. +8.11.0,true,process,process.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.11.0,true,process,process.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.11.0,true,process,process.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.11.0,true,process,process.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.11.0,true,process,process.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.11.0,true,process,process.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.11.0,true,process,process.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.11.0,true,process,process.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.11.0,true,process,process.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.11.0,true,process,process.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.11.0,true,process,process.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. 
+8.11.0,true,process,process.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.11.0,true,process,process.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.11.0,true,process,process.elf.creation_date,date,extended,,,Build or compile date. +8.11.0,true,process,process.elf.exports,flat_object,extended,array,,List of exported element names and types. +8.11.0,true,process,process.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.11.0,true,process,process.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.11.0,true,process,process.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.11.0,true,process,process.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.11.0,true,process,process.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.11.0,true,process,process.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.11.0,true,process,process.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.11.0,true,process,process.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.11.0,true,process,process.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.11.0,true,process,process.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.11.0,true,process,process.elf.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.elf.sections,nested,extended,array,,Section information of the ELF file. +8.11.0,true,process,process.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.11.0,true,process,process.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.11.0,true,process,process.elf.sections.name,keyword,extended,,,ELF Section List name. +8.11.0,true,process,process.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.11.0,true,process,process.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.11.0,true,process,process.elf.sections.type,keyword,extended,,,ELF Section List type. +8.11.0,true,process,process.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.11.0,true,process,process.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.11.0,true,process,process.elf.segments,nested,extended,array,,ELF object segment list. +8.11.0,true,process,process.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.11.0,true,process,process.elf.segments.type,keyword,extended,,,ELF object segment type. 
+8.11.0,true,process,process.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.11.0,true,process,process.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.11.0,true,process,process.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.11.0,true,process,process.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.entry_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.11.0,true,process,process.entry_leader.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.entry_leader.attested_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.entry_leader.attested_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.entry_leader.attested_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.attested_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.entry_leader.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.entry_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.entry_leader.entry_meta.source.ip,ip,core,,,IP address of the source. +8.11.0,true,process,process.entry_leader.entry_meta.type,keyword,extended,,,The entry type for the entry session leader. +8.11.0,true,process,process.entry_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.11.0,true,process,process.entry_leader.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.entry_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.entry_leader.group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.entry_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.11.0,true,process,process.entry_leader.name,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.entry_leader.name.text,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.entry_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.entry_leader.parent.pid,long,core,,4242,Process id. +8.11.0,true,process,process.entry_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.entry_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.entry_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.entry_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.entry_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.entry_leader.parent.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.entry_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.entry_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.entry_leader.real_group.name,keyword,extended,,,Name of the group. 
+8.11.0,true,process,process.entry_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.entry_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.11.0,true,process,process.entry_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.entry_leader.saved_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.entry_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.entry_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.entry_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.entry_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.entry_leader.tty,object,extended,,,Information about the controlling TTY device. +8.11.0,true,process,process.entry_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.11.0,true,process,process.entry_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. 
+8.11.0,true,process,process.entry_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.entry_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.entry_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.entry_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.entry_leader.working_directory.text,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.env_vars,keyword,extended,array,"[""PATH=/usr/local/bin:/usr/bin"", ""USER=ubuntu""]",Array of environment variable bindings. +8.11.0,true,process,process.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.exit_code,long,extended,,137,The exit code of the process. +8.11.0,true,process,process.group_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.11.0,true,process,process.group_leader.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.group_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.group_leader.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.group_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. 
+8.11.0,true,process,process.group_leader.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.group_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.group_leader.group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.group_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.11.0,true,process,process.group_leader.name,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.group_leader.name.text,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.group_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.group_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.group_leader.real_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.group_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.group_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.11.0,true,process,process.group_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.group_leader.saved_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.group_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.11.0,true,process,process.group_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.group_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.group_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.group_leader.tty,object,extended,,,Information about the controlling TTY device. +8.11.0,true,process,process.group_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.11.0,true,process,process.group_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.11.0,true,process,process.group_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.group_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.group_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.group_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.group_leader.working_directory.text,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,process,process.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,process,process.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,process,process.hash.sha384,keyword,extended,,,SHA384 hash. 
+8.11.0,true,process,process.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,process,process.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,process,process.hash.tlsh,keyword,extended,,,TLSH hash. +8.11.0,true,process,process.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.11.0,true,process,process.io,object,extended,,,A chunk of input or output (IO) from a single process. +8.11.0,true,process,process.io.bytes_skipped,object,extended,array,,An array of byte offsets and lengths denoting where IO data has been skipped. +8.11.0,true,process,process.io.bytes_skipped.length,long,extended,,,The length of bytes skipped. +8.11.0,true,process,process.io.bytes_skipped.offset,long,extended,,,The byte offset into this event's io.text (or io.bytes in the future) where length bytes were skipped. +8.11.0,true,process,process.io.max_bytes_per_process_exceeded,boolean,extended,,,"If true, the process producing the output has exceeded the max_kilobytes_per_process configuration setting." +8.11.0,true,process,process.io.text,keyword,extended,,,A chunk of output or input sanitized to UTF-8. +8.11.0,true,process,process.io.total_bytes_captured,long,extended,,,The total number of bytes captured in this event. +8.11.0,true,process,process.io.total_bytes_skipped,long,extended,,,The total number of bytes that were not captured due to implementation restrictions such as buffer size limits. +8.11.0,true,process,process.io.type,keyword,extended,,,The type of object on which the IO action (read or write) was taken. +8.11.0,true,process,process.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.11.0,true,process,process.macho.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.11.0,true,process,process.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.11.0,true,process,process.macho.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.11.0,true,process,process.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.11.0,true,process,process.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. +8.11.0,true,process,process.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,process,process.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.11.0,true,process,process.name,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.name.text,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.parent.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. 
+8.11.0,true,process,process.parent.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.parent.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.11.0,true,process,process.parent.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.11.0,true,process,process.parent.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.11.0,true,process,process.parent.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.11.0,true,process,process.parent.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.11.0,true,process,process.parent.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.11.0,true,process,process.parent.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.11.0,true,process,process.parent.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.11.0,true,process,process.parent.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.11.0,true,process,process.parent.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.parent.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.parent.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.11.0,true,process,process.parent.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.11.0,true,process,process.parent.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. 
+8.11.0,true,process,process.parent.elf.creation_date,date,extended,,,Build or compile date. +8.11.0,true,process,process.parent.elf.exports,flat_object,extended,array,,List of exported element names and types. +8.11.0,true,process,process.parent.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.11.0,true,process,process.parent.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.parent.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.parent.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.11.0,true,process,process.parent.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.11.0,true,process,process.parent.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.11.0,true,process,process.parent.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.11.0,true,process,process.parent.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.11.0,true,process,process.parent.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.11.0,true,process,process.parent.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.11.0,true,process,process.parent.elf.header.version,keyword,extended,,,Version of the ELF header. +8.11.0,true,process,process.parent.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. 
+8.11.0,true,process,process.parent.elf.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.parent.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.elf.sections,nested,extended,array,,Section information of the ELF file. +8.11.0,true,process,process.parent.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.11.0,true,process,process.parent.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.11.0,true,process,process.parent.elf.sections.name,keyword,extended,,,ELF Section List name. +8.11.0,true,process,process.parent.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.11.0,true,process,process.parent.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.11.0,true,process,process.parent.elf.sections.type,keyword,extended,,,ELF Section List type. +8.11.0,true,process,process.parent.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.11.0,true,process,process.parent.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.11.0,true,process,process.parent.elf.segments,nested,extended,array,,ELF object segment list. +8.11.0,true,process,process.parent.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.11.0,true,process,process.parent.elf.segments.type,keyword,extended,,,ELF object segment type. 
+8.11.0,true,process,process.parent.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.11.0,true,process,process.parent.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.11.0,true,process,process.parent.end,date,extended,,2016-05-23T08:05:34.853Z,The time the process ended. +8.11.0,true,process,process.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.parent.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.parent.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.parent.exit_code,long,extended,,137,The exit code of the process. +8.11.0,true,process,process.parent.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.parent.group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.parent.group_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.parent.group_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.parent.group_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.parent.group_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.parent.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,process,process.parent.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,process,process.parent.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,process,process.parent.hash.sha384,keyword,extended,,,SHA384 hash. +8.11.0,true,process,process.parent.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,process,process.parent.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,process,process.parent.hash.tlsh,keyword,extended,,,TLSH hash. 
+8.11.0,true,process,process.parent.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.11.0,true,process,process.parent.macho.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a Mach-O file. +8.11.0,true,process,process.parent.macho.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.parent.macho.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.macho.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.macho.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.parent.macho.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a Mach-O file. +8.11.0,true,process,process.parent.macho.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.parent.macho.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.macho.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.macho.sections,nested,extended,array,,Section information of the Mach-O file. +8.11.0,true,process,process.parent.macho.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.macho.sections.name,keyword,extended,,,Mach-O Section List name. +8.11.0,true,process,process.parent.macho.sections.physical_size,long,extended,,,Mach-O Section List physical size. 
+8.11.0,true,process,process.parent.macho.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.macho.sections.virtual_size,long,extended,,,Mach-O Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,process,process.parent.macho.symhash,keyword,extended,,d3ccf195b62a9279c3c19af1080497ec,A hash of the imports in a Mach-O file. +8.11.0,true,process,process.parent.name,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.parent.name.text,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.parent.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.11.0,true,process,process.parent.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.11.0,true,process,process.parent.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.11.0,true,process,process.parent.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.11.0,true,process,process.parent.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.11.0,true,process,process.parent.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.parent.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.parent.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.parent.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. 
+8.11.0,true,process,process.parent.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,process,process.parent.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.parent.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.parent.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,process,process.parent.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,process,process.parent.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.11.0,true,process,process.parent.pe.sections,nested,extended,array,,Section information of the PE file. +8.11.0,true,process,process.parent.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.pe.sections.name,keyword,extended,,,PE Section List name. +8.11.0,true,process,process.parent.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.11.0,true,process,process.parent.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.parent.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,process,process.parent.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.11.0,true,process,process.parent.pid,long,core,,4242,Process id. 
+8.11.0,true,process,process.parent.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.parent.real_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.parent.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.parent.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.parent.saved_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.parent.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.parent.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.parent.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.parent.supplemental_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.parent.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.11.0,true,process,process.parent.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.11.0,true,process,process.parent.thread.id,long,extended,,4242,Thread ID. 
+8.11.0,true,process,process.parent.thread.name,keyword,extended,,thread-0,Thread name. +8.11.0,true,process,process.parent.title,keyword,extended,,,Process title. +8.11.0,true,process,process.parent.title.text,keyword,extended,,,Process title. +8.11.0,true,process,process.parent.tty,object,extended,,,Information about the controlling TTY device. +8.11.0,true,process,process.parent.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.11.0,true,process,process.parent.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.11.0,true,process,process.parent.uptime,long,extended,,1325,Seconds the process has been up. +8.11.0,true,process,process.parent.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.parent.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.parent.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.parent.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.parent.working_directory.text,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.11.0,true,process,process.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.11.0,true,process,process.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.11.0,true,process,process.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.11.0,true,process,process.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. 
+8.11.0,true,process,process.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,process,process.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,process,process.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,process,process.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.11.0,true,process,process.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,process,process.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,process,process.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,process,process.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,process,process.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,process,process.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.11.0,true,process,process.pe.sections,nested,extended,array,,Section information of the PE file. +8.11.0,true,process,process.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,process,process.pe.sections.name,keyword,extended,,,PE Section List name. 
+8.11.0,true,process,process.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.11.0,true,process,process.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,process,process.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,process,process.pgid,long,extended,,,Deprecated identifier of the group of processes the process belongs to. +8.11.0,true,process,process.pid,long,core,,4242,Process id. +8.11.0,true,process,process.previous.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.11.0,true,process,process.previous.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.previous.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.previous.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.real_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.saved_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.11.0,true,process,process.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.args,keyword,extended,array,"[""/usr/bin/ssh"", ""-l"", ""user"", ""10.0.0.16""]",Array of process arguments. +8.11.0,true,process,process.session_leader.args_count,long,extended,,4,Length of the process.args array. +8.11.0,true,process,process.session_leader.command_line,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.session_leader.command_line.text,keyword,extended,,/usr/bin/ssh -l user 10.0.0.16,Full command line that started the process. +8.11.0,true,process,process.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.session_leader.executable,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.session_leader.executable.text,keyword,extended,,/usr/bin/ssh,Absolute path to the process executable. +8.11.0,true,process,process.session_leader.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.session_leader.group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.session_leader.interactive,boolean,extended,,True,Whether the process is connected to an interactive shell. +8.11.0,true,process,process.session_leader.name,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.session_leader.name.text,keyword,extended,,ssh,Process name. +8.11.0,true,process,process.session_leader.parent.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.session_leader.parent.pid,long,core,,4242,Process id. 
+8.11.0,true,process,process.session_leader.parent.session_leader.entity_id,keyword,extended,,c2c455d9f99375d,Unique identifier for the process. +8.11.0,true,process,process.session_leader.parent.session_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.session_leader.parent.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.session_leader.parent.session_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.session_leader.parent.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.session_leader.parent.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.session_leader.pid,long,core,,4242,Process id. +8.11.0,true,process,process.session_leader.real_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.session_leader.real_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.session_leader.real_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.session_leader.real_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.real_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.same_as_process,boolean,extended,,True,This boolean is used to identify if a leader process is the same as the top level process. +8.11.0,true,process,process.session_leader.saved_group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.session_leader.saved_group.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.session_leader.saved_user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. 
+8.11.0,true,process,process.session_leader.saved_user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.saved_user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.session_leader.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,process,process.session_leader.supplemental_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.session_leader.tty,object,extended,,,Information about the controlling TTY device. +8.11.0,true,process,process.session_leader.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.11.0,true,process,process.session_leader.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.11.0,true,process,process.session_leader.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.session_leader.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.session_leader.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.session_leader.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.session_leader.working_directory.text,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.start,date,extended,,2016-05-23T08:05:34.853Z,The time the process started. +8.11.0,true,process,process.supplemental_groups.id,keyword,extended,,,Unique identifier for the group on the system/platform. 
+8.11.0,true,process,process.supplemental_groups.name,keyword,extended,,,Name of the group. +8.11.0,true,process,process.thread.capabilities.effective,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities used for permission checks. +8.11.0,true,process,process.thread.capabilities.permitted,keyword,extended,array,"[""CAP_BPF"", ""CAP_SYS_ADMIN""]",Array of capabilities a thread could assume. +8.11.0,true,process,process.thread.id,long,extended,,4242,Thread ID. +8.11.0,true,process,process.thread.name,keyword,extended,,thread-0,Thread name. +8.11.0,true,process,process.title,keyword,extended,,,Process title. +8.11.0,true,process,process.title.text,keyword,extended,,,Process title. +8.11.0,true,process,process.tty,object,extended,,,Information about the controlling TTY device. +8.11.0,true,process,process.tty.char_device.major,long,extended,,4,The TTY character device's major number. +8.11.0,true,process,process.tty.char_device.minor,long,extended,,1,The TTY character device's minor number. +8.11.0,true,process,process.tty.columns,long,extended,,80,The number of character columns per line. e.g terminal width +8.11.0,true,process,process.tty.rows,long,extended,,24,The number of character rows in the terminal. e.g terminal height +8.11.0,true,process,process.uptime,long,extended,,1325,Seconds the process has been up. +8.11.0,true,process,process.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,process,process.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,process,process.vpid,long,core,,4242,Virtual process id. +8.11.0,true,process,process.working_directory,keyword,extended,,/home/alice,The working directory of the process. +8.11.0,true,process,process.working_directory.text,keyword,extended,,/home/alice,The working directory of the process. 
+8.11.0,true,registry,registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.11.0,true,registry,registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.11.0,true,registry,registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.11.0,true,registry,registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.11.0,true,registry,registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.11.0,true,registry,registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.11.0,true,registry,registry.value,keyword,core,,Debugger,Name of the value written. +8.11.0,true,related,related.hash,keyword,extended,array,,All the hashes seen on your event. +8.11.0,true,related,related.hosts,keyword,extended,array,,All the host identifiers seen on your event. +8.11.0,true,related,related.ip,ip,extended,array,,All of the IPs seen on your event. +8.11.0,true,related,related.user,keyword,extended,array,,All the user names or other user identifiers seen on the event. 
+8.11.0,true,rule,rule.author,keyword,extended,array,"[""Star-Lord""]",Rule author +8.11.0,true,rule,rule.category,keyword,extended,,Attempted Information Leak,Rule category +8.11.0,true,rule,rule.description,keyword,extended,,Block requests to public DNS over HTTPS / TLS protocols,Rule description +8.11.0,true,rule,rule.id,keyword,extended,,101,Rule ID +8.11.0,true,rule,rule.license,keyword,extended,,Apache 2.0,Rule license +8.11.0,true,rule,rule.name,keyword,extended,,BLOCK_DNS_over_TLS,Rule name +8.11.0,true,rule,rule.reference,keyword,extended,,https://en.wikipedia.org/wiki/DNS_over_TLS,Rule reference URL +8.11.0,true,rule,rule.ruleset,keyword,extended,,Standard_Protocol_Filters,Rule ruleset +8.11.0,true,rule,rule.uuid,keyword,extended,,1100110011,Rule UUID +8.11.0,true,rule,rule.version,keyword,extended,,1.1,Rule version +8.11.0,true,server,server.address,keyword,extended,,,Server network address. +8.11.0,true,server,server.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.11.0,true,server,server.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.11.0,true,server,server.as.organization.name.text,keyword,extended,,Google LLC,Organization name. +8.11.0,true,server,server.bytes,long,core,,184,Bytes sent from the server to the client. +8.11.0,true,server,server.domain,keyword,core,,foo.example.com,The domain name of the server. +8.11.0,true,server,server.geo.city_name,keyword,core,,Montreal,City name. +8.11.0,true,server,server.geo.continent_code,keyword,core,,NA,Continent code. +8.11.0,true,server,server.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,server,server.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,server,server.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,server,server.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. 
+8.11.0,true,server,server.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,server,server.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,server,server.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,server,server.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,server,server.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,server,server.ip,ip,core,,,IP address of the server. +8.11.0,true,server,server.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the server. +8.11.0,true,server,server.nat.ip,ip,extended,,,Server NAT ip +8.11.0,true,server,server.nat.port,long,extended,,,Server NAT port +8.11.0,true,server,server.packets,long,core,,12,Packets sent from the server to the client. +8.11.0,true,server,server.port,long,core,,,Port of the server. +8.11.0,true,server,server.registered_domain,keyword,extended,,example.com,"The highest registered server domain, stripped of the subdomain." +8.11.0,true,server,server.subdomain,keyword,extended,,east,The subdomain of the domain. +8.11.0,true,server,server.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.11.0,true,server,server.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,server,server.user.email,keyword,extended,,,User email address. +8.11.0,true,server,server.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,server,server.user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,server,server.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,server,server.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,server,server.user.group.name,keyword,extended,,,Name of the group. 
+8.11.0,true,server,server.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,server,server.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,server,server.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,server,server.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,server,server.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.11.0,true,service,service.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.11.0,true,service,service.environment,keyword,extended,,production,Environment of the service. +8.11.0,true,service,service.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.11.0,true,service,service.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.11.0,true,service,service.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.11.0,true,service,service.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.11.0,true,service,service.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.11.0,true,service,service.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.11.0,true,service,service.origin.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.11.0,true,service,service.origin.environment,keyword,extended,,production,Environment of the service. +8.11.0,true,service,service.origin.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.11.0,true,service,service.origin.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. 
+8.11.0,true,service,service.origin.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.11.0,true,service,service.origin.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.11.0,true,service,service.origin.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.11.0,true,service,service.origin.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.11.0,true,service,service.origin.state,keyword,core,,,Current state of the service. +8.11.0,true,service,service.origin.type,keyword,core,,elasticsearch,The type of the service. +8.11.0,true,service,service.origin.version,keyword,core,,3.2.4,Version of the service. +8.11.0,true,service,service.state,keyword,core,,,Current state of the service. +8.11.0,true,service,service.target.address,keyword,extended,,172.26.0.2:5432,Address of this service. +8.11.0,true,service,service.target.environment,keyword,extended,,production,Environment of the service. +8.11.0,true,service,service.target.ephemeral_id,keyword,extended,,8a4f500f,Ephemeral identifier of this service. +8.11.0,true,service,service.target.id,keyword,core,,d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6,Unique identifier of the running service. +8.11.0,true,service,service.target.name,keyword,core,,elasticsearch-metrics,Name of the service. +8.11.0,true,service,service.target.node.name,keyword,extended,,instance-0000000016,Name of the service node. +8.11.0,true,service,service.target.node.role,keyword,extended,,background_tasks,Deprecated role (singular) of the service node. +8.11.0,true,service,service.target.node.roles,keyword,extended,array,"[""ui"", ""background_tasks""]",Roles of the service node. +8.11.0,true,service,service.target.state,keyword,core,,,Current state of the service. +8.11.0,true,service,service.target.type,keyword,core,,elasticsearch,The type of the service. 
+8.11.0,true,service,service.target.version,keyword,core,,3.2.4,Version of the service. +8.11.0,true,service,service.type,keyword,core,,elasticsearch,The type of the service. +8.11.0,true,service,service.version,keyword,core,,3.2.4,Version of the service. +8.11.0,true,source,source.address,keyword,extended,,,Source network address. +8.11.0,true,source,source.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.11.0,true,source,source.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.11.0,true,source,source.as.organization.name.text,keyword,extended,,Google LLC,Organization name. +8.11.0,true,source,source.bytes,long,core,,184,Bytes sent from the source to the destination. +8.11.0,true,source,source.domain,keyword,core,,foo.example.com,The domain name of the source. +8.11.0,true,source,source.geo.city_name,keyword,core,,Montreal,City name. +8.11.0,true,source,source.geo.continent_code,keyword,core,,NA,Continent code. +8.11.0,true,source,source.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,source,source.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,source,source.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,source,source.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.11.0,true,source,source.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,source,source.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,source,source.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,source,source.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,source,source.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,source,source.ip,ip,core,,,IP address of the source. +8.11.0,true,source,source.mac,keyword,core,,00-00-5E-00-53-23,MAC address of the source. 
+8.11.0,true,source,source.nat.ip,ip,extended,,,Source NAT ip +8.11.0,true,source,source.nat.port,long,extended,,,Source NAT port +8.11.0,true,source,source.packets,long,core,,12,Packets sent from the source to the destination. +8.11.0,true,source,source.port,long,core,,,Port of the source. +8.11.0,true,source,source.registered_domain,keyword,extended,,example.com,"The highest registered source domain, stripped of the subdomain." +8.11.0,true,source,source.subdomain,keyword,extended,,east,The subdomain of the domain. +8.11.0,true,source,source.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.11.0,true,source,source.user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,source,source.user.email,keyword,extended,,,User email address. +8.11.0,true,source,source.user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,source,source.user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,source,source.user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,source,source.user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,source,source.user.group.name,keyword,extended,,,Name of the group. +8.11.0,true,source,source.user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,source,source.user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,source,source.user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,source,source.user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. 
+8.11.0,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace. +8.11.0,true,threat,threat.enrichments,nested,extended,array,,List of objects containing indicators enriching the event. +8.11.0,true,threat,threat.enrichments.indicator,object,extended,,,Object containing indicators enriching the event. +8.11.0,true,threat,threat.enrichments.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.11.0,true,threat,threat.enrichments.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.11.0,true,threat,threat.enrichments.indicator.as.organization.name.text,keyword,extended,,Google LLC,Organization name. +8.11.0,true,threat,threat.enrichments.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.11.0,true,threat,threat.enrichments.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.11.0,true,threat,threat.enrichments.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.11.0,true,threat,threat.enrichments.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.11.0,true,threat,threat.enrichments.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. 
+8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.11.0,true,threat,threat.enrichments.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.11.0,true,threat,threat.enrichments.indicator.file.created,date,extended,,,File creation time. +8.11.0,true,threat,threat.enrichments.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.11.0,true,threat,threat.enrichments.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.11.0,true,threat,threat.enrichments.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.11.0,true,threat,threat.enrichments.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.creation_date,date,extended,,,Build or compile date. 
+8.11.0,true,threat,threat.enrichments.indicator.file.elf.exports,flat_object,extended,array,,List of exported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. 
+8.11.0,true,threat,threat.enrichments.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. 
+8.11.0,true,threat,threat.enrichments.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.11.0,true,threat,threat.enrichments.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.11.0,true,threat,threat.enrichments.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.11.0,true,threat,threat.enrichments.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. +8.11.0,true,threat,threat.enrichments.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.11.0,true,threat,threat.enrichments.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,threat,threat.enrichments.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. 
+8.11.0,true,threat,threat.enrichments.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.11.0,true,threat,threat.enrichments.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.11.0,true,threat,threat.enrichments.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.11.0,true,threat,threat.enrichments.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.11.0,true,threat,threat.enrichments.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.11.0,true,threat,threat.enrichments.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.11.0,true,threat,threat.enrichments.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,threat,threat.enrichments.indicator.file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,threat,threat.enrichments.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.11.0,true,threat,threat.enrichments.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.11.0,true,threat,threat.enrichments.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. 
+8.11.0,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,threat,threat.enrichments.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. 
+8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,threat,threat.enrichments.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,threat,threat.enrichments.indicator.file.size,long,extended,,16384,File size in bytes. +8.11.0,true,threat,threat.enrichments.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.11.0,true,threat,threat.enrichments.indicator.file.target_path.text,keyword,extended,,,Target path for symlinks. +8.11.0,true,threat,threat.enrichments.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.11.0,true,threat,threat.enrichments.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. 
+8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.enrichments.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,threat,threat.enrichments.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.11.0,true,threat,threat.enrichments.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,threat,threat.enrichments.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.enrichments.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,threat,threat.enrichments.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.11.0,true,threat,threat.enrichments.indicator.geo.city_name,keyword,core,,Montreal,City name. 
+8.11.0,true,threat,threat.enrichments.indicator.geo.continent_code,keyword,core,,NA,Continent code. +8.11.0,true,threat,threat.enrichments.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,threat,threat.enrichments.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,threat,threat.enrichments.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,threat,threat.enrichments.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.11.0,true,threat,threat.enrichments.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,threat,threat.enrichments.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,threat,threat.enrichments.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,threat,threat.enrichments.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,threat,threat.enrichments.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,threat,threat.enrichments.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.11.0,true,threat,threat.enrichments.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.11.0,true,threat,threat.enrichments.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.11.0,true,threat,threat.enrichments.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.11.0,true,threat,threat.enrichments.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. 
+8.11.0,true,threat,threat.enrichments.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.11.0,true,threat,threat.enrichments.indicator.port,long,extended,,443,Indicator port +8.11.0,true,threat,threat.enrichments.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.11.0,true,threat,threat.enrichments.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.11.0,true,threat,threat.enrichments.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. +8.11.0,true,threat,threat.enrichments.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.11.0,true,threat,threat.enrichments.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.11.0,true,threat,threat.enrichments.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.11.0,true,threat,threat.enrichments.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.11.0,true,threat,threat.enrichments.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.11.0,true,threat,threat.enrichments.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.11.0,true,threat,threat.enrichments.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.11.0,true,threat,threat.enrichments.indicator.sightings,long,extended,,20,Number of times indicator observed +8.11.0,true,threat,threat.enrichments.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.11.0,true,threat,threat.enrichments.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. 
+8.11.0,true,threat,threat.enrichments.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.11.0,true,threat,threat.enrichments.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.11.0,true,threat,threat.enrichments.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.11.0,true,threat,threat.enrichments.indicator.url.full.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.11.0,true,threat,threat.enrichments.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.11.0,true,threat,threat.enrichments.indicator.url.original.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.11.0,true,threat,threat.enrichments.indicator.url.password,keyword,extended,,,Password of the request. +8.11.0,true,threat,threat.enrichments.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +8.11.0,true,threat,threat.enrichments.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.11.0,true,threat,threat.enrichments.indicator.url.query,keyword,extended,,,Query string of the request. +8.11.0,true,threat,threat.enrichments.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.11.0,true,threat,threat.enrichments.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.11.0,true,threat,threat.enrichments.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.11.0,true,threat,threat.enrichments.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." 
+8.11.0,true,threat,threat.enrichments.indicator.url.username,keyword,extended,,,Username of the request. +8.11.0,true,threat,threat.enrichments.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.enrichments.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,threat,threat.enrichments.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,threat,threat.enrichments.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. 
+8.11.0,true,threat,threat.enrichments.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,threat,threat.enrichments.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.11.0,true,threat,threat.enrichments.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,threat,threat.enrichments.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,threat,threat.enrichments.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,threat,threat.enrichments.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. 
+8.11.0,true,threat,threat.enrichments.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.enrichments.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,threat,threat.enrichments.matched.atomic,keyword,extended,,bad-domain.com,Matched indicator value +8.11.0,true,threat,threat.enrichments.matched.field,keyword,extended,,file.hash.sha256,Matched indicator field +8.11.0,true,threat,threat.enrichments.matched.id,keyword,extended,,ff93aee5-86a1-4a61-b0e6-0cdc313d01b5,Matched indicator identifier +8.11.0,true,threat,threat.enrichments.matched.index,keyword,extended,,filebeat-8.0.0-2021.05.23-000011,Matched indicator index +8.11.0,true,threat,threat.enrichments.matched.occurred,date,extended,,2021-10-05T17:00:58.326Z,Date of match +8.11.0,true,threat,threat.enrichments.matched.type,keyword,extended,,indicator_match_rule,Type of indicator match +8.11.0,true,threat,threat.feed.dashboard_id,keyword,extended,,5ba16340-72e6-11eb-a3e3-b3cc7c78a70f,Feed dashboard ID. +8.11.0,true,threat,threat.feed.description,keyword,extended,,Threat feed from the AlienVault Open Threat eXchange network.,Description of the threat feed. +8.11.0,true,threat,threat.feed.name,keyword,extended,,AlienVault OTX,Name of the threat feed. +8.11.0,true,threat,threat.feed.reference,keyword,extended,,https://otx.alienvault.com,Reference for the threat feed. +8.11.0,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework. +8.11.0,true,threat,threat.group.alias,keyword,extended,array,"[ ""Magecart Group 6"" ]",Alias of the group. +8.11.0,true,threat,threat.group.id,keyword,extended,,G0037,ID of the group. +8.11.0,true,threat,threat.group.name,keyword,extended,,FIN6,Name of the group. +8.11.0,true,threat,threat.group.reference,keyword,extended,,https://attack.mitre.org/groups/G0037/,Reference URL of the group. 
+8.11.0,true,threat,threat.indicator.as.number,long,extended,,15169,Unique number allocated to the autonomous system. +8.11.0,true,threat,threat.indicator.as.organization.name,keyword,extended,,Google LLC,Organization name. +8.11.0,true,threat,threat.indicator.as.organization.name.text,keyword,extended,,Google LLC,Organization name. +8.11.0,true,threat,threat.indicator.confidence,keyword,extended,,Medium,Indicator confidence rating +8.11.0,true,threat,threat.indicator.description,keyword,extended,,IP x.x.x.x was observed delivering the Angler EK.,Indicator description +8.11.0,true,threat,threat.indicator.email.address,keyword,extended,,phish@example.com,Indicator email address +8.11.0,true,threat,threat.indicator.file.accessed,date,extended,,,Last time the file was accessed. +8.11.0,true,threat,threat.indicator.file.attributes,keyword,extended,array,"[""readonly"", ""system""]",Array of file attributes. +8.11.0,true,threat,threat.indicator.file.code_signature.digest_algorithm,keyword,extended,,sha256,Hashing algorithm used to sign the process. +8.11.0,true,threat,threat.indicator.file.code_signature.exists,boolean,core,,true,Boolean to capture if a signature is present. +8.11.0,true,threat,threat.indicator.file.code_signature.signing_id,keyword,extended,,com.apple.xpc.proxy,The identifier used to sign the process. +8.11.0,true,threat,threat.indicator.file.code_signature.status,keyword,extended,,ERROR_UNTRUSTED_ROOT,Additional information about the certificate status. +8.11.0,true,threat,threat.indicator.file.code_signature.subject_name,keyword,core,,Microsoft Corporation,Subject name of the code signer +8.11.0,true,threat,threat.indicator.file.code_signature.team_id,keyword,extended,,EQHXZ8M8AV,The team identifier used to sign the process. +8.11.0,true,threat,threat.indicator.file.code_signature.timestamp,date,extended,,2021-01-01T12:10:30Z,When the signature was generated and signed. 
+8.11.0,true,threat,threat.indicator.file.code_signature.trusted,boolean,extended,,true,Stores the trust status of the certificate chain. +8.11.0,true,threat,threat.indicator.file.code_signature.valid,boolean,extended,,true,Boolean to capture if the digital signature is verified against the binary content. +8.11.0,true,threat,threat.indicator.file.created,date,extended,,,File creation time. +8.11.0,true,threat,threat.indicator.file.ctime,date,extended,,,Last time the file attributes or metadata changed. +8.11.0,true,threat,threat.indicator.file.device,keyword,extended,,sda,Device that is the source of the file. +8.11.0,true,threat,threat.indicator.file.directory,keyword,extended,,/home/alice,Directory where the file is located. +8.11.0,true,threat,threat.indicator.file.drive_letter,keyword,extended,,C,Drive letter where the file is located. +8.11.0,true,threat,threat.indicator.file.elf.architecture,keyword,extended,,x86-64,Machine architecture of the ELF file. +8.11.0,true,threat,threat.indicator.file.elf.byte_order,keyword,extended,,Little Endian,Byte sequence of ELF file. +8.11.0,true,threat,threat.indicator.file.elf.cpu_type,keyword,extended,,Intel,CPU type of the ELF file. +8.11.0,true,threat,threat.indicator.file.elf.creation_date,date,extended,,,Build or compile date. +8.11.0,true,threat,threat.indicator.file.elf.exports,flat_object,extended,array,,List of exported element names and types. +8.11.0,true,threat,threat.indicator.file.elf.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in an ELF file. +8.11.0,true,threat,threat.indicator.file.elf.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,threat,threat.indicator.file.elf.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. 
+8.11.0,true,threat,threat.indicator.file.elf.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.indicator.file.elf.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,threat,threat.indicator.file.elf.header.abi_version,keyword,extended,,,Version of the ELF Application Binary Interface (ABI). +8.11.0,true,threat,threat.indicator.file.elf.header.class,keyword,extended,,,Header class of the ELF file. +8.11.0,true,threat,threat.indicator.file.elf.header.data,keyword,extended,,,Data table of the ELF header. +8.11.0,true,threat,threat.indicator.file.elf.header.entrypoint,long,extended,,,Header entrypoint of the ELF file. +8.11.0,true,threat,threat.indicator.file.elf.header.object_version,keyword,extended,,,"""0x1"" for original ELF files." +8.11.0,true,threat,threat.indicator.file.elf.header.os_abi,keyword,extended,,,Application Binary Interface (ABI) of the Linux OS. +8.11.0,true,threat,threat.indicator.file.elf.header.type,keyword,extended,,,Header type of the ELF file. +8.11.0,true,threat,threat.indicator.file.elf.header.version,keyword,extended,,,Version of the ELF header. +8.11.0,true,threat,threat.indicator.file.elf.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in an ELF file. +8.11.0,true,threat,threat.indicator.file.elf.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,threat,threat.indicator.file.elf.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.indicator.file.elf.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.indicator.file.elf.sections,nested,extended,array,,Section information of the ELF file. 
+8.11.0,true,threat,threat.indicator.file.elf.sections.chi2,long,extended,,,Chi-square probability distribution of the section. +8.11.0,true,threat,threat.indicator.file.elf.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,threat,threat.indicator.file.elf.sections.flags,keyword,extended,,,ELF Section List flags. +8.11.0,true,threat,threat.indicator.file.elf.sections.name,keyword,extended,,,ELF Section List name. +8.11.0,true,threat,threat.indicator.file.elf.sections.physical_offset,keyword,extended,,,ELF Section List offset. +8.11.0,true,threat,threat.indicator.file.elf.sections.physical_size,long,extended,,,ELF Section List physical size. +8.11.0,true,threat,threat.indicator.file.elf.sections.type,keyword,extended,,,ELF Section List type. +8.11.0,true,threat,threat.indicator.file.elf.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,threat,threat.indicator.file.elf.sections.virtual_address,long,extended,,,ELF Section List virtual address. +8.11.0,true,threat,threat.indicator.file.elf.sections.virtual_size,long,extended,,,ELF Section List virtual size. +8.11.0,true,threat,threat.indicator.file.elf.segments,nested,extended,array,,ELF object segment list. +8.11.0,true,threat,threat.indicator.file.elf.segments.sections,keyword,extended,,,ELF object segment sections. +8.11.0,true,threat,threat.indicator.file.elf.segments.type,keyword,extended,,,ELF object segment type. +8.11.0,true,threat,threat.indicator.file.elf.shared_libraries,keyword,extended,array,,List of shared libraries used by this ELF object. +8.11.0,true,threat,threat.indicator.file.elf.telfhash,keyword,extended,,,telfhash hash for ELF file. +8.11.0,true,threat,threat.indicator.file.extension,keyword,extended,,png,"File extension, excluding the leading dot." +8.11.0,true,threat,threat.indicator.file.fork_name,keyword,extended,,Zone.Identifer,A fork is additional data associated with a filesystem object. 
+8.11.0,true,threat,threat.indicator.file.gid,keyword,extended,,1001,Primary group ID (GID) of the file. +8.11.0,true,threat,threat.indicator.file.group,keyword,extended,,alice,Primary group name of the file. +8.11.0,true,threat,threat.indicator.file.hash.md5,keyword,extended,,,MD5 hash. +8.11.0,true,threat,threat.indicator.file.hash.sha1,keyword,extended,,,SHA1 hash. +8.11.0,true,threat,threat.indicator.file.hash.sha256,keyword,extended,,,SHA256 hash. +8.11.0,true,threat,threat.indicator.file.hash.sha384,keyword,extended,,,SHA384 hash. +8.11.0,true,threat,threat.indicator.file.hash.sha512,keyword,extended,,,SHA512 hash. +8.11.0,true,threat,threat.indicator.file.hash.ssdeep,keyword,extended,,,SSDEEP hash. +8.11.0,true,threat,threat.indicator.file.hash.tlsh,keyword,extended,,,TLSH hash. +8.11.0,true,threat,threat.indicator.file.inode,keyword,extended,,256383,Inode representing the file in the filesystem. +8.11.0,true,threat,threat.indicator.file.mime_type,keyword,extended,,,"Media type of file, document, or arrangement of bytes." +8.11.0,true,threat,threat.indicator.file.mode,keyword,extended,,0640,Mode of the file in octal representation. +8.11.0,true,threat,threat.indicator.file.mtime,date,extended,,,Last time the file content was modified. +8.11.0,true,threat,threat.indicator.file.name,keyword,extended,,example.png,"Name of the file including the extension, without the directory." +8.11.0,true,threat,threat.indicator.file.owner,keyword,extended,,alice,File owner's username. +8.11.0,true,threat,threat.indicator.file.path,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,threat,threat.indicator.file.path.text,keyword,extended,,/home/alice/example.png,"Full path to the file, including the file name." +8.11.0,true,threat,threat.indicator.file.pe.architecture,keyword,extended,,x64,CPU architecture target for the file. 
+8.11.0,true,threat,threat.indicator.file.pe.company,keyword,extended,,Microsoft Corporation,"Internal company name of the file, provided at compile-time." +8.11.0,true,threat,threat.indicator.file.pe.description,keyword,extended,,Paint,"Internal description of the file, provided at compile-time." +8.11.0,true,threat,threat.indicator.file.pe.file_version,keyword,extended,,6.3.9600.17415,Process name. +8.11.0,true,threat,threat.indicator.file.pe.go_import_hash,keyword,extended,,10bddcb4cee42080f76c88d9ff964491,A hash of the Go language imports in a PE file. +8.11.0,true,threat,threat.indicator.file.pe.go_imports,flat_object,extended,,,List of imported Go language element names and types. +8.11.0,true,threat,threat.indicator.file.pe.go_imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.indicator.file.pe.go_imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of Go imports. +8.11.0,true,threat,threat.indicator.file.pe.go_stripped,boolean,extended,,,Whether the file is a stripped or obfuscated Go executable. +8.11.0,true,threat,threat.indicator.file.pe.imphash,keyword,extended,,0c6803c4e922103c4dca5963aad36ddf,A hash of the imports in a PE file. +8.11.0,true,threat,threat.indicator.file.pe.import_hash,keyword,extended,,d41d8cd98f00b204e9800998ecf8427e,A hash of the imports in a PE file. +8.11.0,true,threat,threat.indicator.file.pe.imports,flat_object,extended,array,,List of imported element names and types. +8.11.0,true,threat,threat.indicator.file.pe.imports_names_entropy,long,extended,,,Shannon entropy calculation from the list of imported element names and types. +8.11.0,true,threat,threat.indicator.file.pe.imports_names_var_entropy,long,extended,,,Variance for Shannon entropy calculation from the list of imported element names and types. 
+8.11.0,true,threat,threat.indicator.file.pe.original_file_name,keyword,extended,,MSPAINT.EXE,"Internal name of the file, provided at compile-time." +8.11.0,true,threat,threat.indicator.file.pe.pehash,keyword,extended,,73ff189b63cd6be375a7ff25179a38d347651975,A hash of the PE header and data from one or more PE sections. +8.11.0,true,threat,threat.indicator.file.pe.product,keyword,extended,,Microsoft® Windows® Operating System,"Internal product name of the file, provided at compile-time." +8.11.0,true,threat,threat.indicator.file.pe.sections,nested,extended,array,,Section information of the PE file. +8.11.0,true,threat,threat.indicator.file.pe.sections.entropy,long,extended,,,Shannon entropy calculation from the section. +8.11.0,true,threat,threat.indicator.file.pe.sections.name,keyword,extended,,,PE Section List name. +8.11.0,true,threat,threat.indicator.file.pe.sections.physical_size,long,extended,,,PE Section List physical size. +8.11.0,true,threat,threat.indicator.file.pe.sections.var_entropy,long,extended,,,Variance for Shannon entropy calculation from the section. +8.11.0,true,threat,threat.indicator.file.pe.sections.virtual_size,long,extended,,,PE Section List virtual size. This is always the same as `physical_size`. +8.11.0,true,threat,threat.indicator.file.size,long,extended,,16384,File size in bytes. +8.11.0,true,threat,threat.indicator.file.target_path,keyword,extended,,,Target path for symlinks. +8.11.0,true,threat,threat.indicator.file.target_path.text,keyword,extended,,,Target path for symlinks. +8.11.0,true,threat,threat.indicator.file.type,keyword,extended,,file,"File type (file, dir, or symlink)." +8.11.0,true,threat,threat.indicator.file.uid,keyword,extended,,1001,The user ID (UID) or security identifier (SID) of the file owner. +8.11.0,true,threat,threat.indicator.file.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). 
+8.11.0,true,threat,threat.indicator.file.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.file.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,threat,threat.indicator.file.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.file.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,threat,threat.indicator.file.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.file.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.file.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.indicator.file.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,threat,threat.indicator.file.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,threat,threat.indicator.file.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,threat,threat.indicator.file.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,threat,threat.indicator.file.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. 
+8.11.0,true,threat,threat.indicator.file.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,threat,threat.indicator.file.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,threat,threat.indicator.file.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,threat,threat.indicator.file.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. +8.11.0,true,threat,threat.indicator.file.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,threat,threat.indicator.file.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,threat,threat.indicator.file.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,threat,threat.indicator.file.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,threat,threat.indicator.file.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,threat,threat.indicator.file.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.indicator.file.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,threat,threat.indicator.first_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was first reported. +8.11.0,true,threat,threat.indicator.geo.city_name,keyword,core,,Montreal,City name. +8.11.0,true,threat,threat.indicator.geo.continent_code,keyword,core,,NA,Continent code. 
+8.11.0,true,threat,threat.indicator.geo.continent_name,keyword,core,,North America,Name of the continent. +8.11.0,true,threat,threat.indicator.geo.country_iso_code,keyword,core,,CA,Country ISO code. +8.11.0,true,threat,threat.indicator.geo.country_name,keyword,core,,Canada,Country name. +8.11.0,true,threat,threat.indicator.geo.location,geo_point,core,,"{ ""lon"": -73.614830, ""lat"": 45.505918 }",Longitude and latitude. +8.11.0,true,threat,threat.indicator.geo.name,keyword,extended,,boston-dc,User-defined description of a location. +8.11.0,true,threat,threat.indicator.geo.postal_code,keyword,core,,94040,Postal code. +8.11.0,true,threat,threat.indicator.geo.region_iso_code,keyword,core,,CA-QC,Region ISO code. +8.11.0,true,threat,threat.indicator.geo.region_name,keyword,core,,Quebec,Region name. +8.11.0,true,threat,threat.indicator.geo.timezone,keyword,core,,America/Argentina/Buenos_Aires,Time zone. +8.11.0,true,threat,threat.indicator.ip,ip,extended,,1.2.3.4,Indicator IP address +8.11.0,true,threat,threat.indicator.last_seen,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last reported. +8.11.0,true,threat,threat.indicator.marking.tlp,keyword,extended,,CLEAR,Indicator TLP marking +8.11.0,true,threat,threat.indicator.marking.tlp_version,keyword,extended,,2.0,Indicator TLP version +8.11.0,true,threat,threat.indicator.modified_at,date,extended,,2020-11-05T17:25:47.000Z,Date/time indicator was last updated. +8.11.0,true,threat,threat.indicator.name,keyword,extended,,5.2.75.227,Indicator display name +8.11.0,true,threat,threat.indicator.port,long,extended,,443,Indicator port +8.11.0,true,threat,threat.indicator.provider,keyword,extended,,lrz_urlhaus,Indicator provider +8.11.0,true,threat,threat.indicator.reference,keyword,extended,,https://system.example.com/indicator/0001234,Indicator reference URL +8.11.0,true,threat,threat.indicator.registry.data.bytes,keyword,extended,,ZQBuAC0AVQBTAAAAZQBuAAAAAAA=,Original bytes written with base64 encoding. 
+8.11.0,true,threat,threat.indicator.registry.data.strings,keyword,core,array,"[""C:\rta\red_ttp\bin\myapp.exe""]",List of strings representing what was written to the registry. +8.11.0,true,threat,threat.indicator.registry.data.type,keyword,core,,REG_SZ,Standard registry type for encoding contents +8.11.0,true,threat,threat.indicator.registry.hive,keyword,core,,HKLM,Abbreviated name for the hive. +8.11.0,true,threat,threat.indicator.registry.key,keyword,core,,SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe,Hive-relative path of keys. +8.11.0,true,threat,threat.indicator.registry.path,keyword,core,,HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winword.exe\Debugger,"Full path, including hive, key and value" +8.11.0,true,threat,threat.indicator.registry.value,keyword,core,,Debugger,Name of the value written. +8.11.0,true,threat,threat.indicator.scanner_stats,long,extended,,4,Scanner statistics +8.11.0,true,threat,threat.indicator.sightings,long,extended,,20,Number of times indicator observed +8.11.0,true,threat,threat.indicator.type,keyword,extended,,ipv4-addr,Type of indicator +8.11.0,true,threat,threat.indicator.url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.11.0,true,threat,threat.indicator.url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.11.0,true,threat,threat.indicator.url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.11.0,true,threat,threat.indicator.url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.11.0,true,threat,threat.indicator.url.full.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.11.0,true,threat,threat.indicator.url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. 
+8.11.0,true,threat,threat.indicator.url.original.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.11.0,true,threat,threat.indicator.url.password,keyword,extended,,,Password of the request. +8.11.0,true,threat,threat.indicator.url.path,keyword,extended,,,"Path of the request, such as ""/search""." +8.11.0,true,threat,threat.indicator.url.port,long,extended,,443,"Port of the request, such as 443." +8.11.0,true,threat,threat.indicator.url.query,keyword,extended,,,Query string of the request. +8.11.0,true,threat,threat.indicator.url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.11.0,true,threat,threat.indicator.url.scheme,keyword,extended,,https,Scheme of the url. +8.11.0,true,threat,threat.indicator.url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.11.0,true,threat,threat.indicator.url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.11.0,true,threat,threat.indicator.url.username,keyword,extended,,,Username of the request. +8.11.0,true,threat,threat.indicator.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,threat,threat.indicator.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,threat,threat.indicator.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.11.0,true,threat,threat.indicator.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,threat,threat.indicator.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,threat,threat.indicator.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.indicator.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,threat,threat.indicator.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,threat,threat.indicator.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,threat,threat.indicator.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,threat,threat.indicator.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.11.0,true,threat,threat.indicator.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,threat,threat.indicator.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,threat,threat.indicator.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,threat,threat.indicator.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.11.0,true,threat,threat.indicator.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,threat,threat.indicator.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,threat,threat.indicator.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,threat,threat.indicator.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,threat,threat.indicator.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,threat,threat.indicator.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,threat,threat.indicator.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,threat,threat.software.alias,keyword,extended,array,"[ ""X-Agent"" ]",Alias of the software +8.11.0,true,threat,threat.software.id,keyword,extended,,S0552,ID of the software +8.11.0,true,threat,threat.software.name,keyword,extended,,AdFind,Name of the software. +8.11.0,true,threat,threat.software.platforms,keyword,extended,array,"[ ""Windows"" ]",Platforms of the software. +8.11.0,true,threat,threat.software.reference,keyword,extended,,https://attack.mitre.org/software/S0552/,Software reference URL. +8.11.0,true,threat,threat.software.type,keyword,extended,,Tool,Software type. +8.11.0,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id. +8.11.0,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic. +8.11.0,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference. +8.11.0,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id. 
+8.11.0,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name. +8.11.0,true,threat,threat.technique.name.text,keyword,extended,,Command and Scripting Interpreter,Threat technique name. +8.11.0,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference. +8.11.0,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id. +8.11.0,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name. +8.11.0,true,threat,threat.technique.subtechnique.name.text,keyword,extended,,PowerShell,Threat subtechnique name. +8.11.0,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference. +8.11.0,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection. +8.11.0,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. +8.11.0,true,tls,tls.client.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the client. +8.11.0,true,tls,tls.client.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the client. +8.11.0,true,tls,tls.client.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the client. +8.11.0,true,tls,tls.client.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the client. 
+8.11.0,true,tls,tls.client.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Distinguished name of subject of the issuer of the x.509 certificate presented by the client. +8.11.0,true,tls,tls.client.ja3,keyword,extended,,d4e5b18d6b55c71272893221c96ba240,A hash that identifies clients based on how they perform an SSL/TLS handshake. +8.11.0,true,tls,tls.client.not_after,date,extended,,2021-01-01T00:00:00.000Z,Date/Time indicating when client certificate is no longer considered valid. +8.11.0,true,tls,tls.client.not_before,date,extended,,1970-01-01T00:00:00.000Z,Date/Time indicating when client certificate is first considered valid. +8.11.0,true,tls,tls.client.server_name,keyword,extended,,www.elastic.co,Hostname the client is trying to connect to. Also called the SNI. +8.11.0,true,tls,tls.client.subject,keyword,extended,,"CN=myclient, OU=Documentation Team, DC=example, DC=com",Distinguished name of subject of the x.509 certificate presented by the client. +8.11.0,true,tls,tls.client.supported_ciphers,keyword,extended,array,"[""TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"", ""TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"", ""...""]",Array of ciphers offered by the client during the client hello. +8.11.0,true,tls,tls.client.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,tls,tls.client.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,tls,tls.client.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,tls,tls.client.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.11.0,true,tls,tls.client.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,tls,tls.client.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,tls,tls.client.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,tls,tls.client.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,tls,tls.client.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,tls,tls.client.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,tls,tls.client.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,tls,tls.client.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,tls,tls.client.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.11.0,true,tls,tls.client.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,tls,tls.client.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,tls,tls.client.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,tls,tls.client.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.11.0,true,tls,tls.client.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,tls,tls.client.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,tls,tls.client.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,tls,tls.client.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,tls,tls.client.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,tls,tls.client.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,tls,tls.client.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,tls,tls.curve,keyword,extended,,secp256r1,"String indicating the curve used for the given cipher, when applicable." +8.11.0,true,tls,tls.established,boolean,extended,,,Boolean flag indicating if the TLS negotiation was successful and transitioned to an encrypted tunnel. +8.11.0,true,tls,tls.next_protocol,keyword,extended,,http/1.1,String indicating the protocol being tunneled. +8.11.0,true,tls,tls.resumed,boolean,extended,,,Boolean flag indicating if this TLS connection was resumed from an existing TLS negotiation. +8.11.0,true,tls,tls.server.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the server. +8.11.0,true,tls,tls.server.certificate_chain,keyword,extended,array,"[""MII..."", ""MII...""]",Array of PEM-encoded certificates that make up the certificate chain offered by the server. +8.11.0,true,tls,tls.server.hash.md5,keyword,extended,,0F76C7F2C55BFD7D8E8B8F4BFBF0C9EC,Certificate fingerprint using the MD5 digest of DER-encoded version of certificate offered by the server. 
+8.11.0,true,tls,tls.server.hash.sha1,keyword,extended,,9E393D93138888D288266C2D915214D1D1CCEB2A,Certificate fingerprint using the SHA1 digest of DER-encoded version of certificate offered by the server. +8.11.0,true,tls,tls.server.hash.sha256,keyword,extended,,0687F666A054EF17A08E2F2162EAB4CBC0D265E1D7875BE74BF3C712CA92DAF0,Certificate fingerprint using the SHA256 digest of DER-encoded version of certificate offered by the server. +8.11.0,true,tls,tls.server.issuer,keyword,extended,,"CN=Example Root CA, OU=Infrastructure Team, DC=example, DC=com",Subject of the issuer of the x.509 certificate presented by the server. +8.11.0,true,tls,tls.server.ja3s,keyword,extended,,394441ab65754e2207b1e1b457b3641d,A hash that identifies servers based on how they perform an SSL/TLS handshake. +8.11.0,true,tls,tls.server.not_after,date,extended,,2021-01-01T00:00:00.000Z,Timestamp indicating when server certificate is no longer considered valid. +8.11.0,true,tls,tls.server.not_before,date,extended,,1970-01-01T00:00:00.000Z,Timestamp indicating when server certificate is first considered valid. +8.11.0,true,tls,tls.server.subject,keyword,extended,,"CN=www.example.com, OU=Infrastructure Team, DC=example, DC=com",Subject of the x.509 certificate presented by the server. +8.11.0,true,tls,tls.server.x509.alternative_names,keyword,extended,array,*.elastic.co,List of subject alternative names (SAN). +8.11.0,true,tls,tls.server.x509.issuer.common_name,keyword,extended,array,Example SHA2 High Assurance Server CA,List of common name (CN) of issuing certificate authority. +8.11.0,true,tls,tls.server.x509.issuer.country,keyword,extended,array,US,List of country \(C) codes +8.11.0,true,tls,tls.server.x509.issuer.distinguished_name,keyword,extended,,"C=US, O=Example Inc, OU=www.example.com, CN=Example SHA2 High Assurance Server CA",Distinguished name (DN) of issuing certificate authority. 
+8.11.0,true,tls,tls.server.x509.issuer.locality,keyword,extended,array,Mountain View,List of locality names (L) +8.11.0,true,tls,tls.server.x509.issuer.organization,keyword,extended,array,Example Inc,List of organizations (O) of issuing certificate authority. +8.11.0,true,tls,tls.server.x509.issuer.organizational_unit,keyword,extended,array,www.example.com,List of organizational units (OU) of issuing certificate authority. +8.11.0,true,tls,tls.server.x509.issuer.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,tls,tls.server.x509.not_after,date,extended,,2020-07-16T03:15:39Z,Time at which the certificate is no longer considered valid. +8.11.0,true,tls,tls.server.x509.not_before,date,extended,,2019-08-16T01:40:25Z,Time at which the certificate is first considered valid. +8.11.0,true,tls,tls.server.x509.public_key_algorithm,keyword,extended,,RSA,Algorithm used to generate the public key. +8.11.0,true,tls,tls.server.x509.public_key_curve,keyword,extended,,nistp521,The curve used by the elliptic curve public key algorithm. This is algorithm specific. +8.11.0,false,tls,tls.server.x509.public_key_exponent,long,extended,,65537,Exponent used to derive the public key. This is algorithm specific. +8.11.0,true,tls,tls.server.x509.public_key_size,long,extended,,2048,The size of the public key space in bits. +8.11.0,true,tls,tls.server.x509.serial_number,keyword,extended,,55FBB9C7DEBF09809D12CCAA,Unique serial number issued by the certificate authority. +8.11.0,true,tls,tls.server.x509.signature_algorithm,keyword,extended,,SHA256-RSA,Identifier for certificate signature algorithm. +8.11.0,true,tls,tls.server.x509.subject.common_name,keyword,extended,array,shared.global.example.net,List of common names (CN) of subject. 
+8.11.0,true,tls,tls.server.x509.subject.country,keyword,extended,array,US,List of country \(C) code +8.11.0,true,tls,tls.server.x509.subject.distinguished_name,keyword,extended,,"C=US, ST=California, L=San Francisco, O=Example, Inc., CN=shared.global.example.net",Distinguished name (DN) of the certificate subject entity. +8.11.0,true,tls,tls.server.x509.subject.locality,keyword,extended,array,San Francisco,List of locality names (L) +8.11.0,true,tls,tls.server.x509.subject.organization,keyword,extended,array,"Example, Inc.",List of organizations (O) of subject. +8.11.0,true,tls,tls.server.x509.subject.organizational_unit,keyword,extended,array,,List of organizational units (OU) of subject. +8.11.0,true,tls,tls.server.x509.subject.state_or_province,keyword,extended,array,California,"List of state or province names (ST, S, or P)" +8.11.0,true,tls,tls.server.x509.version_number,keyword,extended,,3,Version of x509 format. +8.11.0,true,tls,tls.version,keyword,extended,,1.2,Numeric part of the version parsed from the original string. +8.11.0,true,tls,tls.version_protocol,keyword,extended,,tls,Normalized lowercase protocol name parsed from original string. +8.11.0,true,trace,trace.id,keyword,extended,,4bf92f3577b34da6a3ce929d0e0e4736,Unique identifier of the trace. +8.11.0,true,transaction,transaction.id,keyword,extended,,00f067aa0ba902b7,Unique identifier of the transaction within the scope of its trace. +8.11.0,true,url,url.domain,keyword,extended,,www.elastic.co,Domain of the url. +8.11.0,true,url,url.extension,keyword,extended,,png,"File extension from the request url, excluding the leading dot." +8.11.0,true,url,url.fragment,keyword,extended,,,Portion of the url after the `#`. +8.11.0,true,url,url.full,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. +8.11.0,true,url,url.full.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top,Full unparsed URL. 
+8.11.0,true,url,url.original,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.11.0,true,url,url.original.text,keyword,extended,,https://www.elastic.co:443/search?q=elasticsearch#top or /search?q=elasticsearch,Unmodified original url as seen in the event source. +8.11.0,true,url,url.password,keyword,extended,,,Password of the request. +8.11.0,true,url,url.path,keyword,extended,,,"Path of the request, such as ""/search""." +8.11.0,true,url,url.port,long,extended,,443,"Port of the request, such as 443." +8.11.0,true,url,url.query,keyword,extended,,,Query string of the request. +8.11.0,true,url,url.registered_domain,keyword,extended,,example.com,"The highest registered url domain, stripped of the subdomain." +8.11.0,true,url,url.scheme,keyword,extended,,https,Scheme of the url. +8.11.0,true,url,url.subdomain,keyword,extended,,east,The subdomain of the domain. +8.11.0,true,url,url.top_level_domain,keyword,extended,,co.uk,"The effective top level domain (com, org, net, co.uk)." +8.11.0,true,url,url.username,keyword,extended,,,Username of the request. +8.11.0,true,user,user.changes.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,user,user.changes.email,keyword,extended,,,User email address. +8.11.0,true,user,user.changes.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.changes.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.changes.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,user,user.changes.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,user,user.changes.group.name,keyword,extended,,,Name of the group. 
+8.11.0,true,user,user.changes.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,user,user.changes.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,user,user.changes.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.changes.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.changes.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.11.0,true,user,user.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,user,user.effective.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,user,user.effective.email,keyword,extended,,,User email address. +8.11.0,true,user,user.effective.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.effective.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.effective.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,user,user.effective.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,user,user.effective.group.name,keyword,extended,,,Name of the group. +8.11.0,true,user,user.effective.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,user,user.effective.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,user,user.effective.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.effective.name.text,keyword,core,,a.einstein,Short name or login of the user. 
+8.11.0,true,user,user.effective.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.11.0,true,user,user.email,keyword,extended,,,User email address. +8.11.0,true,user,user.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,user,user.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,user,user.group.name,keyword,extended,,,Name of the group. +8.11.0,true,user,user.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,user,user.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,user,user.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.risk.calculated_level,keyword,extended,,High,A risk classification level calculated by an internal system as part of entity analytics and entity risk scoring. +8.11.0,true,user,user.risk.calculated_score,float,extended,,880.73,A risk classification score calculated by an internal system as part of entity analytics and entity risk scoring. +8.11.0,true,user,user.risk.calculated_score_norm,float,extended,,88.73,A normalized risk score calculated by an internal system. +8.11.0,true,user,user.risk.static_level,keyword,extended,,High,"A risk classification level obtained from outside the system, such as from some external Threat Intelligence Platform." +8.11.0,true,user,user.risk.static_score,float,extended,,830.0,"A risk classification score obtained from outside the system, such as from some external Threat Intelligence Platform." 
+8.11.0,true,user,user.risk.static_score_norm,float,extended,,83.0,A normalized risk score calculated by an external system. +8.11.0,true,user,user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.11.0,true,user,user.target.domain,keyword,extended,,,Name of the directory the user is a member of. +8.11.0,true,user,user.target.email,keyword,extended,,,User email address. +8.11.0,true,user,user.target.full_name,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.target.full_name.text,keyword,extended,,Albert Einstein,"User's full name, if available." +8.11.0,true,user,user.target.group.domain,keyword,extended,,,Name of the directory the group is a member of. +8.11.0,true,user,user.target.group.id,keyword,extended,,,Unique identifier for the group on the system/platform. +8.11.0,true,user,user.target.group.name,keyword,extended,,,Name of the group. +8.11.0,true,user,user.target.hash,keyword,extended,,,Unique user hash to correlate information for a user in anonymized form. +8.11.0,true,user,user.target.id,keyword,core,,S-1-5-21-202424912787-2692429404-2351956786-1000,Unique identifier of the user. +8.11.0,true,user,user.target.name,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.target.name.text,keyword,core,,a.einstein,Short name or login of the user. +8.11.0,true,user,user.target.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event. +8.11.0,true,user_agent,user_agent.device.name,keyword,extended,,iPhone,Name of the device. +8.11.0,true,user_agent,user_agent.name,keyword,extended,,Safari,Name of the user agent. +8.11.0,true,user_agent,user_agent.original,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. 
+8.11.0,true,user_agent,user_agent.original.text,keyword,extended,,"Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",Unparsed user_agent string. +8.11.0,true,user_agent,user_agent.os.family,keyword,extended,,debian,"OS family (such as redhat, debian, freebsd, windows)." +8.11.0,true,user_agent,user_agent.os.full,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,user_agent,user_agent.os.full.text,keyword,extended,,Mac OS Mojave,"Operating system name, including the version or code name." +8.11.0,true,user_agent,user_agent.os.kernel,keyword,extended,,4.4.0-112-generic,Operating system kernel version as a raw string. +8.11.0,true,user_agent,user_agent.os.name,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,user_agent,user_agent.os.name.text,keyword,extended,,Mac OS X,"Operating system name, without the version." +8.11.0,true,user_agent,user_agent.os.platform,keyword,extended,,darwin,"Operating system platform (such centos, ubuntu, windows)." +8.11.0,true,user_agent,user_agent.os.type,keyword,extended,,macos,"Which commercial OS family (one of: linux, macos, unix, windows, ios or android)." +8.11.0,true,user_agent,user_agent.os.version,keyword,extended,,10.14.1,Operating system version as a raw string. +8.11.0,true,user_agent,user_agent.version,keyword,extended,,12.0,Version of the user agent. +8.11.0,true,vulnerability,vulnerability.category,keyword,extended,array,"[""Firewall""]",Category of a vulnerability. +8.11.0,true,vulnerability,vulnerability.classification,keyword,extended,,CVSS,Classification of the vulnerability. +8.11.0,true,vulnerability,vulnerability.description,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. 
+8.11.0,true,vulnerability,vulnerability.description.text,keyword,extended,,"In macOS before 2.12.6, there is a vulnerability in the RPC...",Description of the vulnerability. +8.11.0,true,vulnerability,vulnerability.enumeration,keyword,extended,,CVE,Identifier of the vulnerability. +8.11.0,true,vulnerability,vulnerability.id,keyword,extended,,CVE-2019-00001,ID of the vulnerability. +8.11.0,true,vulnerability,vulnerability.reference,keyword,extended,,https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6111,Reference of the vulnerability. +8.11.0,true,vulnerability,vulnerability.report_id,keyword,extended,,20191018.0001,Scan identification number. +8.11.0,true,vulnerability,vulnerability.scanner.reference,keyword,custom,,https://www.example.com/vulnerability/12345,"Scanner's resource that provides additional information, context, and mitigations for the identified vulnerability." +8.11.0,true,vulnerability,vulnerability.scanner.vendor,keyword,extended,,Tenable,Name of the scanner vendor. +8.11.0,true,vulnerability,vulnerability.score.base,float,extended,,5.5,Vulnerability Base score. +8.11.0,true,vulnerability,vulnerability.score.environmental,float,extended,,5.5,Vulnerability Environmental score. +8.11.0,true,vulnerability,vulnerability.score.temporal,float,extended,,,Vulnerability Temporal score. +8.11.0,true,vulnerability,vulnerability.score.version,keyword,extended,,2.0,CVSS version. +8.11.0,true,vulnerability,vulnerability.severity,keyword,extended,,Critical,Severity of the vulnerability. +8.11.0,true,wazuh,wazuh.cluster.name,keyword,custom,,wazuh-cluster-1,Wazuh cluster name. +8.11.0,true,wazuh,wazuh.cluster.node,keyword,custom,,wazuh-cluster-node-1,Wazuh cluster node name. +8.11.0,true,wazuh,wazuh.decoders,keyword,custom,"a, r, r, a, y","[ 'decoder-1', 'decoder-2' ]",Wazuh decoders that matched on this event. +8.11.0,true,wazuh,wazuh.rules,keyword,custom,"a, r, r, a, y","[ 'rule-1', 'rule-2' ]",Wazuh rules that matched on this event. 
+8.11.0,true,wazuh,wazuh.schema.version,keyword,custom,,1.7.0,Wazuh schema version.
diff --git a/ecs/stateless/event-generator/event_generator.py b/ecs/stateless/event-generator/event_generator.py
new file mode 100644
index 00000000..dffd7674
--- /dev/null
+++ b/ecs/stateless/event-generator/event_generator.py
@@ -0,0 +1,164 @@ +#!/bin/python3 + +import argparse +import datetime +import json +import logging +import random +import requests +import urllib3 + +# Constants and Configuration +LOG_FILE = "generate_data.log" +GENERATED_DATA_FILE = "generatedData.json" +DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ" +# Default values +INDEX_NAME = "wazuh-alerts-5.x-000001" +USERNAME = "admin" +PASSWORD = "admin" +IP = "127.0.0.1" +PORT = "9200" + +# Configure logging +logging.basicConfig(level=logging.INFO) + +# Suppress warnings +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + + +def generate_random_data(number): + data = [] + for _ in range(number): + event_data = { + "@timestamp": generate_random_date(), + "agent": generate_random_agent(), + 'policy': generate_random_policy(), + 'check': generate_random_check(), + "wazuh": generate_random_wazuh(), + } + data.append(event_data) + return data + + +def generate_random_date(): + start_date = datetime.datetime.now() + end_date = start_date - datetime.timedelta(days=10) + random_date = start_date + (end_date - start_date) * random.random() + return random_date.strftime(DATE_FORMAT) + + +def generate_random_agent(): + return { + "id": f"{random.randint(0, 99):03d}", + "name": f"Agent{random.randint(0, 99)}", + "version": f"v{random.randint(0, 9)}-stable", + "host": generate_random_host(), + } + + +def generate_random_host(): + return { + "architecture": random.choice(["x86_64", "arm64"]), + "ip": f"{random.randint(1, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}.{random.randint(0, 255)}", + } + +def generate_random_policy(): + policy = { + 'id': f'policy{random.randint(0, 999)}', + 'name': f'Policy {random.randint(0, 999)}', + 'file': f'policy{random.randint(0, 999)}.yml', + 'description': 'Generated policy description.', + 'references': [f'https://example.com/policy{random.randint(0, 999)}'] + } + return policy + +def generate_random_check(): + check = { + 'id': f'check{random.randint(0, 9999)}', + 'name': 
'Check Example', + 'description': 'Generated check description.', + 'rationale': 'Generated rationale.', + 'remediation': 'Generated remediation.', + 'references': [f'https://example.com/check{random.randint(0, 9999)}'], + 'condition': 'all', + 'compliance': [f'cis:{random.randint(1, 10)}.{random.randint(1, 10)}.{random.randint(1, 10)}'], + 'rules': [f'Rule {random.randint(1, 100)}', f'Rule {random.randint(1, 100)}'], + 'result': 'pass', + 'reason': 'Randomly passed.' + } + return check + +def generate_random_wazuh(): + return { + "decoders": [f"decoder-{random.randint(0, 5)}" for _ in range(random.randint(1, 3))], + "rules": [f"rule-{random.randint(0, 5)}" for _ in range(random.randint(1, 3))], + "cluster": { + "name": f"wazuh-cluster-{random.randint(0, 10)}", + "node": f"wazuh-cluster-node-{random.randint(0, 10)}", + }, + "schema": {"version": "1.7.0"}, + } + +def inject_events(data, ip, port, username, password, index, protocol): + url = f"{protocol}://{ip}:{port}/{index}/_doc" + session = requests.Session() + session.auth = (username, password) + session.verify = False + headers = {"Content-Type": "application/json"} + + try: + for event_data in data: + response = session.post(url, json=event_data, headers=headers) + if response.status_code != 201: + logging.error(f"Error: {response.status_code}") + logging.error(response.text) + break + logging.info("Data injection completed successfully.") + except Exception as e: + logging.error(f"Error: {str(e)}") + + +def main(): + parser = argparse.ArgumentParser( + description="Generate and optionally inject documents into a Wazuh Indexer cluster." + ) + parser.add_argument( + "--protocol", + choices=['http', 'https'], + default='https', + help="Specify the protocol to use: http or https. Default is 'https'." + ) + args = parser.parse_args() + + try: + number = int(input("How many events do you want to generate? ")) + except ValueError: + logging.error("Invalid input. 
Please enter a valid number.") + return + + logging.info(f"Generating {number} events...") + data = generate_random_data(number) + + with open(GENERATED_DATA_FILE, "a") as outfile: + for event_data in data: + json.dump(event_data, outfile) + outfile.write("\n") + + logging.info("Data generation completed.") + + inject = ( + input("Do you want to inject the generated data into your indexer? (y/n) ") + .strip() + .lower() + ) + if inject == "y": + ip = input(f"Enter the IP of your Indexer (default: '{IP}'): ") or IP + port = input(f"Enter the port of your Indexer (default: '{PORT}'): ") or PORT + index = input(f"Enter the index name (default: '{INDEX_NAME}'): ") or INDEX_NAME + username = input(f"Username (default: '{USERNAME}'): ") or USERNAME + password = input(f"Password (default: '{PASSWORD}'): ") or PASSWORD + inject_events(data, ip, port, username, password, index, args.protocol) + + +if __name__ == "__main__": + main() diff --git a/ecs/stateless/fields/custom/agent.yml b/ecs/stateless/fields/custom/agent.yml new file mode 100644 index 00000000..576c7d10 --- /dev/null +++ b/ecs/stateless/fields/custom/agent.yml @@ -0,0 +1,15 @@ +--- +- name: agent + title: Wazuh Agents + short: Wazuh Inc. custom fields. + type: group + group: 2 + fields: + - name: groups + type: keyword + level: custom + description: > + List of groups the agent belongs to. + normalize: + - array + example: "[\"group1\", \"group2\"]" diff --git a/ecs/stateless/fields/custom/check.yml b/ecs/stateless/fields/custom/check.yml new file mode 100644 index 00000000..8aacd0b8 --- /dev/null +++ b/ecs/stateless/fields/custom/check.yml 
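Review bot: The indexer password is read with `input()` in `main`, so it is echoed to the terminal, and `inject_events` sets `session.verify = False` unconditionally with the resulting warning silenced at module level, so every run is an unverified TLS connection even when a valid CA is available. Read the secret with `password = getpass.getpass(f"Password (default: '{PASSWORD}'): ") or PASSWORD` (plus `import getpass`), and make verification the default by adding an `--insecure` flag, or a `--ca-cert PATH` argument, whose value is what gets assigned to `session.verify`. `inject_events` also swallows every exception into a log line and `main` never learns whether injection succeeded; returning a boolean from `inject_events` and exiting non-zero in `main` would make the script usable in automation.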
@@ -0,0 +1,99 @@ +--- +- name: check + title: SCA policy check + description: > + Custom fields for SCA policy check. + type: group + group: 2 + fields: + - name: id + type: keyword + level: custom + description: The ID of the SCA policy check. + example: "26000" + - name: name + type: keyword + level: custom + description: The name of the SCA policy check. + example: "Ensure 'Enforce password history' is set to '24 or more password(s)'." + - name: description + type: keyword + level: custom + description: Extended description of the check. + example: > + "The password history setting determines the number of unique new passwords a user must use before an old password can be reused." + - name: rationale + type: keyword + level: custom + description: The reason for the check. Why it is important. + example: > + "The longer a user uses the same password, the more likely it is that the password will be compromised." + - name: remediation + type: keyword + level: custom + description: Actions to take to remediate the check. + example: > + "To establish the recommended configuration, set the following registry value to 24 or more password(s):" + - name: references + type: keyword + level: custom + short: References for the check. + description: > + References for the check. This can include links to documentation, articles, or other resources that provide additional information about the check, such as Common Configuration Enumeration (CCE). + + Note: this field should contain an array of values. + normalize: + - array + example: '["https://workbench.cisecurity.org"]' + - name: condition + type: keyword + level: custom + short: Relationship between the rules. + description: > + Describes the relationship between the rules. This field indicates how the rules should be evaluated to determine the overall result of the check. + + The allowed values are: + - `all`: All rules must be satisfied. + - `any`: Any of the rules is sufficient. 
+ - `none`: None of the rules must be satisfied. + example: "all" + - name: compliance + type: keyword + level: custom + short: CIS compliance standard. + description: > + CIS compliance standard under which the check is defined. This field indicates the specific compliance standard that the check is associated with, such as CIS benchmarks or other compliance frameworks. + + Note: this field should contain an array of values. + normalize: + - array + example: '["cis:1.1.1","cis_csc:5.2"]' + - name: rules + type: keyword + level: custom + short: Rules to be evaluated. + description: > + Expression to be evaluated. This field contains the specific rules or expressions that need to be evaluated to determine the result of the check. The rules are typically defined using a specific syntax or format that allows for logical comparisons and evaluations. + The rules can include various conditions, operators, and values that are used to assess the compliance status of the system or configuration being checked. + + Note: this field should contain an array of values. + normalize: + - array + example: > + "[\"c:net.exe accounts -> n:Maximum password age \(days\):\s+(\d+) compare > 0\"," > + "\"c:net.exe accounts -> n:Length of password history maintained:\s+(\d+) compare >= 24\"]" + - name: result + type: keyword + level: custom + short: Result of the check. + description: > + The result of the check. This field indicates whether the check passed or failed based on the evaluation of the rules. The result is typically represented as a boolean value, where "passed" indicates that the check was successful and "failed" indicates that the check did not meet the specified criteria. + example: "failed" + - name: reason + type: keyword + level: custom + short: Reason for the check result. + description: > + The reason for the check result. This field provides additional information or context about the result of the check. 
It may include details about why the check passed or failed, any specific conditions that were not met, or any other relevant information that helps to understand the outcome of the check. + example: > + "The password history setting is not set to 24 or more password(s)." diff --git a/ecs/stateless/fields/custom/event.yml b/ecs/stateless/fields/custom/event.yml new file mode 100644 index 00000000..1af03327 --- /dev/null +++ b/ecs/stateless/fields/custom/event.yml @@ -0,0 +1,21 @@ +--- +- name: event + title: Context information about the log or metric event itself + short: Context information about the log or metric event itself + type: group + group: 2 + fields: + - name: changed_fields + type: keyword + level: custom + description: > + Fields that were updated since last scan. + normalize: + - array + example: "[\"foo\", \"bar\"]" + - name: collector + type: keyword + level: custom + description: > + Collector used to retrieve the event. + example: file diff --git a/ecs/stateless/fields/custom/host.yml b/ecs/stateless/fields/custom/host.yml new file mode 100644 index 00000000..4ab9a979 --- /dev/null +++ b/ecs/stateless/fields/custom/host.yml 
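Review bot: The `result` field's description states that the result "is typically represented as a boolean value", but the field is a `keyword`, its own example is the string `"failed"`, and the event generator in ecs/stateless/event-generator/event_generator.py emits `'result': 'pass'`, so three different value conventions are documented in one commit. Replace the boolean sentence with the actual set of string values the SCA module produces and align the example and the generator with that set, for instance `description: Outcome of the check evaluation as a keyword (see the module's allowed values); not a boolean.` with the allowed values listed explicitly once they are confirmed.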
@@ -0,0 +1,97 @@ +--- +- name: host + reusable: + top_level: true + expected: + - { at: agent, as: host } + fields: + - name: memory + description: > + Memory-related data. + type: object + level: custom + example: "\"total\": 100000, \"free\": 90000, \"used\": {\"percentage\": 10}" + - name: memory.total + description: > + Total memory in MB. + type: long + level: custom + example: 1024 + - name: memory.free + description: > + Free memory in MB. + type: long + level: custom + example: 1024 + - name: memory.used + description: > + Used memory-related data. + type: object + level: custom + example: "\"percentage\": 10" + - name: memory.used.percentage + description: > + Used memory percentage. + type: long + level: custom + example: 10 + - name: cpu + description: > + CPU-related data. + type: object + level: custom + example: "\"name\": \"Intel(R) Core(TM) i7-7700HQ CPU\", \"cores\": 4, \"speed\": 2800" + - name: cpu.name + description: > + CPU Model name. + type: keyword + level: custom + example: "Intel(R) Core(TM) i7-7700HQ CPU" + - name: cpu.cores + description: > + Number of CPU cores. + type: long + level: custom + example: 4 + - name: cpu.speed + description: > + CPU clock speed. + type: long + level: custom + example: 2800 + - name: network.ingress.queue + type: long + level: custom + description: > + Receive queue length. + example: 10 + - name: network.egress.queue + type: long + level: custom + description: > + Transmit queue length. + example: 10 + - name: network.egress.drops + type: long + level: custom + description: > + Number of dropped transmitted packets. + example: 10 + - name: network.egress.errors + type: long + level: custom + description: > + Number of transmission errors. + example: 10 + - name: network.ingress.drops + type: long + level: custom + description: > + Number of dropped received packets. + example: 10 + - name: network.ingress.errors + type: long + level: custom + description: > + Number of reception errors. + example: 10 
diff --git a/ecs/stateless/fields/custom/interface.yml b/ecs/stateless/fields/custom/interface.yml new file mode 100644 index 00000000..fe0183b8 --- /dev/null +++ b/ecs/stateless/fields/custom/interface.yml @@ -0,0 +1,30 @@ +--- +- name: interface + reusable: + top_level: true + expected: + - { at: observer.egress.interface, as: observer.ingress.interface } + title: Interface + type: group + group: 2 + description: > + Network interface related data. + fields: + - name: mtu + type: long + level: custom + description: > + Maximum transmission unit size. + example: 1500 + - name: state + type: keyword + level: custom + description: > + State of the network interface. + example: "up" + - name: type + type: keyword + level: custom + description: > + Interface type. + example: "ethernet" diff --git a/ecs/stateless/fields/custom/network.yml b/ecs/stateless/fields/custom/network.yml new file mode 100644 index 00000000..6f7b9b25 --- /dev/null +++ b/ecs/stateless/fields/custom/network.yml @@ -0,0 +1,38 @@ +--- +- name: network + title: Network + type: group + group: 2 + description: > + Network related data. + fields: + - name: broadcast + type: ip + level: custom + description: > + Broadcast address. + example: "192.168.0.255" + - name: dhcp + type: keyword + level: custom + description: > + DHCP status (enabled, disabled, unknown, BOOTP). + example: "enabled" + - name: gateway + type: ip + level: custom + description: > + Gateway address. + example: "192.168.0.1" + - name: metric + type: long + level: custom + description: > + Metric of the network protocol. + example: 15 + - name: netmask + type: ip + level: custom + description: > + Network mask + example: "255.255.255.0" diff --git a/ecs/stateless/fields/custom/os.yml b/ecs/stateless/fields/custom/os.yml new file mode 100644 index 00000000..0181d44d --- /dev/null +++ b/ecs/stateless/fields/custom/os.yml @@ -0,0 +1,6 @@ +--- +- name: os + reusable: + top_level: false + expected: + - agent.host 
diff --git a/ecs/stateless/fields/custom/policy.yml b/ecs/stateless/fields/custom/policy.yml new file mode 100644 index 00000000..e0ba71d7 --- /dev/null +++ b/ecs/stateless/fields/custom/policy.yml @@ -0,0 +1,40 @@ +--- +- name: policy + title: SCA policies + description: > + Custom fields for SCA policies. + type: group + group: 2 + fields: + - name: id + type: keyword + level: custom + description: The ID of the SCA policy. + example: "cis_win11_enterprise_21H2" + - name: name + type: keyword + level: custom + description: The name of the SCA policy. + example: "CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0" + - name: file + type: keyword + level: custom + description: The file name of the SCA policy. + example: "cis_win11_enterprise.yml" + - name: description + type: keyword + level: custom + description: Extended description of the policy. + example: > + "The CIS Microsoft Windows 11 Enterprise Benchmark v1.0.0 is a comprehensive security configuration guide that provides prescriptive guidance for establishing a secure baseline configuration for Microsoft Windows 11 Enterprise." + - name: references + type: keyword + level: custom + short: References for the policy. + description: > + References for the policy. This can include links to documentation, articles, or other resources that provide additional information about the policy, such as Common Configuration Enumeration (CCE). + + Note: this field should contain an array of values. + normalize: + - array + example: '["https://www.cisecurity.org/cis-benchmarks/"]' diff --git a/ecs/stateless/fields/custom/risk.yml b/ecs/stateless/fields/custom/risk.yml new file mode 100644 index 00000000..599a04a4 --- /dev/null +++ b/ecs/stateless/fields/custom/risk.yml @@ -0,0 +1,6 @@ +--- +- name: risk + reusable: + top_level: false + expected: + - agent.host diff --git a/ecs/stateless/fields/custom/vulnerability.yml b/ecs/stateless/fields/custom/vulnerability.yml new file mode 100644 index 00000000..0a604411 
--- /dev/null +++ b/ecs/stateless/fields/custom/vulnerability.yml @@ -0,0 +1,15 @@ +- name: vulnerability + title: Vulnerability + group: 2 + short: Fields to describe the vulnerability relevant to an event. + description: > + The vulnerability fields describe information about a vulnerability that is + relevant to an event. + type: group + fields: + - name: scanner.reference + type: keyword + level: custom + description: > + Scanner's resource that provides additional information, context, and mitigations for the identified vulnerability. + example: "https://www.example.com/vulnerability/12345" diff --git a/ecs/stateless/fields/custom/wazuh.yml b/ecs/stateless/fields/custom/wazuh.yml new file mode 100644 index 00000000..f45ba6c2 --- /dev/null +++ b/ecs/stateless/fields/custom/wazuh.yml @@ -0,0 +1,38 @@ +--- +- name: wazuh + title: Wazuh + description: > + Wazuh Inc. custom fields + fields: + - name: decoders + type: keyword + level: custom + normalize: array + description: > + Wazuh decoders that matched on this event. + example: "[ 'decoder-1', 'decoder-2' ]" + - name: rules + type: keyword + level: custom + normalize: array + description: > + Wazuh rules that matched on this event. + example: "[ 'rule-1', 'rule-2' ]" + - name: cluster.name + type: keyword + level: custom + description: > + Wazuh cluster name. + example: "wazuh-cluster-1" + - name: cluster.node + type: keyword + level: custom + description: > + Wazuh cluster node name. + example: "wazuh-cluster-node-1" + - name: schema.version + type: keyword + level: custom + description: > + Wazuh schema version. + example: "1.7.0" diff --git a/ecs/stateless/fields/mapping-settings.json b/ecs/stateless/fields/mapping-settings.json new file mode 100644 index 00000000..e3d8e07b --- /dev/null +++ b/ecs/stateless/fields/mapping-settings.json @@ -0,0 +1,4 @@ +{ + "dynamic": "false", + "date_detection": false +} 
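Review bot: ecs/stateless/fields/custom/vulnerability.yml is the only custom field file in this change that does not start with the `---` document marker; agent.yml, check.yml, host.yml, policy.yml and wazuh.yml all do. Add `---` as the first line so the files are consistent and tooling that expects an explicit document start treats them alike.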
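Review bot: `normalize: array` on the `decoders` and `rules` fields in wazuh.yml is a scalar string, whereas every other custom file in this change writes it as a list (`normalize:` followed by `- array`); the ECS tooling iterates the value, and the generated fields.csv in this same commit shows the consequence, `"a, r, r, a, y"` in the normalize column for wazuh.decoders and wazuh.rules. Change both occurrences to the list form, `normalize:` / `  - array`, and regenerate the CSV and index templates afterwards so the multi-value handling of these two fields matches the rest of the schema.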
diff --git a/ecs/stateless/fields/subset.yml b/ecs/stateless/fields/subset.yml
new file mode 100644
index 00000000..8498b786
--- /dev/null
+++ b/ecs/stateless/fields/subset.yml
@@ -0,0 +1,602 @@ +--- +name: wazuh-alerts +fields: + base: + fields: "*" + agent: + fields: "*" + as: + fields: "*" + client: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + cloud: + fields: "*" + code_signature: + fields: "*" + container: + fields: "*" + data_stream: + fields: "*" + destination: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + device: + fields: "*" + dll: + fields: "*" + dns: + fields: "*" + ecs: + fields: "*" + elf: + fields: "*" + email: + fields: "*" + error: + fields: "*" + event: + fields: "*" + faas: + fields: "*" + file: + fields: "*" + geo: + fields: "*" + group: + fields: "*" + hash: + fields: "*" + host: + fields: "*" + http: + fields: "*" + interface: + fields: "*" + log: + fields: "*" + macho: + fields: "*" + network: + fields: "*" + observer: + fields: "*" + orchestrator: + fields: "*" + organization: + fields: "*" + os: + fields: "*" + package: + fields: "*" + pe: + fields: "*" + process: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + entry_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + entry_meta: + fields: + type: {} + source: + fields: + ip: {} + executable: {} + interactive: {} + name: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + 
entity_id: {} + pid: {} + vpid: {} + start: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + attested_user: + fields: + id: {} + name: {} + attested_groups: + fields: + name: {} + entry_meta: + fields: + type: + docs_only: True + env_vars: {} + executable: {} + exit_code: {} + group_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + hash: + fields: "*" + interactive: {} + io: + fields: "*" + macho: + fields: "*" + name: {} + parent: + fields: + args: {} + args_count: {} + code_signature: + fields: "*" + command_line: {} + elf: + fields: "*" + end: {} + entity_id: {} + executable: {} + exit_code: {} + group_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + hash: + fields: "*" + interactive: {} + macho: + fields: "*" + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + start: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + uptime: {} + working_directory: {} + user: + fields: + id: {} + 
name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + pe: + fields: "*" + pgid: {} + pid: {} + vpid: {} + previous: + fields: + args: {} + args_count: {} + executable: {} + real_group: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + same_as_process: + docs_only: True + saved_group: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + start: {} + supplemental_groups: + fields: + id: {} + name: {} + session_leader: + fields: + args: {} + args_count: {} + command_line: {} + entity_id: {} + executable: {} + interactive: {} + name: {} + pid: {} + vpid: {} + same_as_process: {} + start: {} + tty: + fields: + char_device: + fields: + major: {} + minor: {} + working_directory: {} + parent: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + session_leader: + fields: + entity_id: {} + pid: {} + vpid: {} + start: {} + user: + fields: + id: {} + name: {} + real_user: + fields: + id: {} + name: {} + saved_user: + fields: + id: {} + name: {} + group: + fields: + id: {} + name: {} + real_group: + fields: + id: {} + name: {} + saved_group: + fields: + id: {} + name: {} + supplemental_groups: + fields: + id: {} + name: {} + thread: + fields: + id: {} + name: {} + capabilities: + fields: + effective: {} + permitted: {} + title: {} + tty: + fields: "*" + uptime: {} + user: + fields: + id: {} + name: {} + working_directory: {} + registry: + fields: "*" + related: + fields: "*" + risk: + fields: "*" + rule: + fields: "*" + server: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + 
full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + service: + fields: "*" + source: + fields: + address: {} + as: + fields: "*" + bytes: {} + domain: {} + geo: + fields: "*" + ip: {} + mac: {} + nat: + fields: + ip: {} + port: {} + packets: {} + port: {} + subdomain: {} + registered_domain: {} + top_level_domain: {} + user: + fields: + domain: {} + email: {} + full_name: {} + group: + fields: "*" + hash: {} + id: {} + name: {} + roles: {} + threat: + fields: "*" + tls: + fields: "*" + tracing: + fields: "*" + url: + fields: "*" + user_agent: + fields: "*" + user: + fields: + changes: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + domain: {} + effective: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + risk: + fields: "*" + roles: {} + target: + fields: + domain: {} + email: {} + group: + fields: "*" + full_name: {} + hash: {} + id: {} + name: {} + roles: {} + vlan: + fields: "*" + vulnerability: + fields: "*" + x509: + fields: "*" + wazuh: + fields: "*" + check: + fields: "*" + policy: + fields: "*" diff --git a/ecs/stateless/fields/template-settings-legacy.json b/ecs/stateless/fields/template-settings-legacy.json new file mode 100644 index 00000000..2a4f5c05 --- /dev/null +++ b/ecs/stateless/fields/template-settings-legacy.json 
@@ -0,0 +1,24 @@
+{
+ "index_patterns": ["wazuh-alerts-5.x-*"],
+ "order": 1,
+ "settings": {
+ "plugins.index_state_management.rollover_alias": "wazuh-alerts",
+ "mapping.total_fields.limit": 2500,
+ "index": {
+ "number_of_shards": "3",
+ "number_of_replicas": "0",
+ "auto_expand_replicas": "0-1",
+ "refresh_interval": "2s",
+ "query.default_field": [
+ "agent.host.architecture",
+ "agent.host.ip",
+ "agent.id",
+ "agent.name",
+ "agent.version",
+ "wazuh.cluster.name",
+ "wazuh.cluster.node",
+ "wazuh.schema.version"
+ ]
+ }
+ }
+}
diff --git a/ecs/stateless/fields/template-settings.json b/ecs/stateless/fields/template-settings.json
new file mode 100644
index 00000000..ef38ccf6
--- /dev/null
+++ b/ecs/stateless/fields/template-settings.json
@@ -0,0 +1,26 @@
+{
+ "index_patterns": ["wazuh-alerts-5.x-*"],
+ "priority": 1,
+ "template": {
+ "settings": {
+ "plugins.index_state_management.rollover_alias": "wazuh-alerts",
+ "mapping.total_fields.limit": 2500,
+ "index": {
+ "number_of_shards": "3",
+ "number_of_replicas": "0",
+ "auto_expand_replicas": "0-1",
+ "refresh_interval": "2s",
+ "query.default_field": [
+ "agent.host.architecture",
+ "agent.host.ip",
+ "agent.id",
+ "agent.name",
+ "agent.version",
+ "wazuh.cluster.name",
+ "wazuh.cluster.node",
+ "wazuh.schema.version"
+ ]
+ }
+ }
+ }
+}
diff --git a/plugins/setup/src/main/resources/index-template-alerts.json b/plugins/setup/src/main/resources/index-template-alerts.json
index 7b0fc2d5..1c407a0f 100644
--- a/plugins/setup/src/main/resources/index-template-alerts.json
+++ b/plugins/setup/src/main/resources/index-template-alerts.json
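Review bot: `"mapping.total_fields.limit": 2500` in template-settings-legacy.json (and the same value in template-settings.json) is far below the 10000 that the previous plugins/setup index-template-alerts.json carried, while subset.yml now enables `fields: "*"` for most ECS groups plus `check`, `policy` and `wazuh`; if the generated mapping defines more than 2500 fields, the failure surfaces at index creation time rather than when the template is generated. The limit in the regenerated plugin template is not visible in this part of the diff, so this may already be handled by the "Increase mappings limit" step in the PR description. Since JSON cannot carry a comment, consider having ecs/scripts/generate-and-push-templates.sh count the generated mapping's leaf fields and fail when that count reaches the configured limit.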
@@ -1,1951 +1,2352 @@ { - "order": 0, "index_patterns": [ "wazuh-alerts-5.x-*" ], - "settings": { - "plugins.index_state_management.rollover_alias": "wazuh-alerts", - "index.refresh_interval": "5s", - "index.number_of_shards": "1", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - "data.aws.description", - 
"data.aws.dstport", - "data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - 
"data.aws.responseElements.description", - "data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.cis.group", - "data.cis.rule_title", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.from", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.gcp.jsonPayload.queryName", - "data.gcp.jsonPayload.vmInstanceName", - "data.gcp.resource.labels.location", - "data.gcp.resource.labels.project_id", - "data.gcp.resource.labels.source_type", - "data.gcp.resource.type", - "data.github.org", - "data.github.actor", - "data.github.action", - "data.github.repo", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.office365.Actor.ID", - "data.office365.UserId", - "data.office365.Operation", - "data.office365.ClientIP", - "data.ms-graph.relationship", - 
"data.ms-graph.classification", - "data.ms-graph.detectionSource", - "data.ms-graph.determination", - "data.ms-graph.remediationStatus", - "data.ms-graph.roles", - "data.ms-graph.verdict", - "data.ms-graph.serviceSource", - "data.ms-graph.severity", - "data.ms-graph.actorDisplayName", - "data.ms-graph.alertWebUrl", - "data.ms-graph.assignedTo", - "data.ms-graph.category", - "data.ms-graph.comments", - "data.ms-graph.description", - "data.ms-graph.detectorId", - "data.ms-graph.evidence._comment", - "data.ms-graph.id", - "data.ms-graph.incidentId", - "data.ms-graph.incidentWebUrl", - "data.ms-graph.mitreTechniques", - "data.ms-graph.providerAlertId", - "data.ms-graph.resource", - "data.ms-graph.status", - "data.ms-graph.tenantId", - "data.ms-graph.threatDisplayName", - "data.ms-graph.threatFamilyName", - "data.ms-graph.title", - "data.ms-graph.@odata.type", - "data.ms-graph.activationLockBypassCode", - "data.ms-graph.activity", - "data.ms-graph.activityOperationType", - "data.ms-graph.activityResult", - "data.ms-graph.activityType", - "data.ms-graph.actor.@odata.type", - "data.ms-graph.actor.applicationDisplayName", - "data.ms-graph.actor.applicationId", - "data.ms-graph.actor.auditActorType", - "data.ms-graph.actor.ipAddress", - "data.ms-graph.actor.servicePrincipalName", - "data.ms-graph.actor.type", - "data.ms-graph.actor.userId", - "data.ms-graph.actor.userPermissions", - "data.ms-graph.actor.userPrincipalName", - "data.ms-graph.androidSecurityPatchLevel", - "data.ms-graph.appliedConditionalAccessPolicies", - "data.ms-graph.azureADDeviceId", - "data.ms-graph.azureADRegistered", - "data.ms-graph.complianceState", - "data.ms-graph.componentName", - "data.ms-graph.configurationManagerClientEnabledFeatures.@odata.type", - "data.ms-graph.configurationManagerClientEnabledFeatures.compliancePolicy", - "data.ms-graph.configurationManagerClientEnabledFeatures.deviceConfiguration", - "data.ms-graph.configurationManagerClientEnabledFeatures.inventory", - 
"data.ms-graph.configurationManagerClientEnabledFeatures.modernApps", - "data.ms-graph.configurationManagerClientEnabledFeatures.resourceAccess", - "data.ms-graph.configurationManagerClientEnabledFeatures.windowsUpdateForBusiness", - "data.ms-graph.correlationId", - "data.ms-graph.deviceActionResults.@odata.type", - "data.ms-graph.deviceActionResults.actionName", - "data.ms-graph.deviceActionResults.actionState", - "data.ms-graph.deviceCategoryDisplayName", - "data.ms-graph.deviceEnrollmentType", - "data.ms-graph.deviceHealthAttestationState.@odata.type", - "data.ms-graph.deviceHealthAttestationState.attestationIdentityKey", - "data.ms-graph.deviceHealthAttestationState.bitLockerStatus", - "data.ms-graph.deviceHealthAttestationState.bootAppSecurityVersion", - "data.ms-graph.deviceHealthAttestationState.bootDebugging", - "data.ms-graph.deviceHealthAttestationState.bootManagerSecurityVersion", - "data.ms-graph.deviceHealthAttestationState.bootManagerVersion", - "data.ms-graph.deviceHealthAttestationState.bootRevisionListInfo", - "data.ms-graph.deviceHealthAttestationState.codeIntegrity", - "data.ms-graph.deviceHealthAttestationState.codeIntegrityCheckVersion", - "data.ms-graph.deviceHealthAttestationState.codeIntegrityPolicy", - "data.ms-graph.deviceHealthAttestationState.contentNamespaceUrl", - "data.ms-graph.deviceHealthAttestationState.contentVersion", - "data.ms-graph.deviceHealthAttestationState.dataExcutionPolicy", - "data.ms-graph.deviceHealthAttestationState.deviceHealthAttestationStatus", - "data.ms-graph.deviceHealthAttestationState.earlyLaunchAntiMalwareDriverProtection", - "data.ms-graph.deviceHealthAttestationState.healthAttestationSupportedStatus", - "data.ms-graph.deviceHealthAttestationState.healthStatusMismatchInfo", - "data.ms-graph.deviceHealthAttestationState.operatingSystemKernelDebugging", - "data.ms-graph.deviceHealthAttestationState.operatingSystemRevListInfo", - "data.ms-graph.deviceHealthAttestationState.pcr0", - 
"data.ms-graph.deviceHealthAttestationState.pcrHashAlgorithm", - "data.ms-graph.deviceHealthAttestationState.resetCount", - "data.ms-graph.deviceHealthAttestationState.restartCount", - "data.ms-graph.deviceHealthAttestationState.safeMode", - "data.ms-graph.deviceHealthAttestationState.secureBoot", - "data.ms-graph.deviceHealthAttestationState.secureBootConfigurationPolicyFingerPrint", - "data.ms-graph.deviceHealthAttestationState.testSigning", - "data.ms-graph.deviceHealthAttestationState.tpmVersion", - "data.ms-graph.deviceHealthAttestationState.virtualSecureMode", - "data.ms-graph.deviceHealthAttestationState.windowsPE", - "data.ms-graph.deviceName", - "data.ms-graph.deviceRegistrationState", - "data.ms-graph.displayName", - "data.ms-graph.easActivated", - "data.ms-graph.easDeviceId", - "data.ms-graph.emailAddress", - "data.ms-graph.enrollmentProfileName", - "data.ms-graph.ethernetMacAddress", - "data.ms-graph.exchangeAccessState", - "data.ms-graph.exchangeAccessStateReason", - "data.ms-graph.freeStorageSpaceInBytes", - "data.ms-graph.iccid", - "data.ms-graph.imei", - "data.ms-graph.isEncrypted", - "data.ms-graph.isSupervised", - "data.ms-graph.jailBroken", - "data.ms-graph.managedDeviceName", - "data.ms-graph.managedDevices.deviceName", - "data.ms-graph.managedDevices.id", - "data.ms-graph.managedDeviceOwnerType", - "data.ms-graph.managementAgent", - "data.ms-graph.manufacturer", - "data.ms-graph.meid", - "data.ms-graph.model", - "data.ms-graph.notes", - "data.ms-graph.operatingSystem", - "data.ms-graph.osVersion", - "data.ms-graph.partnerReportedThreatState", - "data.ms-graph.phoneNumber", - "data.ms-graph.physicalMemoryInBytes", - "data.ms-graph.platform", - "data.ms-graph.publisher", - "data.ms-graph.remoteAssistanceSessionErrorDetails", - "data.ms-graph.remoteAssistanceSessionUrl", - "data.ms-graph.requireUserEnrollmentApproval", - "data.ms-graph.resources.@odata.type", - "data.ms-graph.resources.auditResourceType", - "data.ms-graph.resources.displayName", - 
"data.ms-graph.resources.modifiedProperties.@odata.type", - "data.ms-graph.resources.modifiedProperties.displayName", - "data.ms-graph.resources.modifiedProperties.oldValue", - "data.ms-graph.resources.modifiedProperties.newValue", - "data.ms-graph.resources.resourceId", - "data.ms-graph.resources.type", - "data.ms-graph.serialNumber", - "data.ms-graph.sizeInByte", - "data.ms-graph.subscriberCarrier", - "data.ms-graph.totalStorageSpaceInBytes", - "data.ms-graph.udid", - "data.ms-graph.userDisplayName", - "data.ms-graph.userId", - "data.ms-graph.userPrincipalName", - "data.ms-graph.version", - "data.ms-graph.wiFiMacAddress", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.patch", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.display_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - "data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - 
"data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - "data.sca.scan_id", - "data.sca.total_checks", - "data.scan_id", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - 
"data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - "data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.source", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.status", - "data.vulnerability.title", - "data.vulnerability.assigner", - "data.vulnerability.cve_version", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - 
"data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - 
"syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "syscheck.arch", - "syscheck.value_name", - "syscheck.value_type", - "syscheck.changed_attributes", - "title" - ] - }, "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], "date_detection": false, + "dynamic": "false", "properties": { "@timestamp": { "type": "date" }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, "agent": { "properties": { - "ip": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + 
"scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": 
{ + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, "type": "keyword" }, "id": { + "ignore_above": 1024, "type": "keyword" }, "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { + "ignore_above": 1024, "type": "keyword" }, - "node": { + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, "type": "keyword" } } }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { + "client": { "properties": { - "area_code": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { "type": "long" }, - "city_name": { + "domain": { + "ignore_above": 1024, "type": "keyword" }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - "country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, "type": "keyword" }, - "latitude": { - "type": "double" + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + 
"type": "long" + } + } }, - "location": { - "type": "geo_point" + "packets": { + "type": "long" }, - "longitude": { - "type": "double" + "port": { + "type": "long" }, - "postal_code": { + "registered_domain": { + "ignore_above": 1024, "type": "keyword" }, - "real_region_name": { + "subdomain": { + "ignore_above": 1024, "type": "keyword" }, - "region_name": { + "top_level_domain": { + "ignore_above": 1024, "type": "keyword" }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": 
"keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + "type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 
1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "keyword" + }, + "stack_trace": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + "ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, "timezone": { - "type": "text" + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + 
"type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + 
"type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, "host": { - "type": "keyword" - }, - "syscheck": { "properties": { - "path": { + "architecture": { + "ignore_above": 1024, "type": "keyword" }, - "hard_links": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - 
"gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "tsc": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - 
"hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - }, - "mitre": { + "boot": { "properties": { "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { + "ignore_above": 1024, "type": "keyword" } } - } - } - }, - "predecoder": { - "properties": { - "program_name": { + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, "type": "keyword" }, - "timestamp": { - "type": "keyword" + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } }, "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": "keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - 
"properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": "keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "file": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - 
"type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - "dstuser": { + "ignore_above": 1024, "type": "keyword" }, "id": { + "ignore_above": 1024, "type": "keyword" }, - "azureSignInStatus": { + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { "properties": { - "additionalDetails": { - "type": "keyword" + "free": { + "type": "long" }, - "errorCode": { - "type": "integer" + "total": { + "type": "long" }, - "failureReason": { - "type": "keyword" + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" } - } + }, + "type": "object" }, - "status": { + "name": { + "ignore_above": 1024, "type": "keyword" }, - "data": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { + "network": { "properties": { - "check": { + "egress": { "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { + "bytes": { "type": "long" }, - "score": { - "type": "double" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "UserId": { - "type": 
"keyword" - }, - "Operation": { - "type": "keyword" - }, - "ClientIP": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "org": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "repo": { - "type": "keyword" - } - } - }, - "ms-graph": { - "properties": { - "relationship": { - "type": "keyword" - }, - "classification": { - "type": "keyword" - }, - "detectionSource": { - "type": "keyword" - }, - "determination": { - "type": "keyword" - }, - "remediationStatus": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - }, - "verdict": { - "type": "keyword" - }, - "serviceSource": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "actorDisplayName": { - "type": "keyword" - }, - "alertWebUrl": { - "type": "keyword" - }, - "assignedTo": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "comments": { - "type": "keyword" - }, - "createdDateTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "detectorId": { - "type": "keyword" - }, - "evidence": { - "type": "nested", - "properties": { - "_comment": { - "type": "keyword" - } - } - }, - "firstActivityDateTime": { - "type": "date" - }, - "id": { - "type": "keyword" - }, - "incidentId": { - "type": "keyword" - }, - "incidentWebUrl": { - "type": "keyword" - }, - "lastActivityDateTime": { - "type": "date" - }, - "lastUpdateDateTime": { - "type": "date" - }, - "mitreTechniques": { - "type": "keyword" - }, - "providerAlertId": { - "type": "keyword" - }, - "resolvedDateTime": { - "type": "date" - }, - "resource": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "tenantId": { - "type": "keyword" - }, - "threatDisplayName": { - "type": "keyword" - }, - "threatFamilyName": { - "type": "keyword" - }, 
- "title": { - "type": "keyword" - }, - "@odata.type": { - "type": "keyword" - }, - "activationLockBypassCode": { - "type": "keyword" - }, - "activity": { - "type": "keyword" - }, - "activityDateTime": { - "type": "date" - }, - "activityOperationType": { - "type": "keyword" - }, - "activityResult": { - "type": "keyword" - }, - "activityType": { - "type": "keyword" - }, - "actor": { - "properties": { - "@odata.type": { - "type": "keyword" - }, - "applicationDisplayName": { - "type": "keyword" - }, - "applicationId": { - "type": "keyword" - }, - "auditActorType": { - "type": "keyword" - }, - "ipAddress": { - "type": "keyword" - }, - "servicePrincipalName": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "userId": { - "type": "keyword" - }, - "userPermissions": { - "type": "text" - }, - "userPrincipalName": { - "type": "keyword" - } - } - }, - "androidSecurityPatchLevel": { - "type": "keyword" - }, - "appliedConditionalAccessPolicies": { - "type": "keyword" - }, - "azureADDeviceId": { - "type": "keyword" - }, - "azureADRegistered": { - "type": "keyword" - }, - "complianceGracePeriodExpirationDateTime": { - "type": "date" - }, - "complianceState": { - "type": "keyword" - }, - "componentName": { - "type": "keyword" - }, - "configurationManagerClientEnabledFeatures": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "compliancePolicy": { - "type": "keyword" - }, - "deviceConfiguration": { - "type": "keyword" - }, - "inventory": { - "type": "keyword" - }, - "modernApps": { - "type": "keyword" - }, - "resourceAccess": { - "type": "keyword" - }, - "windowsUpdateForBusiness": { - "type": "keyword" - } - } - }, - "correlationId": { - "type": "keyword" - }, - "deviceActionResults": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "actionName": { - "type": "keyword" - }, - "actionState": { - "type": "keyword" - }, - "lastUpdatedDateTime": { - "type": "date" - }, - "startDateTime": { - 
"type": "date" - } - } - }, - "deviceCategoryDisplayName": { - "type": "keyword" - }, - "deviceCount": { - "type": "integer" - }, - "deviceEnrollmentType": { - "type": "keyword" - }, - "deviceHealthAttestationState": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "attestationIdentityKey": { - "type": "keyword" - }, - "bitLockerStatus": { - "type": "keyword" - }, - "bootAppSecurityVersion": { - "type": "keyword" - }, - "bootDebugging": { - "type": "keyword" - }, - "bootManagerSecurityVersion": { - "type": "keyword" - }, - "bootManagerVersion": { - "type": "keyword" - }, - "bootRevisionListInfo": { - "type": "keyword" - }, - "codeIntegrity": { - "type": "keyword" - }, - "codeIntegrityCheckVersion": { - "type": "keyword" - }, - "codeIntegrityPolicy": { - "type": "keyword" - }, - "contentNamespaceUrl": { - "type": "keyword" - }, - "contentVersion": { - "type": "keyword" - }, - "dataExcutionPolicy": { - "type": "keyword" - }, - "deviceHealthAttestationStatus": { - "type": "keyword" - }, - "earlyLaunchAntiMalwareDriverProtection": { - "type": "keyword" - }, - "healthAttestationSupportedStatus": { - "type": "keyword" - }, - "healthStatusMismatchInfo": { - "type": "keyword" - }, - "issuedDateTime": { - "type": "date" - }, - "lastUpdateDateTime": { - "type": "date" - }, - "operatingSystemKernelDebugging": { - "type": "keyword" - }, - "operatingSystemRevListInfo": { - "type": "keyword" - }, - "pcr0": { - "type": "keyword" - }, - "pcrHashAlgorithm": { - "type": "keyword" - }, - "resetCount": { - "type": "keyword" - }, - "restartCount": { - "type": "keyword" - }, - "safeMode": { - "type": "keyword" - }, - "secureBoot": { - "type": "keyword" - }, - "secureBootConfigurationPolicyFingerPrint": { - "type": "keyword" - }, - "testSigning": { - "type": "keyword" - }, - "tpmVersion": { - "type": "keyword" - }, - "virtualSecureMode": { - "type": "keyword" - }, - "windowsPE": { - "type": "keyword" - } - } - }, - "deviceName": { - "type": "keyword" 
- }, - "deviceRegistrationState": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "easActivated": { - "type": "keyword" - }, - "easActivationDateTime": { - "type": "date" - }, - "easDeviceId": { - "type": "keyword" - }, - "emailAddress": { - "type": "keyword" - }, - "enrolledDateTime": { - "type": "date" - }, - "enrollmentProfileName": { - "type": "keyword" - }, - "ethernetMacAddress": { - "type": "keyword" - }, - "exchangeAccessState": { - "type": "keyword" - }, - "exchangeAccessStateReason": { - "type": "keyword" - }, - "exchangeLastSuccessfulSyncDateTime": { - "type": "date" - }, - "freeStorageSpaceInBytes": { - "type": "keyword" - }, - "iccid": { - "type": "keyword" - }, - "imei": { - "type": "keyword" - }, - "isEncrypted": { - "type": "keyword" - }, - "isSupervised": { - "type": "keyword" - }, - "jailBroken": { - "type": "keyword" - }, - "lastSyncDateTime": { - "type": "date" - }, - "managedDeviceName": { - "type": "keyword" - }, - "managedDevices": { - "type": "nested", - "properties": { - "deviceName": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - }, - "managedDeviceOwnerType": { - "type": "keyword" - }, - "managementAgent": { - "type": "keyword" - }, - "managementCertificateExpirationDate": { - "type": "date" - }, - "manufacturer": { - "type": "keyword" - }, - "meid": { - "type": "keyword" - }, - "model": { - "type": "keyword" - }, - "notes": { - "type": "keyword" - }, - "operatingSystem": { - "type": "keyword" - }, - "osVersion": { - "type": "keyword" - }, - "partnerReportedThreatState": { - "type": "keyword" - }, - "phoneNumber": { - "type": "keyword" - }, - "physicalMemoryInBytes": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "publisher": { - "type": "keyword" - }, - "remoteAssistanceSessionErrorDetails": { - "type": "keyword" - }, - "remoteAssistanceSessionUrl": { - "type": "keyword" - }, - "requireUserEnrollmentApproval": { - "type": "keyword" - }, - "resources": { - "type": 
"nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "auditResourceType": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "modifiedProperties": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "oldValue": { - "type": "keyword" - }, - "newValue": { - "type": "keyword" - } - } - }, - "resourceId": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "serialNumber": { - "type": "keyword" - }, - "sizeInByte": { - "type": "keyword" - }, - "subscriberCarrier": { - "type": "keyword" - }, - "totalStorageSpaceInBytes": { - "type": "keyword" - }, - "udid": { - "type": "keyword" - }, - "userDisplayName": { - "type": "keyword" - }, - "userId": { - "type": "keyword" - }, - "userPrincipalName": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "wiFiMacAddress": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" - }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { + "drops": { "type": "long" }, - "tx_bytes": { + "errors": { "type": "long" }, - "rx_bytes": { + "packets": { "type": "long" }, - "tx_errors": { + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { "type": "long" }, - "rx_errors": { + "drops": { "type": "long" }, - "tx_dropped": { + "errors": { "type": "long" }, - "rx_dropped": { + "packets": { "type": "long" }, - "tx_packets": { + "queue": { "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - 
"type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } } } } 
@@ -1953,837 +2354,5984 @@ }, "os": { "properties": { - "hostname": { + "family": { + "ignore_above": 1024, "type": "keyword" }, - "architecture": { + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, "type": "keyword" }, "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "build": { + "ignore_above": 1024, "type": "keyword" }, "platform": { + "ignore_above": 1024, "type": "keyword" }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "display_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { + "type": { + "ignore_above": 1024, "type": "keyword" }, "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - 
"multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { + "ignore_above": 1024, "type": "keyword" } } }, - "process": { + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { "properties": { - "pid": { - "type": "long" - }, - "name": { + "calculated_level": { + "ignore_above": 1024, "type": "keyword" }, - "state": { + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, "type": "keyword" }, - "ppid": { - "type": "long" + "static_score": { + "type": "float" }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - "egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" + "static_score_norm": { + "type": "float" } } }, - "sca": { + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - 
"passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { + "body": { "properties": { - "id": { - "type": "keyword" + "bytes": { + "type": "long" }, - "title": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { + "content": { + "fields": { + "text": { "type": "keyword" } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { + }, "type": "keyword" } } }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - "integration": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - 
"properties": { - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "source": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "updated": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "title": { - "type": 
"keyword" - }, - "assigner": { - "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "scanner.reference": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "source": { - "type": "keyword" - }, - "accountId": { - "type": "keyword" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, "bytes": { "type": "long" }, - "dstaddr": { - "type": "ip" + "id": { + "ignore_above": 1024, + "type": "keyword" }, - "srcaddr": { - "type": "ip" + "method": { + "ignore_above": 1024, + "type": "keyword" }, - "end": { - "type": "date" + "mime_type": { + "ignore_above": 1024, + "type": "keyword" }, - "start": { - "type": "date" - }, - "source_ip_address": { - "type": "ip" - }, - "service": { + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": { "properties": { - "count": { + "bytes": { "type": "long" }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, - "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - 
"docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { + "content": { + "fields": { + "text": { "type": "keyword" } - } - } - } - }, - "from": { - "type": "keyword" - }, - "Type": { - "type": "keyword" - } - } - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { + }, "type": "keyword" } } }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } + "bytes": { + "type": "long" }, - "severity": { + "mime_type": { + "ignore_above": 1024, "type": "keyword" + }, + "status_code": { + "type": "long" } } }, - "osquery": { - "properties": { - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - } - } - }, - "parameters": { - "properties": { - "extra_args": { - "type": "keyword" - } - } - }, - "YARA": { - "properties": { - "reference": { - "type": "keyword" - }, - "api_customer": { - "type": "keyword" - }, - "log_type": { - "type": "keyword" - }, - "scanned_file": { - "type": "keyword" - }, - "rule_author": { - "type": "keyword" - }, - "rule_name": { - "type": "keyword" - }, - "rule_description": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { + "version": { + "ignore_above": 1024, "type": 
"keyword" } } }, - "previous_output": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + } + } + }, + "message": { "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": 
"keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 
1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + 
"type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + 
"properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + 
"type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" 
+ }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + 
"type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "keyword" + } + }, + 
"ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pgid": 
{ + "type": "long" + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + 
"properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": 
{ + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, 
+ "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, 
+ "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": 
"date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + 
}, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + 
} + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 
1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } } } }, - "version": 1 -} \ No newline at end of file + "order": 1, + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + }, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-alerts" + } +} diff --git a/plugins/setup/src/main/resources/index-template-archives.json b/plugins/setup/src/main/resources/index-template-archives.json index 4e8b3361..2f2e93d4 100644 --- a/plugins/setup/src/main/resources/index-template-archives.json +++ b/plugins/setup/src/main/resources/index-template-archives.json 
@@ -1,2789 +1,8337 @@ -{ - "order": 0, - "index_patterns": [ - "wazuh-archives-5.x-*" - ], - "settings": { - "plugins.index_state_management.rollover_alias": "wazuh-archives", - "index.refresh_interval": "5s", - "index.number_of_shards": "1", - "index.number_of_replicas": "0", - "index.auto_expand_replicas": "0-1", - "index.mapping.total_fields.limit": 10000, - "index.query.default_field": [ - "GeoLocation.city_name", - "GeoLocation.continent_code", - "GeoLocation.country_code2", - "GeoLocation.country_code3", - "GeoLocation.country_name", - "GeoLocation.ip", - "GeoLocation.postal_code", - "GeoLocation.real_region_name", - "GeoLocation.region_name", - "GeoLocation.timezone", - "agent.id", - "agent.ip", - "agent.name", - "cluster.name", - "cluster.node", - "command", - "data", - "data.action", - "data.audit", - "data.audit.acct", - "data.audit.arch", - "data.audit.auid", - "data.audit.command", - "data.audit.cwd", - "data.audit.dev", - "data.audit.directory.inode", - "data.audit.directory.mode", - "data.audit.directory.name", - "data.audit.egid", - "data.audit.enforcing", - "data.audit.euid", - "data.audit.exe", - "data.audit.execve.a0", - "data.audit.execve.a1", - "data.audit.execve.a2", - "data.audit.execve.a3", - "data.audit.exit", - "data.audit.file.inode", - "data.audit.file.mode", - "data.audit.file.name", - "data.audit.fsgid", - "data.audit.fsuid", - "data.audit.gid", - "data.audit.id", - "data.audit.key", - "data.audit.list", - "data.audit.old-auid", - "data.audit.old-ses", - "data.audit.old_enforcing", - "data.audit.old_prom", - "data.audit.op", - "data.audit.pid", - "data.audit.ppid", - "data.audit.prom", - "data.audit.res", - "data.audit.session", - "data.audit.sgid", - "data.audit.srcip", - "data.audit.subj", - "data.audit.success", - "data.audit.suid", - "data.audit.syscall", - "data.audit.tty", - "data.audit.uid", - "data.aws.accountId", - "data.aws.account_id", - "data.aws.action", - "data.aws.actor", - "data.aws.aws_account_id", - 
"data.aws.description", - "data.aws.dstport", - "data.aws.errorCode", - "data.aws.errorMessage", - "data.aws.eventID", - "data.aws.eventName", - "data.aws.eventSource", - "data.aws.eventType", - "data.aws.id", - "data.aws.name", - "data.aws.requestParameters.accessKeyId", - "data.aws.requestParameters.bucketName", - "data.aws.requestParameters.gatewayId", - "data.aws.requestParameters.groupDescription", - "data.aws.requestParameters.groupId", - "data.aws.requestParameters.groupName", - "data.aws.requestParameters.host", - "data.aws.requestParameters.hostedZoneId", - "data.aws.requestParameters.instanceId", - "data.aws.requestParameters.instanceProfileName", - "data.aws.requestParameters.loadBalancerName", - "data.aws.requestParameters.loadBalancerPorts", - "data.aws.requestParameters.masterUserPassword", - "data.aws.requestParameters.masterUsername", - "data.aws.requestParameters.name", - "data.aws.requestParameters.natGatewayId", - "data.aws.requestParameters.networkAclId", - "data.aws.requestParameters.path", - "data.aws.requestParameters.policyName", - "data.aws.requestParameters.port", - "data.aws.requestParameters.stackId", - "data.aws.requestParameters.stackName", - "data.aws.requestParameters.subnetId", - "data.aws.requestParameters.subnetIds", - "data.aws.requestParameters.volumeId", - "data.aws.requestParameters.vpcId", - "data.aws.resource.accessKeyDetails.accessKeyId", - "data.aws.resource.accessKeyDetails.principalId", - "data.aws.resource.accessKeyDetails.userName", - "data.aws.resource.instanceDetails.instanceId", - "data.aws.resource.instanceDetails.instanceState", - "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName", - "data.aws.resource.instanceDetails.networkInterfaces.subnetId", - "data.aws.resource.instanceDetails.networkInterfaces.vpcId", - "data.aws.resource.instanceDetails.tags.value", - "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId", - 
"data.aws.responseElements.description", - "data.aws.responseElements.instanceId", - "data.aws.responseElements.instances.instanceId", - "data.aws.responseElements.instancesSet.items.instanceId", - "data.aws.responseElements.listeners.port", - "data.aws.responseElements.loadBalancerName", - "data.aws.responseElements.loadBalancers.vpcId", - "data.aws.responseElements.loginProfile.userName", - "data.aws.responseElements.networkAcl.vpcId", - "data.aws.responseElements.ownerId", - "data.aws.responseElements.publicIp", - "data.aws.responseElements.user.userId", - "data.aws.responseElements.user.userName", - "data.aws.responseElements.volumeId", - "data.aws.service.serviceName", - "data.aws.severity", - "data.aws.source", - "data.aws.sourceIPAddress", - "data.aws.srcport", - "data.aws.userIdentity.accessKeyId", - "data.aws.userIdentity.accountId", - "data.aws.userIdentity.userName", - "data.aws.vpcEndpointId", - "data.command", - "data.cis.group", - "data.cis.rule_title", - "data.data", - "data.docker.Actor.Attributes.container", - "data.docker.Actor.Attributes.image", - "data.docker.Actor.Attributes.name", - "data.docker.Actor.ID", - "data.docker.id", - "data.docker.from", - "data.docker.message", - "data.docker.status", - "data.dstip", - "data.dstport", - "data.dstuser", - "data.extra_data", - "data.gcp.jsonPayload.queryName", - "data.gcp.jsonPayload.vmInstanceName", - "data.gcp.resource.labels.location", - "data.gcp.resource.labels.project_id", - "data.gcp.resource.labels.source_type", - "data.gcp.resource.type", - "data.github.org", - "data.github.actor", - "data.github.action", - "data.github.repo", - "data.hardware.serial", - "data.id", - "data.integration", - "data.netinfo.iface.adapter", - "data.netinfo.iface.ipv4.address", - "data.netinfo.iface.ipv6.address", - "data.netinfo.iface.mac", - "data.netinfo.iface.name", - "data.office365.Actor.ID", - "data.office365.UserId", - "data.office365.Operation", - "data.office365.ClientIP", - "data.ms-graph.relationship", - 
"data.ms-graph.classification", - "data.ms-graph.detectionSource", - "data.ms-graph.determination", - "data.ms-graph.remediationStatus", - "data.ms-graph.roles", - "data.ms-graph.verdict", - "data.ms-graph.serviceSource", - "data.ms-graph.severity", - "data.ms-graph.actorDisplayName", - "data.ms-graph.alertWebUrl", - "data.ms-graph.assignedTo", - "data.ms-graph.category", - "data.ms-graph.comments", - "data.ms-graph.description", - "data.ms-graph.detectorId", - "data.ms-graph.evidence._comment", - "data.ms-graph.id", - "data.ms-graph.incidentId", - "data.ms-graph.incidentWebUrl", - "data.ms-graph.mitreTechniques", - "data.ms-graph.providerAlertId", - "data.ms-graph.resource", - "data.ms-graph.status", - "data.ms-graph.tenantId", - "data.ms-graph.threatDisplayName", - "data.ms-graph.threatFamilyName", - "data.ms-graph.title", - "data.ms-graph.@odata.type", - "data.ms-graph.activationLockBypassCode", - "data.ms-graph.activity", - "data.ms-graph.activityOperationType", - "data.ms-graph.activityResult", - "data.ms-graph.activityType", - "data.ms-graph.actor.@odata.type", - "data.ms-graph.actor.applicationDisplayName", - "data.ms-graph.actor.applicationId", - "data.ms-graph.actor.auditActorType", - "data.ms-graph.actor.ipAddress", - "data.ms-graph.actor.servicePrincipalName", - "data.ms-graph.actor.type", - "data.ms-graph.actor.userId", - "data.ms-graph.actor.userPermissions", - "data.ms-graph.actor.userPrincipalName", - "data.ms-graph.androidSecurityPatchLevel", - "data.ms-graph.appliedConditionalAccessPolicies", - "data.ms-graph.azureADDeviceId", - "data.ms-graph.azureADRegistered", - "data.ms-graph.complianceState", - "data.ms-graph.componentName", - "data.ms-graph.configurationManagerClientEnabledFeatures.@odata.type", - "data.ms-graph.configurationManagerClientEnabledFeatures.compliancePolicy", - "data.ms-graph.configurationManagerClientEnabledFeatures.deviceConfiguration", - "data.ms-graph.configurationManagerClientEnabledFeatures.inventory", - 
"data.ms-graph.configurationManagerClientEnabledFeatures.modernApps", - "data.ms-graph.configurationManagerClientEnabledFeatures.resourceAccess", - "data.ms-graph.configurationManagerClientEnabledFeatures.windowsUpdateForBusiness", - "data.ms-graph.correlationId", - "data.ms-graph.deviceActionResults.@odata.type", - "data.ms-graph.deviceActionResults.actionName", - "data.ms-graph.deviceActionResults.actionState", - "data.ms-graph.deviceCategoryDisplayName", - "data.ms-graph.deviceEnrollmentType", - "data.ms-graph.deviceHealthAttestationState.@odata.type", - "data.ms-graph.deviceHealthAttestationState.attestationIdentityKey", - "data.ms-graph.deviceHealthAttestationState.bitLockerStatus", - "data.ms-graph.deviceHealthAttestationState.bootAppSecurityVersion", - "data.ms-graph.deviceHealthAttestationState.bootDebugging", - "data.ms-graph.deviceHealthAttestationState.bootManagerSecurityVersion", - "data.ms-graph.deviceHealthAttestationState.bootManagerVersion", - "data.ms-graph.deviceHealthAttestationState.bootRevisionListInfo", - "data.ms-graph.deviceHealthAttestationState.codeIntegrity", - "data.ms-graph.deviceHealthAttestationState.codeIntegrityCheckVersion", - "data.ms-graph.deviceHealthAttestationState.codeIntegrityPolicy", - "data.ms-graph.deviceHealthAttestationState.contentNamespaceUrl", - "data.ms-graph.deviceHealthAttestationState.contentVersion", - "data.ms-graph.deviceHealthAttestationState.dataExcutionPolicy", - "data.ms-graph.deviceHealthAttestationState.deviceHealthAttestationStatus", - "data.ms-graph.deviceHealthAttestationState.earlyLaunchAntiMalwareDriverProtection", - "data.ms-graph.deviceHealthAttestationState.healthAttestationSupportedStatus", - "data.ms-graph.deviceHealthAttestationState.healthStatusMismatchInfo", - "data.ms-graph.deviceHealthAttestationState.operatingSystemKernelDebugging", - "data.ms-graph.deviceHealthAttestationState.operatingSystemRevListInfo", - "data.ms-graph.deviceHealthAttestationState.pcr0", - 
"data.ms-graph.deviceHealthAttestationState.pcrHashAlgorithm", - "data.ms-graph.deviceHealthAttestationState.resetCount", - "data.ms-graph.deviceHealthAttestationState.restartCount", - "data.ms-graph.deviceHealthAttestationState.safeMode", - "data.ms-graph.deviceHealthAttestationState.secureBoot", - "data.ms-graph.deviceHealthAttestationState.secureBootConfigurationPolicyFingerPrint", - "data.ms-graph.deviceHealthAttestationState.testSigning", - "data.ms-graph.deviceHealthAttestationState.tpmVersion", - "data.ms-graph.deviceHealthAttestationState.virtualSecureMode", - "data.ms-graph.deviceHealthAttestationState.windowsPE", - "data.ms-graph.deviceName", - "data.ms-graph.deviceRegistrationState", - "data.ms-graph.displayName", - "data.ms-graph.easActivated", - "data.ms-graph.easDeviceId", - "data.ms-graph.emailAddress", - "data.ms-graph.enrollmentProfileName", - "data.ms-graph.ethernetMacAddress", - "data.ms-graph.exchangeAccessState", - "data.ms-graph.exchangeAccessStateReason", - "data.ms-graph.freeStorageSpaceInBytes", - "data.ms-graph.iccid", - "data.ms-graph.imei", - "data.ms-graph.isEncrypted", - "data.ms-graph.isSupervised", - "data.ms-graph.jailBroken", - "data.ms-graph.managedDeviceName", - "data.ms-graph.managedDevices.deviceName", - "data.ms-graph.managedDevices.id", - "data.ms-graph.managedDeviceOwnerType", - "data.ms-graph.managementAgent", - "data.ms-graph.manufacturer", - "data.ms-graph.meid", - "data.ms-graph.model", - "data.ms-graph.notes", - "data.ms-graph.operatingSystem", - "data.ms-graph.osVersion", - "data.ms-graph.partnerReportedThreatState", - "data.ms-graph.phoneNumber", - "data.ms-graph.physicalMemoryInBytes", - "data.ms-graph.platform", - "data.ms-graph.publisher", - "data.ms-graph.remoteAssistanceSessionErrorDetails", - "data.ms-graph.remoteAssistanceSessionUrl", - "data.ms-graph.requireUserEnrollmentApproval", - "data.ms-graph.resources.@odata.type", - "data.ms-graph.resources.auditResourceType", - "data.ms-graph.resources.displayName", - 
"data.ms-graph.resources.modifiedProperties.@odata.type", - "data.ms-graph.resources.modifiedProperties.displayName", - "data.ms-graph.resources.modifiedProperties.oldValue", - "data.ms-graph.resources.modifiedProperties.newValue", - "data.ms-graph.resources.resourceId", - "data.ms-graph.resources.type", - "data.ms-graph.serialNumber", - "data.ms-graph.sizeInByte", - "data.ms-graph.subscriberCarrier", - "data.ms-graph.totalStorageSpaceInBytes", - "data.ms-graph.udid", - "data.ms-graph.userDisplayName", - "data.ms-graph.userId", - "data.ms-graph.userPrincipalName", - "data.ms-graph.version", - "data.ms-graph.wiFiMacAddress", - "data.os.architecture", - "data.os.build", - "data.os.codename", - "data.os.hostname", - "data.os.major", - "data.os.minor", - "data.os.patch", - "data.os.name", - "data.os.platform", - "data.os.release", - "data.os.release_version", - "data.os.display_version", - "data.os.sysname", - "data.os.version", - "data.oscap.check.description", - "data.oscap.check.id", - "data.oscap.check.identifiers", - "data.oscap.check.oval.id", - "data.oscap.check.rationale", - "data.oscap.check.references", - "data.oscap.check.result", - "data.oscap.check.severity", - "data.oscap.check.title", - "data.oscap.scan.benchmark.id", - "data.oscap.scan.content", - "data.oscap.scan.id", - "data.oscap.scan.profile.id", - "data.oscap.scan.profile.title", - "data.osquery.columns.address", - "data.osquery.columns.command", - "data.osquery.columns.description", - "data.osquery.columns.dst_ip", - "data.osquery.columns.gid", - "data.osquery.columns.hostname", - "data.osquery.columns.md5", - "data.osquery.columns.path", - "data.osquery.columns.sha1", - "data.osquery.columns.sha256", - "data.osquery.columns.src_ip", - "data.osquery.columns.user", - "data.osquery.columns.username", - "data.osquery.name", - "data.osquery.pack", - "data.port.process", - "data.port.protocol", - "data.port.state", - "data.process.args", - "data.process.cmd", - "data.process.egroup", - 
"data.process.euser", - "data.process.fgroup", - "data.process.name", - "data.process.rgroup", - "data.process.ruser", - "data.process.sgroup", - "data.process.state", - "data.process.suser", - "data.program.architecture", - "data.program.description", - "data.program.format", - "data.program.location", - "data.program.multiarch", - "data.program.name", - "data.program.priority", - "data.program.section", - "data.program.source", - "data.program.vendor", - "data.program.version", - "data.protocol", - "data.pwd", - "data.sca", - "data.sca.check.compliance.cis", - "data.sca.check.compliance.cis_csc", - "data.sca.check.compliance.pci_dss", - "data.sca.check.compliance.hipaa", - "data.sca.check.compliance.nist_800_53", - "data.sca.check.description", - "data.sca.check.directory", - "data.sca.check.file", - "data.sca.check.id", - "data.sca.check.previous_result", - "data.sca.check.process", - "data.sca.check.rationale", - "data.sca.check.reason", - "data.sca.check.references", - "data.sca.check.registry", - "data.sca.check.remediation", - "data.sca.check.result", - "data.sca.check.title", - "data.sca.description", - "data.sca.file", - "data.sca.invalid", - "data.sca.name", - "data.sca.policy", - "data.sca.policy_id", - "data.sca.scan_id", - "data.sca.total_checks", - "data.scan_id", - "data.script", - "data.src_ip", - "data.src_port", - "data.srcip", - "data.srcport", - "data.srcuser", - "data.status", - "data.system_name", - "data.title", - "data.tty", - "data.uid", - "data.url", - "data.virustotal.description", - "data.virustotal.error", - "data.virustotal.found", - "data.virustotal.permalink", - "data.virustotal.scan_date", - "data.virustotal.sha1", - "data.virustotal.source.alert_id", - "data.virustotal.source.file", - "data.virustotal.source.md5", - "data.virustotal.source.sha1", - "data.vulnerability.cve", - "data.vulnerability.cvss.cvss2.base_score", - "data.vulnerability.cvss.cvss2.exploitability_score", - "data.vulnerability.cvss.cvss2.impact_score", - 
"data.vulnerability.cvss.cvss2.vector.access_complexity", - "data.vulnerability.cvss.cvss2.vector.attack_vector", - "data.vulnerability.cvss.cvss2.vector.authentication", - "data.vulnerability.cvss.cvss2.vector.availability", - "data.vulnerability.cvss.cvss2.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss2.vector.integrity_impact", - "data.vulnerability.cvss.cvss2.vector.privileges_required", - "data.vulnerability.cvss.cvss2.vector.scope", - "data.vulnerability.cvss.cvss2.vector.user_interaction", - "data.vulnerability.cvss.cvss3.base_score", - "data.vulnerability.cvss.cvss3.exploitability_score", - "data.vulnerability.cvss.cvss3.impact_score", - "data.vulnerability.cvss.cvss3.vector.access_complexity", - "data.vulnerability.cvss.cvss3.vector.attack_vector", - "data.vulnerability.cvss.cvss3.vector.authentication", - "data.vulnerability.cvss.cvss3.vector.availability", - "data.vulnerability.cvss.cvss3.vector.confidentiality_impact", - "data.vulnerability.cvss.cvss3.vector.integrity_impact", - "data.vulnerability.cvss.cvss3.vector.privileges_required", - "data.vulnerability.cvss.cvss3.vector.scope", - "data.vulnerability.cvss.cvss3.vector.user_interaction", - "data.vulnerability.cwe_reference", - "data.vulnerability.package.source", - "data.vulnerability.package.architecture", - "data.vulnerability.package.condition", - "data.vulnerability.package.generated_cpe", - "data.vulnerability.package.name", - "data.vulnerability.package.version", - "data.vulnerability.rationale", - "data.vulnerability.reference", - "data.vulnerability.severity", - "data.vulnerability.status", - "data.vulnerability.title", - "data.vulnerability.assigner", - "data.vulnerability.cve_version", - "data.win.eventdata.auditPolicyChanges", - "data.win.eventdata.auditPolicyChangesId", - "data.win.eventdata.binary", - "data.win.eventdata.category", - "data.win.eventdata.categoryId", - "data.win.eventdata.data", - "data.win.eventdata.image", - "data.win.eventdata.ipAddress", - 
"data.win.eventdata.ipPort", - "data.win.eventdata.keyName", - "data.win.eventdata.logonGuid", - "data.win.eventdata.logonProcessName", - "data.win.eventdata.operation", - "data.win.eventdata.parentImage", - "data.win.eventdata.processId", - "data.win.eventdata.processName", - "data.win.eventdata.providerName", - "data.win.eventdata.returnCode", - "data.win.eventdata.service", - "data.win.eventdata.status", - "data.win.eventdata.subcategory", - "data.win.eventdata.subcategoryGuid", - "data.win.eventdata.subcategoryId", - "data.win.eventdata.subjectDomainName", - "data.win.eventdata.subjectLogonId", - "data.win.eventdata.subjectUserName", - "data.win.eventdata.subjectUserSid", - "data.win.eventdata.targetDomainName", - "data.win.eventdata.targetLinkedLogonId", - "data.win.eventdata.targetLogonId", - "data.win.eventdata.targetUserName", - "data.win.eventdata.targetUserSid", - "data.win.eventdata.workstationName", - "data.win.system.channel", - "data.win.system.computer", - "data.win.system.eventID", - "data.win.system.eventRecordID", - "data.win.system.eventSourceName", - "data.win.system.keywords", - "data.win.system.level", - "data.win.system.message", - "data.win.system.opcode", - "data.win.system.processID", - "data.win.system.providerGuid", - "data.win.system.providerName", - "data.win.system.securityUserID", - "data.win.system.severityValue", - "data.win.system.userID", - "decoder.ftscomment", - "decoder.name", - "decoder.parent", - "full_log", - "host", - "id", - "input", - "location", - "manager.name", - "message", - "offset", - "predecoder.hostname", - "predecoder.program_name", - "previous_log", - "previous_output", - "program_name", - "rule.cis", - "rule.cve", - "rule.description", - "rule.gdpr", - "rule.gpg13", - "rule.groups", - "rule.id", - "rule.info", - "rule.mitre.id", - "rule.mitre.tactic", - "rule.mitre.technique", - "rule.pci_dss", - "rule.hipaa", - "rule.nist_800_53", - "syscheck.audit.effective_user.id", - "syscheck.audit.effective_user.name", - 
"syscheck.audit.group.id", - "syscheck.audit.group.name", - "syscheck.audit.login_user.id", - "syscheck.audit.login_user.name", - "syscheck.audit.process.id", - "syscheck.audit.process.name", - "syscheck.audit.process.ppid", - "syscheck.audit.user.id", - "syscheck.audit.user.name", - "syscheck.diff", - "syscheck.event", - "syscheck.gid_after", - "syscheck.gid_before", - "syscheck.gname_after", - "syscheck.gname_before", - "syscheck.inode_after", - "syscheck.inode_before", - "syscheck.md5_after", - "syscheck.md5_before", - "syscheck.path", - "syscheck.mode", - "syscheck.perm_after", - "syscheck.perm_before", - "syscheck.sha1_after", - "syscheck.sha1_before", - "syscheck.sha256_after", - "syscheck.sha256_before", - "syscheck.tags", - "syscheck.uid_after", - "syscheck.uid_before", - "syscheck.uname_after", - "syscheck.uname_before", - "syscheck.arch", - "syscheck.value_name", - "syscheck.value_type", - "syscheck.changed_attributes", - "title" - ] - }, - "mappings": { - "dynamic_templates": [ - { - "string_as_keyword": { - "mapping": { - "type": "keyword" - }, - "match_mapping_type": "string" - } - } - ], - "date_detection": false, - "properties": { - "@timestamp": { - "type": "date" - }, - "timestamp": { - "type": "date", - "format": "date_optional_time||epoch_millis" - }, - "@version": { - "type": "text" - }, - "agent": { - "properties": { - "ip": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "manager": { - "properties": { - "name": { - "type": "keyword" - } - } - }, - "cluster": { - "properties": { - "name": { - "type": "keyword" - }, - "node": { - "type": "keyword" - } - } - }, - "full_log": { - "type": "text" - }, - "previous_log": { - "type": "text" - }, - "GeoLocation": { - "properties": { - "area_code": { - "type": "long" - }, - "city_name": { - "type": "keyword" - }, - "continent_code": { - "type": "text" - }, - "coordinates": { - "type": "double" - }, - "country_code2": { - "type": "text" - }, - 
"country_code3": { - "type": "text" - }, - "country_name": { - "type": "keyword" - }, - "dma_code": { - "type": "long" - }, - "ip": { - "type": "keyword" - }, - "latitude": { - "type": "double" - }, - "location": { - "type": "geo_point" - }, - "longitude": { - "type": "double" - }, - "postal_code": { - "type": "keyword" - }, - "real_region_name": { - "type": "keyword" - }, - "region_name": { - "type": "keyword" - }, - "timezone": { - "type": "text" - } - } - }, - "host": { - "type": "keyword" - }, - "syscheck": { - "properties": { - "path": { - "type": "keyword" - }, - "hard_links": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "sha1_before": { - "type": "keyword" - }, - "sha1_after": { - "type": "keyword" - }, - "uid_before": { - "type": "keyword" - }, - "uid_after": { - "type": "keyword" - }, - "gid_before": { - "type": "keyword" - }, - "gid_after": { - "type": "keyword" - }, - "perm_before": { - "type": "keyword" - }, - "perm_after": { - "type": "keyword" - }, - "md5_after": { - "type": "keyword" - }, - "md5_before": { - "type": "keyword" - }, - "gname_after": { - "type": "keyword" - }, - "gname_before": { - "type": "keyword" - }, - "inode_after": { - "type": "keyword" - }, - "inode_before": { - "type": "keyword" - }, - "mtime_after": { - "type": "date", - "format": "date_optional_time" - }, - "mtime_before": { - "type": "date", - "format": "date_optional_time" - }, - "uname_after": { - "type": "keyword" - }, - "uname_before": { - "type": "keyword" - }, - "size_before": { - "type": "long" - }, - "size_after": { - "type": "long" - }, - "diff": { - "type": "keyword" - }, - "event": { - "type": "keyword" - }, - "audit": { - "properties": { - "effective_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "group": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "login_user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": 
{ - "type": "keyword" - } - } - }, - "process": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - } - } - }, - "user": { - "properties": { - "id": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "sha256_after": { - "type": "keyword" - }, - "sha256_before": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - }, - "location": { - "type": "keyword" - }, - "message": { - "type": "text" - }, - "offset": { - "type": "keyword" - }, - "rule": { - "properties": { - "description": { - "type": "keyword" - }, - "groups": { - "type": "keyword" - }, - "level": { - "type": "long" - }, - "tsc": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "cve": { - "type": "keyword" - }, - "info": { - "type": "keyword" - }, - "frequency": { - "type": "long" - }, - "firedtimes": { - "type": "long" - }, - "cis": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "gdpr": { - "type": "keyword" - }, - "gpg13": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - }, - "mail": { - "type": "boolean" - }, - "mitre": { - "properties": { - "id": { - "type": "keyword" - }, - "tactic": { - "type": "keyword" - }, - "technique": { - "type": "keyword" - } - } - } - } - }, - "predecoder": { - "properties": { - "program_name": { - "type": "keyword" - }, - "timestamp": { - "type": "keyword" - }, - "hostname": { - "type": "keyword" - } - } - }, - "decoder": { - "properties": { - "parent": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "ftscomment": { - "type": "keyword" - }, - "fts": { - "type": "long" - }, - "accumulate": { - "type": "long" - } - } - }, - "data": { - "properties": { - "audit": { - "properties": { - "acct": { - "type": "keyword" - }, - "arch": { - "type": "keyword" - }, - "auid": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "cwd": { - "type": 
"keyword" - }, - "dev": { - "type": "keyword" - }, - "directory": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "egid": { - "type": "keyword" - }, - "enforcing": { - "type": "keyword" - }, - "euid": { - "type": "keyword" - }, - "exe": { - "type": "keyword" - }, - "execve": { - "properties": { - "a0": { - "type": "keyword" - }, - "a1": { - "type": "keyword" - }, - "a2": { - "type": "keyword" - }, - "a3": { - "type": "keyword" - } - } - }, - "exit": { - "type": "keyword" - }, - "file": { - "properties": { - "inode": { - "type": "keyword" - }, - "mode": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - }, - "fsgid": { - "type": "keyword" - }, - "fsuid": { - "type": "keyword" - }, - "gid": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "key": { - "type": "keyword" - }, - "list": { - "type": "keyword" - }, - "old-auid": { - "type": "keyword" - }, - "old-ses": { - "type": "keyword" - }, - "old_enforcing": { - "type": "keyword" - }, - "old_prom": { - "type": "keyword" - }, - "op": { - "type": "keyword" - }, - "pid": { - "type": "keyword" - }, - "ppid": { - "type": "keyword" - }, - "prom": { - "type": "keyword" - }, - "res": { - "type": "keyword" - }, - "session": { - "type": "keyword" - }, - "sgid": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "subj": { - "type": "keyword" - }, - "success": { - "type": "keyword" - }, - "suid": { - "type": "keyword" - }, - "syscall": { - "type": "keyword" - }, - "tty": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - } - } - }, - "file": { - "type": "keyword" - }, - "protocol": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "srcip": { - "type": "keyword" - }, - "dstip": { - "type": "keyword" - }, - "srcport": { - "type": "keyword" - }, - "dstport": { - "type": "keyword" - }, - "srcuser": { - "type": "keyword" - }, - 
"dstuser": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "azureSignInStatus": { - "properties": { - "additionalDetails": { - "type": "keyword" - }, - "errorCode": { - "type": "integer" - }, - "failureReason": { - "type": "keyword" - } - } - }, - "status": { - "type": "keyword" - }, - "data": { - "type": "keyword" - }, - "extra_data": { - "type": "keyword" - }, - "system_name": { - "type": "keyword" - }, - "url": { - "type": "keyword" - }, - "oscap": { - "properties": { - "check": { - "properties": { - "description": { - "type": "text" - }, - "id": { - "type": "keyword" - }, - "identifiers": { - "type": "text" - }, - "oval": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "rationale": { - "type": "text" - }, - "references": { - "type": "text" - }, - "result": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "scan": { - "properties": { - "benchmark": { - "properties": { - "id": { - "type": "keyword" - } - } - }, - "content": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "profile": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - } - } - }, - "return_code": { - "type": "long" - }, - "score": { - "type": "double" - } - } - } - } - }, - "office365": { - "properties": { - "Actor": { - "properties": { - "ID": { - "type": "keyword" - } - } - }, - "UserId": { - "type": "keyword" - }, - "Operation": { - "type": "keyword" - }, - "ClientIP": { - "type": "keyword" - }, - "ResultStatus": { - "type": "keyword" - }, - "Subscription": { - "type": "keyword" - } - } - }, - "github": { - "properties": { - "org": { - "type": "keyword" - }, - "actor": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "actor_location": { - "properties": { - "country_code": { - "type": "keyword" - } - } - }, - "repo": { - "type": "keyword" - } - } - }, - "ms-graph": { - "properties": { - "relationship": { - "type": "keyword" - }, 
- "classification": { - "type": "keyword" - }, - "detectionSource": { - "type": "keyword" - }, - "determination": { - "type": "keyword" - }, - "remediationStatus": { - "type": "keyword" - }, - "roles": { - "type": "keyword" - }, - "verdict": { - "type": "keyword" - }, - "serviceSource": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "actorDisplayName": { - "type": "keyword" - }, - "alertWebUrl": { - "type": "keyword" - }, - "assignedTo": { - "type": "keyword" - }, - "category": { - "type": "keyword" - }, - "comments": { - "type": "keyword" - }, - "createdDateTime": { - "type": "date" - }, - "description": { - "type": "text" - }, - "detectorId": { - "type": "keyword" - }, - "evidence": { - "type": "nested", - "properties": { - "_comment": { - "type": "keyword" - } - } - }, - "firstActivityDateTime": { - "type": "date" - }, - "id": { - "type": "keyword" - }, - "incidentId": { - "type": "keyword" - }, - "incidentWebUrl": { - "type": "keyword" - }, - "lastActivityDateTime": { - "type": "date" - }, - "lastUpdateDateTime": { - "type": "date" - }, - "mitreTechniques": { - "type": "keyword" - }, - "providerAlertId": { - "type": "keyword" - }, - "resolvedDateTime": { - "type": "date" - }, - "resource": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "tenantId": { - "type": "keyword" - }, - "threatDisplayName": { - "type": "keyword" - }, - "threatFamilyName": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "@odata.type": { - "type": "keyword" - }, - "activationLockBypassCode": { - "type": "keyword" - }, - "activity": { - "type": "keyword" - }, - "activityDateTime": { - "type": "date" - }, - "activityOperationType": { - "type": "keyword" - }, - "activityResult": { - "type": "keyword" - }, - "activityType": { - "type": "keyword" - }, - "actor": { - "properties": { - "@odata.type": { - "type": "keyword" - }, - "applicationDisplayName": { - "type": "keyword" - }, - "applicationId": { - "type": "keyword" - }, - 
"auditActorType": { - "type": "keyword" - }, - "ipAddress": { - "type": "keyword" - }, - "servicePrincipalName": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "userId": { - "type": "keyword" - }, - "userPermissions": { - "type": "text" - }, - "userPrincipalName": { - "type": "keyword" - } - } - }, - "androidSecurityPatchLevel": { - "type": "keyword" - }, - "appliedConditionalAccessPolicies": { - "type": "keyword" - }, - "azureADDeviceId": { - "type": "keyword" - }, - "azureADRegistered": { - "type": "keyword" - }, - "complianceGracePeriodExpirationDateTime": { - "type": "date" - }, - "complianceState": { - "type": "keyword" - }, - "componentName": { - "type": "keyword" - }, - "configurationManagerClientEnabledFeatures": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "compliancePolicy": { - "type": "keyword" - }, - "deviceConfiguration": { - "type": "keyword" - }, - "inventory": { - "type": "keyword" - }, - "modernApps": { - "type": "keyword" - }, - "resourceAccess": { - "type": "keyword" - }, - "windowsUpdateForBusiness": { - "type": "keyword" - } - } - }, - "correlationId": { - "type": "keyword" - }, - "deviceActionResults": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "actionName": { - "type": "keyword" - }, - "actionState": { - "type": "keyword" - }, - "lastUpdatedDateTime": { - "type": "date" - }, - "startDateTime": { - "type": "date" - } - } - }, - "deviceCategoryDisplayName": { - "type": "keyword" - }, - "deviceCount": { - "type": "integer" - }, - "deviceEnrollmentType": { - "type": "keyword" - }, - "deviceHealthAttestationState": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "attestationIdentityKey": { - "type": "keyword" - }, - "bitLockerStatus": { - "type": "keyword" - }, - "bootAppSecurityVersion": { - "type": "keyword" - }, - "bootDebugging": { - "type": "keyword" - }, - "bootManagerSecurityVersion": { - "type": 
"keyword" - }, - "bootManagerVersion": { - "type": "keyword" - }, - "bootRevisionListInfo": { - "type": "keyword" - }, - "codeIntegrity": { - "type": "keyword" - }, - "codeIntegrityCheckVersion": { - "type": "keyword" - }, - "codeIntegrityPolicy": { - "type": "keyword" - }, - "contentNamespaceUrl": { - "type": "keyword" - }, - "contentVersion": { - "type": "keyword" - }, - "dataExcutionPolicy": { - "type": "keyword" - }, - "deviceHealthAttestationStatus": { - "type": "keyword" - }, - "earlyLaunchAntiMalwareDriverProtection": { - "type": "keyword" - }, - "healthAttestationSupportedStatus": { - "type": "keyword" - }, - "healthStatusMismatchInfo": { - "type": "keyword" - }, - "issuedDateTime": { - "type": "date" - }, - "lastUpdateDateTime": { - "type": "date" - }, - "operatingSystemKernelDebugging": { - "type": "keyword" - }, - "operatingSystemRevListInfo": { - "type": "keyword" - }, - "pcr0": { - "type": "keyword" - }, - "pcrHashAlgorithm": { - "type": "keyword" - }, - "resetCount": { - "type": "keyword" - }, - "restartCount": { - "type": "keyword" - }, - "safeMode": { - "type": "keyword" - }, - "secureBoot": { - "type": "keyword" - }, - "secureBootConfigurationPolicyFingerPrint": { - "type": "keyword" - }, - "testSigning": { - "type": "keyword" - }, - "tpmVersion": { - "type": "keyword" - }, - "virtualSecureMode": { - "type": "keyword" - }, - "windowsPE": { - "type": "keyword" - } - } - }, - "deviceName": { - "type": "keyword" - }, - "deviceRegistrationState": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "easActivated": { - "type": "keyword" - }, - "easActivationDateTime": { - "type": "date" - }, - "easDeviceId": { - "type": "keyword" - }, - "emailAddress": { - "type": "keyword" - }, - "enrolledDateTime": { - "type": "date" - }, - "enrollmentProfileName": { - "type": "keyword" - }, - "ethernetMacAddress": { - "type": "keyword" - }, - "exchangeAccessState": { - "type": "keyword" - }, - "exchangeAccessStateReason": { - "type": "keyword" - 
}, - "exchangeLastSuccessfulSyncDateTime": { - "type": "date" - }, - "freeStorageSpaceInBytes": { - "type": "keyword" - }, - "iccid": { - "type": "keyword" - }, - "imei": { - "type": "keyword" - }, - "isEncrypted": { - "type": "keyword" - }, - "isSupervised": { - "type": "keyword" - }, - "jailBroken": { - "type": "keyword" - }, - "lastSyncDateTime": { - "type": "date" - }, - "managedDeviceName": { - "type": "keyword" - }, - "managedDevices": { - "type": "nested", - "properties": { - "deviceName": { - "type": "keyword" - }, - "id": { - "type": "keyword" - } - } - }, - "managedDeviceOwnerType": { - "type": "keyword" - }, - "managementAgent": { - "type": "keyword" - }, - "managementCertificateExpirationDate": { - "type": "date" - }, - "manufacturer": { - "type": "keyword" - }, - "meid": { - "type": "keyword" - }, - "model": { - "type": "keyword" - }, - "notes": { - "type": "keyword" - }, - "operatingSystem": { - "type": "keyword" - }, - "osVersion": { - "type": "keyword" - }, - "partnerReportedThreatState": { - "type": "keyword" - }, - "phoneNumber": { - "type": "keyword" - }, - "physicalMemoryInBytes": { - "type": "keyword" - }, - "platform": { - "type": "keyword" - }, - "publisher": { - "type": "keyword" - }, - "remoteAssistanceSessionErrorDetails": { - "type": "keyword" - }, - "remoteAssistanceSessionUrl": { - "type": "keyword" - }, - "requireUserEnrollmentApproval": { - "type": "keyword" - }, - "resources": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "auditResourceType": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "modifiedProperties": { - "type": "nested", - "properties": { - "@odata.type": { - "type": "keyword" - }, - "displayName": { - "type": "keyword" - }, - "oldValue": { - "type": "keyword" - }, - "newValue": { - "type": "keyword" - } - } - }, - "resourceId": { - "type": "keyword" - }, - "type": { - "type": "keyword" - } - } - }, - "serialNumber": { - "type": "keyword" - }, - 
"sizeInByte": { - "type": "keyword" - }, - "subscriberCarrier": { - "type": "keyword" - }, - "totalStorageSpaceInBytes": { - "type": "keyword" - }, - "udid": { - "type": "keyword" - }, - "userDisplayName": { - "type": "keyword" - }, - "userId": { - "type": "keyword" - }, - "userPrincipalName": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "wiFiMacAddress": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - }, - "netinfo": { - "properties": { - "iface": { - "properties": { - "name": { - "type": "keyword" - }, - "mac": { - "type": "keyword" - }, - "adapter": { - "type": "keyword" - }, - "type": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "mtu": { - "type": "long" - }, - "tx_bytes": { - "type": "long" - }, - "rx_bytes": { - "type": "long" - }, - "tx_errors": { - "type": "long" - }, - "rx_errors": { - "type": "long" - }, - "tx_dropped": { - "type": "long" - }, - "rx_dropped": { - "type": "long" - }, - "tx_packets": { - "type": "long" - }, - "rx_packets": { - "type": "long" - }, - "ipv4": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - }, - "ipv6": { - "properties": { - "gateway": { - "type": "keyword" - }, - "dhcp": { - "type": "keyword" - }, - "address": { - "type": "keyword" - }, - "netmask": { - "type": "keyword" - }, - "broadcast": { - "type": "keyword" - }, - "metric": { - "type": "long" - } - } - } - } - } - } - }, - "os": { - "properties": { - "hostname": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "codename": { - "type": "keyword" - }, - "major": { - "type": "keyword" - }, - "minor": { - "type": "keyword" - }, - "patch": { - "type": "keyword" - }, - "build": { - "type": "keyword" - }, 
- "platform": { - "type": "keyword" - }, - "sysname": { - "type": "keyword" - }, - "release": { - "type": "keyword" - }, - "release_version": { - "type": "keyword" - }, - "display_version": { - "type": "keyword" - } - } - }, - "port": { - "properties": { - "protocol": { - "type": "keyword" - }, - "local_ip": { - "type": "ip" - }, - "local_port": { - "type": "long" - }, - "remote_ip": { - "type": "ip" - }, - "remote_port": { - "type": "long" - }, - "tx_queue": { - "type": "long" - }, - "rx_queue": { - "type": "long" - }, - "inode": { - "type": "long" - }, - "state": { - "type": "keyword" - }, - "pid": { - "type": "long" - }, - "process": { - "type": "keyword" - } - } - }, - "hardware": { - "properties": { - "serial": { - "type": "keyword" - }, - "cpu_name": { - "type": "keyword" - }, - "cpu_cores": { - "type": "long" - }, - "cpu_mhz": { - "type": "double" - }, - "ram_total": { - "type": "long" - }, - "ram_free": { - "type": "long" - }, - "ram_usage": { - "type": "long" - } - } - }, - "program": { - "properties": { - "format": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "priority": { - "type": "keyword" - }, - "section": { - "type": "keyword" - }, - "size": { - "type": "long" - }, - "vendor": { - "type": "keyword" - }, - "install_time": { - "type": "keyword" - }, - "version": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "multiarch": { - "type": "keyword" - }, - "source": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "location": { - "type": "keyword" - } - } - }, - "process": { - "properties": { - "pid": { - "type": "long" - }, - "name": { - "type": "keyword" - }, - "state": { - "type": "keyword" - }, - "ppid": { - "type": "long" - }, - "utime": { - "type": "long" - }, - "stime": { - "type": "long" - }, - "cmd": { - "type": "keyword" - }, - "args": { - "type": "keyword" - }, - "euser": { - "type": "keyword" - }, - "ruser": { - "type": "keyword" - }, - "suser": { - "type": "keyword" - }, - 
"egroup": { - "type": "keyword" - }, - "sgroup": { - "type": "keyword" - }, - "fgroup": { - "type": "keyword" - }, - "rgroup": { - "type": "keyword" - }, - "priority": { - "type": "long" - }, - "nice": { - "type": "long" - }, - "size": { - "type": "long" - }, - "vm_size": { - "type": "long" - }, - "resident": { - "type": "long" - }, - "share": { - "type": "long" - }, - "start_time": { - "type": "long" - }, - "pgrp": { - "type": "long" - }, - "session": { - "type": "long" - }, - "nlwp": { - "type": "long" - }, - "tgid": { - "type": "long" - }, - "tty": { - "type": "long" - }, - "processor": { - "type": "long" - } - } - }, - "sca": { - "properties": { - "type": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "policy": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "passed": { - "type": "integer" - }, - "failed": { - "type": "integer" - }, - "score": { - "type": "long" - }, - "check": { - "properties": { - "id": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "description": { - "type": "keyword" - }, - "rationale": { - "type": "keyword" - }, - "remediation": { - "type": "keyword" - }, - "compliance": { - "properties": { - "cis": { - "type": "keyword" - }, - "cis_csc": { - "type": "keyword" - }, - "pci_dss": { - "type": "keyword" - }, - "hipaa": { - "type": "keyword" - }, - "nist_800_53": { - "type": "keyword" - } - } - }, - "references": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "directory": { - "type": "keyword" - }, - "registry": { - "type": "keyword" - }, - "process": { - "type": "keyword" - }, - "result": { - "type": "keyword" - }, - "previous_result": { - "type": "keyword" - }, - "reason": { - "type": "keyword" - } - } - }, - "invalid": { - "type": "keyword" - }, - "policy_id": { - "type": "keyword" - }, - "total_checks": { - "type": "keyword" - } - } - }, - "command": { - "type": "keyword" - }, - 
"integration": { - "type": "keyword" - }, - "scan_id": { - "type": "keyword" - }, - "timestamp": { - "type": "date" - }, - "title": { - "type": "keyword" - }, - "uid": { - "type": "keyword" - }, - "virustotal": { - "properties": { - "description": { - "type": "keyword" - }, - "error": { - "type": "keyword" - }, - "found": { - "type": "keyword" - }, - "malicious": { - "type": "keyword" - }, - "permalink": { - "type": "keyword" - }, - "positives": { - "type": "keyword" - }, - "scan_date": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - }, - "source": { - "properties": { - "alert_id": { - "type": "keyword" - }, - "file": { - "type": "keyword" - }, - "md5": { - "type": "keyword" - }, - "sha1": { - "type": "keyword" - } - } - }, - "total": { - "type": "keyword" - } - } - }, - "vulnerability": { - "properties": { - "cve": { - "type": "keyword" - }, - "cvss": { - "properties": { - "cvss2": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - "integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - }, - "cvss3": { - "properties": { - "base_score": { - "type": "keyword" - }, - "exploitability_score": { - "type": "keyword" - }, - "impact_score": { - "type": "keyword" - }, - "vector": { - "properties": { - "access_complexity": { - "type": "keyword" - }, - "attack_vector": { - "type": "keyword" - }, - "authentication": { - "type": "keyword" - }, - "availability": { - "type": "keyword" - }, - "confidentiality_impact": { - "type": "keyword" - }, - 
"integrity_impact": { - "type": "keyword" - }, - "privileges_required": { - "type": "keyword" - }, - "scope": { - "type": "keyword" - }, - "user_interaction": { - "type": "keyword" - } - } - } - } - } - } - }, - "cwe_reference": { - "type": "keyword" - }, - "package": { - "properties": { - "source": { - "type": "keyword" - }, - "architecture": { - "type": "keyword" - }, - "condition": { - "type": "keyword" - }, - "generated_cpe": { - "type": "keyword" - }, - "name": { - "type": "keyword" - }, - "version": { - "type": "keyword" - } - } - }, - "published": { - "type": "date" - }, - "updated": { - "type": "date" - }, - "rationale": { - "type": "keyword" - }, - "reference": { - "type": "keyword" - }, - "severity": { - "type": "keyword" - }, - "status": { - "type": "keyword" - }, - "title": { - "type": "keyword" - }, - "assigner": { - "type": "keyword" - }, - "cve_version": { - "type": "keyword" - }, - "scanner.reference": { - "type": "keyword" - } - } - }, - "aws": { - "properties": { - "source": { - "type": "keyword" - }, - "accountId": { - "type": "keyword" - }, - "log_info": { - "properties": { - "s3bucket": { - "type": "keyword" - } - } - }, - "region": { - "type": "keyword" - }, - "bytes": { - "type": "long" - }, - "dstaddr": { - "type": "ip" - }, - "srcaddr": { - "type": "ip" - }, - "end": { - "type": "date" - }, - "start": { - "type": "date" - }, - "source_ip_address": { - "type": "ip" - }, - "service": { - "properties": { - "count": { - "type": "long" - }, - "action.networkConnectionAction.remoteIpDetails": { - "properties": { - "ipAddressV4": { - "type": "ip" - }, - "geoLocation": { - "type": "geo_point" - } - } - }, - "eventFirstSeen": { - "type": "date" - }, - "eventLastSeen": { - "type": "date" - } - } - }, - "createdAt": { - "type": "date" - }, - "updatedAt": { - "type": "date" - }, - "resource.instanceDetails": { - "properties": { - "launchTime": { - "type": "date" - }, - "networkInterfaces": { - "properties": { - "privateIpAddress": { - "type": "ip" - }, 
- "publicIp": { - "type": "ip" - } - } - } - } - } - } - }, - "cis": { - "properties": { - "benchmark": { - "type": "keyword" - }, - "error": { - "type": "long" - }, - "fail": { - "type": "long" - }, - "group": { - "type": "keyword" - }, - "notchecked": { - "type": "long" - }, - "pass": { - "type": "long" - }, - "result": { - "type": "keyword" - }, - "rule_title": { - "type": "keyword" - }, - "score": { - "type": "long" - }, - "timestamp": { - "type": "keyword" - }, - "unknown": { - "type": "long" - } - } - }, - "docker": { - "properties": { - "Action": { - "type": "keyword" - }, - "Actor": { - "properties": { - "Attributes": { - "properties": { - "image": { - "type": "keyword" - }, - "name": { - "type": "keyword" - } - } - } - } - }, - "from": { - "type": "keyword" - }, - "Type": { - "type": "keyword" - } - } - }, - "gcp": { - "properties": { - "jsonPayload": { - "properties": { - "authAnswer": { - "type": "keyword" - }, - "queryName": { - "type": "keyword" - }, - "responseCode": { - "type": "keyword" - }, - "vmInstanceId": { - "type": "keyword" - }, - "vmInstanceName": { - "type": "keyword" - } - } - }, - "resource": { - "properties": { - "labels": { - "properties": { - "location": { - "type": "keyword" - }, - "project_id": { - "type": "keyword" - }, - "source_type": { - "type": "keyword" - } - } - }, - "type": { - "type": "keyword" - } - } - }, - "severity": { - "type": "keyword" - } - } - }, - "osquery": { - "properties": { - "name": { - "type": "keyword" - }, - "pack": { - "type": "keyword" - }, - "action": { - "type": "keyword" - }, - "calendarTime": { - "type": "keyword" - } - } - }, - "parameters": { - "properties": { - "extra_args": { - "type": "keyword" - } - } - }, - "YARA": { - "properties": { - "reference": { - "type": "keyword" - }, - "api_customer": { - "type": "keyword" - }, - "log_type": { - "type": "keyword" - }, - "scanned_file": { - "type": "keyword" - }, - "rule_author": { - "type": "keyword" - }, - "rule_name": { - "type": "keyword" - }, - 
"rule_description": { - "type": "keyword" - }, - "tags": { - "type": "keyword" - } - } - } - } - }, - "program_name": { - "type": "keyword" - }, - "command": { - "type": "keyword" - }, - "type": { - "type": "text" - }, - "title": { - "type": "keyword" - }, - "id": { - "type": "keyword" - }, - "input": { - "properties": { - "type": { - "type": "keyword" - } - } - }, - "previous_output": { - "type": "keyword" - } - } - }, - "version": 1 -} +{ + "index_patterns": [ + "wazuh-archives-5.x-*" + ], + "mappings": { + "date_detection": false, + "dynamic": "false", + "properties": { + "@timestamp": { + "type": "date" + }, + "agent": { + "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "groups": { + "ignore_above": 1024, + "type": "keyword" + }, + "host": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": 
"geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "check": { + "properties": { + "compliance": { + "ignore_above": 1024, + "type": "keyword" + }, + "condition": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "rationale": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + }, + "remediation": { + "ignore_above": 1024, + "type": "keyword" + }, + "result": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "client": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "cloud": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "target": { + "properties": { + "account": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "availability_zone": { + "ignore_above": 1024, + "type": "keyword" + }, + "instance": { + 
"properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "machine": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "region": { + "ignore_above": 1024, + "type": "keyword" + }, + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "container": { + "properties": { + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "image": { + "properties": { + "hash": { + "properties": { + "all": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "tag": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "memory": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "runtime": { + "ignore_above": 1024, + "type": "keyword" + }, + "security_context": { + "properties": { + "privileged": { + "type": "boolean" + } + } + } + } + }, + "data_stream": { + "properties": { + "dataset": { + "type": "keyword" + }, + "namespace": { + "type": "keyword" + }, + "type": { + 
"type": "keyword" + } + } + }, + "destination": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + 
"properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "device": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "manufacturer": { + "ignore_above": 1024, + "type": "keyword" + }, + "model": { + "properties": { + "identifier": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "dll": { + "properties": { + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + } + } + }, + "dns": { + "properties": { + "answers": { + "properties": { + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "ttl": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "header_flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "op_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "question": { + "properties": { + "class": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "resolved_ip": { + "type": "ip" + }, + "response_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ecs": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "properties": { + "attachments": { + "properties": { + "file": { + "properties": { + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + } + } + } + }, + "type": "nested" + }, + "bcc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cc": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "content_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "delivery_timestamp": { + "type": "date" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "from": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + 
"local_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message_id": { + "type": "keyword" + }, + "origination_timestamp": { + "type": "date" + }, + "reply_to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "sender": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "subject": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "to": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x_mailer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "error": { + "properties": { + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "message": { + "type": "keyword" + }, + "stack_trace": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "event": { + "properties": { + "action": { + "ignore_above": 1024, + "type": "keyword" + }, + "agent_id_status": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "changed_fields": { + "ignore_above": 1024, + "type": "keyword" + }, + "code": { + "ignore_above": 1024, + "type": "keyword" + }, + "collector": { + "ignore_above": 1024, + "type": "keyword" + }, + "created": { + "type": "date" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "duration": { + "type": "long" + }, + "end": { + "type": "date" + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingested": { + "type": "date" + }, + "kind": { + "ignore_above": 1024, + "type": "keyword" + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "doc_values": false, + "index": false, + "type": "keyword" + }, + "outcome": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk_score": { + "type": "float" + }, + "risk_score_norm": { + "type": "float" + }, + "sequence": { + "type": "long" + }, + "severity": { + "type": "long" + }, + "start": { + "type": "date" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "faas": { + "properties": { + "coldstart": { + "type": "boolean" + }, + "execution": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trigger": { + "properties": { + "request_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + 
"properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "mime_type": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + 
"alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "host": { + "properties": { + 
"architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "boot": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "cpu": { + "properties": { + "cores": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "speed": { + "type": "long" + }, + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + }, + "type": "object" + }, + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "memory": { + "properties": { + "free": { + "type": "long" + }, + "total": { + "type": "long" + }, + "used": { + "properties": { + "percentage": { + "type": "long" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "network": { + "properties": { + "egress": { + "properties": { 
+ "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "drops": { + "type": "long" + }, + "errors": { + "type": "long" + }, + "packets": { + "type": "long" + }, + "queue": { + "type": "long" + } + } + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pid_ns_ino": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uptime": { + "type": "long" + } + } + }, + "http": { + "properties": { + "request": { + "properties": { + "body": { + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "method": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "referrer": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "response": { + "properties": { + "body": 
{ + "properties": { + "bytes": { + "type": "long" + }, + "content": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + } + } + }, + "bytes": { + "type": "long" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "status_code": { + "type": "long" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "labels": { + "type": "object" + }, + "log": { + "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "level": { + "ignore_above": 1024, + "type": "keyword" + }, + "logger": { + "ignore_above": 1024, + "type": "keyword" + }, + "origin": { + "properties": { + "file": { + "properties": { + "line": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "function": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "syslog": { + "properties": { + "appname": { + "ignore_above": 1024, + "type": "keyword" + }, + "facility": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "msgid": { + "ignore_above": 1024, + "type": "keyword" + }, + "priority": { + "type": "long" + }, + "procid": { + "ignore_above": 1024, + "type": "keyword" + }, + "severity": { + "properties": { + "code": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "structured_data": { + "type": "flat_object" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" 
+ } + }, + "type": "object" + } + } + }, + "message": { + "type": "keyword" + }, + "network": { + "properties": { + "application": { + "ignore_above": 1024, + "type": "keyword" + }, + "broadcast": { + "type": "ip" + }, + "bytes": { + "type": "long" + }, + "community_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "dhcp": { + "ignore_above": 1024, + "type": "keyword" + }, + "direction": { + "ignore_above": 1024, + "type": "keyword" + }, + "forwarded_ip": { + "type": "ip" + }, + "gateway": { + "type": "ip" + }, + "iana_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "inner": { + "properties": { + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "metric": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "netmask": { + "type": "ip" + }, + "packets": { + "type": "long" + }, + "protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "transport": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "observer": { + "properties": { + "egress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "observer": { + "properties": { + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hostname": { + "ignore_above": 1024, + "type": "keyword" + }, + "ingress": { + "properties": { + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtu": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "zone": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, 
+ "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "orchestrator": { + "properties": { + "api_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "cluster": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "namespace": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "resource": { + "properties": { + "annotation": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "label": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } 
+ }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "organization": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "package": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "build_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "checksum": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "install_scope": { + "ignore_above": 1024, + "type": "keyword" + }, + "installed": { + "type": "date" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "policy": { + "properties": { + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "references": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "process": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, 
+ "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "attested_groups": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "attested_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "entry_meta": { + "properties": { + "source": { + "properties": { + "ip": { + "type": "ip" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + 
"session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "env_vars": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { 
+ "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + 
"major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "io": { + "properties": { + "bytes_skipped": { + "properties": { + "length": { + "type": "long" + }, + "offset": { + "type": "long" + } + }, + "type": "object" + }, + "max_bytes_per_process_exceeded": { + "type": "boolean" + }, + "text": { + "type": "keyword" + }, + "total_bytes_captured": { + "type": "long" + }, + "total_bytes_skipped": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "object" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + 
"properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "end": { + "type": "date" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "exit_code": { + "type": "long" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "group_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": 
"date" + }, + "vpid": { + "type": "long" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "macho": { + "properties": { + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "symhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + 
"go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + 
"properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "pgid": { + "type": "long" + }, + "pid": { + "type": "long" + }, + "previous": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "session_leader": { + "properties": { + "args": { + "ignore_above": 1024, + "type": "keyword" + }, + "args_count": { + "type": "long" + }, + "command_line": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "executable": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "interactive": { + "type": "boolean" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "parent": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "session_leader": { + "properties": { + "entity_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "pid": { + "type": "long" + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "start": { + "type": "date" + }, + "vpid": { + "type": "long" + } + } + }, + "pid": { + "type": "long" + }, + "real_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "real_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "same_as_process": { + "type": "boolean" + }, + "saved_group": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "saved_user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + } + }, + "type": "object" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + 
"type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "start": { + "type": "date" + }, + "supplemental_groups": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "thread": { + "properties": { + "capabilities": { + "properties": { + "effective": { + "ignore_above": 1024, + "type": "keyword" + }, + "permitted": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "id": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "title": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "tty": { + "properties": { + "char_device": { + "properties": { + "major": { + "type": "long" + }, + "minor": { + "type": "long" + } + } + }, + "columns": { + "type": "long" + }, + "rows": { + "type": "long" + } + }, + "type": "object" + }, + "uptime": { + "type": "long" + }, + "user": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vpid": { + "type": "long" + }, + "working_directory": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "related": { + "properties": { + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, + "ip": { + "type": "ip" + }, + "user": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "rule": { + "properties": { + "author": { + "ignore_above": 1024, + "type": "keyword" + }, + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "license": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "ruleset": { + "ignore_above": 1024, + "type": "keyword" + }, + "uuid": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "server": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "service": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + 
"ignore_above": 1024, + "type": "keyword" + } + } + }, + "origin": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "environment": { + "ignore_above": 1024, + "type": "keyword" + }, + "ephemeral_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "role": { + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "state": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "source": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + }, + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { 
+ "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "bytes": { + "type": "long" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "mac": { + "ignore_above": 1024, + "type": "keyword" + }, + "nat": { + "properties": { + "ip": { + "type": "ip" + }, + "port": { + "type": "long" + } + } + }, + "packets": { + "type": "long" + }, + "port": { + "type": "long" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "user": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tags": { + "ignore_above": 1024, + "type": "keyword" + }, + "threat": { + "properties": { + "enrichments": { + "properties": { + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + "properties": { + "architecture": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": 
"keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + "ignore_above": 1024, + "type": 
"keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": 
"long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + 
"type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "object" + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "index": { + "ignore_above": 1024, + "type": "keyword" + }, + "occurred": { + "type": "date" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + }, + "type": "nested" + }, + "feed": { + "properties": { + "dashboard_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "framework": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "indicator": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "file": { + "properties": { + "accessed": { + "type": "date" + }, + "attributes": { + "ignore_above": 1024, + "type": "keyword" + }, + "code_signature": { + "properties": { + "digest_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "exists": { + "type": "boolean" + }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "timestamp": { + "type": "date" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "created": { + "type": "date" + }, + "ctime": { + "type": "date" + }, + "device": { + "ignore_above": 1024, + "type": "keyword" + }, + "directory": { + "ignore_above": 1024, + "type": "keyword" + }, + "drive_letter": { + "ignore_above": 1, + "type": "keyword" + }, + "elf": { + 
"properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "byte_order": { + "ignore_above": 1024, + "type": "keyword" + }, + "cpu_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "creation_date": { + "type": "date" + }, + "exports": { + "type": "flat_object" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "header": { + "properties": { + "abi_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "class": { + "ignore_above": 1024, + "type": "keyword" + }, + "data": { + "ignore_above": 1024, + "type": "keyword" + }, + "entrypoint": { + "type": "long" + }, + "object_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "os_abi": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "sections": { + "properties": { + "chi2": { + "type": "long" + }, + "entropy": { + "type": "long" + }, + "flags": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_offset": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "var_entropy": { + "type": "long" + }, + "virtual_address": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + }, + "segments": { + "properties": { + "sections": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + 
"ignore_above": 1024, + "type": "keyword" + } + }, + "type": "nested" + }, + "shared_libraries": { + "ignore_above": 1024, + "type": "keyword" + }, + "telfhash": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fork_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "gid": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha384": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlsh": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "inode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, + "mode": { + "ignore_above": 1024, + "type": "keyword" + }, + "mtime": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "owner": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "go_imports": { + "type": "flat_object" + }, + "go_imports_names_entropy": { + "type": "long" + }, + "go_imports_names_var_entropy": { + "type": "long" + }, + "go_stripped": { + "type": "boolean" + }, + "imphash": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "import_hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "imports": { + "type": "flat_object" + }, + "imports_names_entropy": { + "type": "long" + }, + "imports_names_var_entropy": { + "type": "long" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "pehash": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + }, + "sections": { + "properties": { + "entropy": { + "type": "long" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "physical_size": { + "type": "long" + }, + "var_entropy": { + "type": "long" + }, + "virtual_size": { + "type": "long" + } + }, + "type": "nested" + } + } + }, + "size": { + "type": "long" + }, + "target_path": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "uid": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + 
"public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + }, + "tlp_version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "modified_at": { + "type": "date" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": 
{ + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "registry": { + "properties": { + "data": { + "properties": { + "bytes": { + "ignore_above": 1024, + "type": "keyword" + }, + "strings": { + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hive": { + "ignore_above": 1024, + "type": "keyword" + }, + "key": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "ignore_above": 1024, + "type": "keyword" + }, + "value": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { 
+ "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "software": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "platforms": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "tactic": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "technique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "tls": { + "properties": { + "cipher": { + "ignore_above": 1024, + "type": "keyword" + }, + "client": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + "ignore_above": 1024, + "type": "keyword" + }, + "ja3": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "server_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "supported_ciphers": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" 
+ }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "established": { + "type": "boolean" + }, + "next_protocol": { + "ignore_above": 1024, + "type": "keyword" + }, + "resumed": { + "type": "boolean" + }, + "server": { + "properties": { + "certificate": { + "ignore_above": 1024, + "type": "keyword" + }, + "certificate_chain": { + "ignore_above": 1024, + "type": "keyword" + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "issuer": { + 
"ignore_above": 1024, + "type": "keyword" + }, + "ja3s": { + "ignore_above": 1024, + "type": "keyword" + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "subject": { + "ignore_above": 1024, + "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + 
} + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + }, + "version_protocol": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "trace": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "transaction": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "url": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "extension": { + "ignore_above": 1024, + "type": "keyword" + }, + "fragment": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "type": "keyword" + }, + "password": { + "ignore_above": 1024, + "type": "keyword" + }, + "path": { + "type": "keyword" + }, + "port": { + "type": "long" + }, + "query": { + "ignore_above": 1024, + "type": "keyword" + }, + "registered_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "scheme": { + "ignore_above": 1024, + "type": "keyword" + }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, + "top_level_domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "username": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "user": { + "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + 
"text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "risk": { + "properties": { + "calculated_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "calculated_score": { + "type": "float" + }, + "calculated_score_norm": { + "type": "float" + }, + "static_level": { + "ignore_above": 1024, + "type": "keyword" + }, + "static_score": { + "type": "float" + }, + "static_score_norm": { + "type": "float" + } + } + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + 
"target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "user_agent": { + "properties": { + "device": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "original": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "type": "keyword" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "vulnerability": { + "properties": { + "category": { + "ignore_above": 1024, + "type": "keyword" + }, + "classification": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 
1024, + "type": "keyword" + }, + "enumeration": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "report_id": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner": { + "properties": { + "reference": { + "ignore_above": 1024, + "type": "keyword" + }, + "vendor": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "score": { + "properties": { + "base": { + "type": "float" + }, + "environmental": { + "type": "float" + }, + "temporal": { + "type": "float" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "severity": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "wazuh": { + "properties": { + "cluster": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "node": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "decoders": { + "ignore_above": 1024, + "type": "keyword" + }, + "rules": { + "ignore_above": 1024, + "type": "keyword" + }, + "schema": { + "properties": { + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } + } + }, + "order": 1, + "settings": { + "index": { + "auto_expand_replicas": "0-1", + "number_of_replicas": "0", + "number_of_shards": "3", + "query.default_field": [ + "agent.host.architecture", + "agent.host.ip", + "agent.id", + "agent.name", + "agent.version", + "wazuh.cluster.name", + "wazuh.cluster.node", + "wazuh.schema.version" + ], + "refresh_interval": "2s" + }, + "mapping.total_fields.limit": 2500, + "plugins.index_state_management.rollover_alias": "wazuh-archives" + } +}