- {
- "index": {
- "lifecycle": {
- "name": "filebeat-7.4.1",
- "rollover_alias": "filebeat-7.4.1"
- },
- "mapping": {
- "total_fields": {
- "limit": "10000"
- }
- },
- "refresh_interval": "5s",
- "number_of_routing_shards": "30",
- "number_of_shards": "1",
- "query": {
- "default_field": [
- "message",
- "tags",
- "agent.ephemeral_id",
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "as.organization.name",
- "client.address",
- "client.as.organization.name",
- "client.domain",
- "client.geo.city_name",
- "client.geo.continent_name",
- "client.geo.country_iso_code",
- "client.geo.country_name",
- "client.geo.name",
- "client.geo.region_iso_code",
- "client.geo.region_name",
- "client.mac",
- "client.user.domain",
- "client.user.email",
- "client.user.full_name",
- "client.user.group.id",
- "client.user.group.name",
- "client.user.hash",
- "client.user.id",
- "client.user.name",
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "container.id",
- "container.image.name",
- "container.image.tag",
- "container.name",
- "container.runtime",
- "destination.address",
- "destination.as.organization.name",
- "destination.domain",
- "destination.geo.city_name",
- "destination.geo.continent_name",
- "destination.geo.country_iso_code",
- "destination.geo.country_name",
- "destination.geo.name",
- "destination.geo.region_iso_code",
- "destination.geo.region_name",
- "destination.mac",
- "destination.user.domain",
- "destination.user.email",
- "destination.user.full_name",
- "destination.user.group.id",
- "destination.user.group.name",
- "destination.user.hash",
- "destination.user.id",
- "destination.user.name",
- "dns.answers.class",
- "dns.answers.data",
- "dns.answers.name",
- "dns.answers.type",
- "dns.header_flags",
- "dns.id",
- "dns.op_code",
- "dns.question.class",
- "dns.question.name",
- "dns.question.registered_domain",
- "dns.question.type",
- "dns.response_code",
- "dns.type",
- "ecs.version",
- "error.code",
- "error.id",
- "error.message",
- "event.action",
- "event.category",
- "event.code",
- "event.dataset",
- "event.hash",
- "event.id",
- "event.kind",
- "event.module",
- "event.original",
- "event.outcome",
- "event.provider",
- "event.timezone",
- "event.type",
- "file.device",
- "file.directory",
- "file.extension",
- "file.gid",
- "file.group",
- "file.hash.md5",
- "file.hash.sha1",
- "file.hash.sha256",
- "file.hash.sha512",
- "file.inode",
- "file.mode",
- "file.name",
- "file.owner",
- "file.path",
- "file.target_path",
- "file.type",
- "file.uid",
- "geo.city_name",
- "geo.continent_name",
- "geo.country_iso_code",
- "geo.country_name",
- "geo.name",
- "geo.region_iso_code",
- "geo.region_name",
- "group.id",
- "group.name",
- "hash.md5",
- "hash.sha1",
- "hash.sha256",
- "hash.sha512",
- "host.architecture",
- "host.geo.city_name",
- "host.geo.continent_name",
- "host.geo.country_iso_code",
- "host.geo.country_name",
- "host.geo.name",
- "host.geo.region_iso_code",
- "host.geo.region_name",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.full",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.type",
- "host.user.domain",
- "host.user.email",
- "host.user.full_name",
- "host.user.group.id",
- "host.user.group.name",
- "host.user.hash",
- "host.user.id",
- "host.user.name",
- "http.request.body.content",
- "http.request.method",
- "http.request.referrer",
- "http.response.body.content",
- "http.version",
- "log.level",
- "log.logger",
- "log.original",
- "network.application",
- "network.community_id",
- "network.direction",
- "network.iana_number",
- "network.name",
- "network.protocol",
- "network.transport",
- "network.type",
- "observer.geo.city_name",
- "observer.geo.continent_name",
- "observer.geo.country_iso_code",
- "observer.geo.country_name",
- "observer.geo.name",
- "observer.geo.region_iso_code",
- "observer.geo.region_name",
- "observer.hostname",
- "observer.mac",
- "observer.os.family",
- "observer.os.full",
- "observer.os.kernel",
- "observer.os.name",
- "observer.os.platform",
- "observer.os.version",
- "observer.serial_number",
- "observer.type",
- "observer.vendor",
- "observer.version",
- "organization.id",
- "organization.name",
- "os.family",
- "os.full",
- "os.kernel",
- "os.name",
- "os.platform",
- "os.version",
- "process.args",
- "process.executable",
- "process.hash.md5",
- "process.hash.sha1",
- "process.hash.sha256",
- "process.hash.sha512",
- "process.name",
- "process.thread.name",
- "process.title",
- "process.working_directory",
- "server.address",
- "server.as.organization.name",
- "server.domain",
- "server.geo.city_name",
- "server.geo.continent_name",
- "server.geo.country_iso_code",
- "server.geo.country_name",
- "server.geo.name",
- "server.geo.region_iso_code",
- "server.geo.region_name",
- "server.mac",
- "server.user.domain",
- "server.user.email",
- "server.user.full_name",
- "server.user.group.id",
- "server.user.group.name",
- "server.user.hash",
- "server.user.id",
- "server.user.name",
- "service.ephemeral_id",
- "service.id",
- "service.name",
- "service.state",
- "service.type",
- "service.version",
- "source.address",
- "source.as.organization.name",
- "source.domain",
- "source.geo.city_name",
- "source.geo.continent_name",
- "source.geo.country_iso_code",
- "source.geo.country_name",
- "source.geo.name",
- "source.geo.region_iso_code",
- "source.geo.region_name",
- "source.mac",
- "source.user.domain",
- "source.user.email",
- "source.user.full_name",
- "source.user.group.id",
- "source.user.group.name",
- "source.user.hash",
- "source.user.id",
- "source.user.name",
- "tracing.trace.id",
- "tracing.transaction.id",
- "url.domain",
- "url.fragment",
- "url.full",
- "url.original",
- "url.password",
- "url.path",
- "url.query",
- "url.scheme",
- "url.username",
- "user.domain",
- "user.email",
- "user.full_name",
- "user.group.id",
- "user.group.name",
- "user.hash",
- "user.id",
- "user.name",
- "user_agent.device.name",
- "user_agent.name",
- "user_agent.original",
- "user_agent.os.family",
- "user_agent.os.full",
- "user_agent.os.kernel",
- "user_agent.os.name",
- "user_agent.os.platform",
- "user_agent.os.version",
- "user_agent.version",
- "agent.hostname",
- "error.type",
- "timeseries.instance",
- "cloud.project.id",
- "cloud.image.id",
- "host.os.build",
- "host.os.codename",
- "kubernetes.pod.name",
- "kubernetes.pod.uid",
- "kubernetes.namespace",
- "kubernetes.node.name",
- "kubernetes.replicaset.name",
- "kubernetes.deployment.name",
- "kubernetes.statefulset.name",
- "kubernetes.container.name",
- "kubernetes.container.image",
- "jolokia.agent.version",
- "jolokia.agent.id",
- "jolokia.server.product",
- "jolokia.server.version",
- "jolokia.server.vendor",
- "jolokia.url",
- "log.file.path",
- "log.source.address",
- "stream",
- "input.type",
- "syslog.severity_label",
- "syslog.facility_label",
- "process.program",
- "log.flags",
- "user_agent.os.full_name",
- "fileset.name",
- "icmp.code",
- "icmp.type",
- "igmp.type",
- "kafka.topic",
- "kafka.key",
- "apache.access.ssl.protocol",
- "apache.access.ssl.cipher",
- "apache.error.module",
- "user.terminal",
- "user.audit.id",
- "user.audit.name",
- "user.audit.group.id",
- "user.audit.group.name",
- "user.effective.id",
- "user.effective.name",
- "user.effective.group.id",
- "user.effective.group.name",
- "user.filesystem.id",
- "user.filesystem.name",
- "user.filesystem.group.id",
- "user.filesystem.group.name",
- "user.owner.id",
- "user.owner.name",
- "user.owner.group.id",
- "user.owner.group.name",
- "user.saved.id",
- "user.saved.name",
- "user.saved.group.id",
- "user.saved.group.name",
- "auditd.log.old_auid",
- "auditd.log.new_auid",
- "auditd.log.old_ses",
- "auditd.log.new_ses",
- "auditd.log.items",
- "auditd.log.item",
- "auditd.log.tty",
- "auditd.log.a0",
- "aws.s3access.bucket_owner",
- "aws.s3access.bucket",
- "aws.s3access.requester",
- "aws.s3access.request_id",
- "aws.s3access.operation",
- "aws.s3access.key",
- "aws.s3access.request_uri",
- "aws.s3access.error_code",
- "aws.s3access.referrer",
- "aws.s3access.user_agent",
- "aws.s3access.version_id",
- "aws.s3access.host_id",
- "aws.s3access.signature_version",
- "aws.s3access.cipher_suite",
- "aws.s3access.authentication_type",
- "aws.s3access.host_header",
- "aws.s3access.tls_version",
- "cisco.asa.message_id",
- "cisco.asa.suffix",
- "cisco.asa.source_interface",
- "cisco.asa.destination_interface",
- "cisco.asa.rule_name",
- "cisco.asa.source_username",
- "cisco.asa.destination_username",
- "cisco.asa.threat_level",
- "cisco.asa.threat_category",
- "cisco.asa.connection_id",
- "cisco.ftd.message_id",
- "cisco.ftd.suffix",
- "cisco.ftd.source_interface",
- "cisco.ftd.destination_interface",
- "cisco.ftd.rule_name",
- "cisco.ftd.source_username",
- "cisco.ftd.destination_username",
- "cisco.ftd.threat_level",
- "cisco.ftd.threat_category",
- "cisco.ftd.connection_id",
- "cisco.ios.access_list",
- "cisco.ios.facility",
- "coredns.id",
- "coredns.query.class",
- "coredns.query.name",
- "coredns.query.type",
- "coredns.response.code",
- "coredns.response.flags",
- "cef.version",
- "cef.device.vendor",
- "cef.device.product",
- "cef.device.version",
- "cef.device.event_class_id",
- "cef.severity",
- "cef.name",
- "observer.product",
- "source.service.name",
- "destination.service.name",
- "elasticsearch.component",
- "elasticsearch.cluster.uuid",
- "elasticsearch.cluster.name",
- "elasticsearch.node.id",
- "elasticsearch.node.name",
- "elasticsearch.index.name",
- "elasticsearch.index.id",
- "elasticsearch.shard.id",
- "elasticsearch.audit.layer",
- "elasticsearch.audit.event_type",
- "elasticsearch.audit.origin.type",
- "elasticsearch.audit.realm",
- "elasticsearch.audit.user.realm",
- "elasticsearch.audit.user.roles",
- "elasticsearch.audit.action",
- "elasticsearch.audit.url.params",
- "elasticsearch.audit.indices",
- "elasticsearch.audit.request.id",
- "elasticsearch.audit.request.name",
- "elasticsearch.audit.message",
- "elasticsearch.gc.phase.name",
- "elasticsearch.gc.tags",
- "elasticsearch.slowlog.logger",
- "elasticsearch.slowlog.took",
- "elasticsearch.slowlog.types",
- "elasticsearch.slowlog.stats",
- "elasticsearch.slowlog.search_type",
- "elasticsearch.slowlog.source_query",
- "elasticsearch.slowlog.extra_source",
- "elasticsearch.slowlog.total_hits",
- "elasticsearch.slowlog.total_shards",
- "elasticsearch.slowlog.routing",
- "elasticsearch.slowlog.id",
- "elasticsearch.slowlog.type",
- "elasticsearch.slowlog.source",
- "envoyproxy.log_type",
- "envoyproxy.response_flags",
- "envoyproxy.request_id",
- "envoyproxy.authority",
- "envoyproxy.proxy_type",
- "googlecloud.vpcflow.reporter",
- "googlecloud.vpcflow.destination.instance.project_id",
- "googlecloud.vpcflow.destination.instance.region",
- "googlecloud.vpcflow.destination.instance.zone",
- "googlecloud.vpcflow.destination.vpc.project_id",
- "googlecloud.vpcflow.destination.vpc.vpc_name",
- "googlecloud.vpcflow.destination.vpc.subnetwork_name",
- "googlecloud.vpcflow.source.instance.project_id",
- "googlecloud.vpcflow.source.instance.region",
- "googlecloud.vpcflow.source.instance.zone",
- "googlecloud.vpcflow.source.vpc.project_id",
- "googlecloud.vpcflow.source.vpc.vpc_name",
- "googlecloud.vpcflow.source.vpc.subnetwork_name",
- "haproxy.frontend_name",
- "haproxy.backend_name",
- "haproxy.server_name",
- "haproxy.bind_name",
- "haproxy.error_message",
- "haproxy.source",
- "haproxy.termination_state",
- "haproxy.mode",
- "haproxy.http.response.captured_cookie",
- "haproxy.http.response.captured_headers",
- "haproxy.http.request.captured_cookie",
- "haproxy.http.request.captured_headers",
- "haproxy.http.request.raw_request_line",
- "ibmmq.errorlog.installation",
- "ibmmq.errorlog.qmgr",
- "ibmmq.errorlog.arithinsert",
- "ibmmq.errorlog.commentinsert",
- "ibmmq.errorlog.errordescription",
- "ibmmq.errorlog.explanation",
- "ibmmq.errorlog.action",
- "ibmmq.errorlog.code",
- "icinga.debug.facility",
- "icinga.main.facility",
- "icinga.startup.facility",
- "iis.access.site_name",
- "iis.access.server_name",
- "iis.access.cookie",
- "iis.error.reason_phrase",
- "iis.error.queue_name",
- "iptables.fragment_flags",
- "iptables.input_device",
- "iptables.output_device",
- "iptables.tcp.flags",
- "iptables.ubiquiti.input_zone",
- "iptables.ubiquiti.output_zone",
- "iptables.ubiquiti.rule_number",
- "iptables.ubiquiti.rule_set",
- "kafka.log.component",
- "kafka.log.class",
- "kafka.log.trace.class",
- "kafka.log.trace.message",
- "kibana.log.tags",
- "kibana.log.state",
- "logstash.log.module",
- "text",
- "logstash.log.thread",
- "logstash.slowlog.module",
- "text",
- "logstash.slowlog.thread",
- "text",
- "logstash.slowlog.event",
- "logstash.slowlog.plugin_name",
- "logstash.slowlog.plugin_type",
- "text",
- "logstash.slowlog.plugin_params",
- "mongodb.log.component",
- "mongodb.log.context",
- "mssql.log.origin",
- "mysql.slowlog.query",
- "mysql.slowlog.schema",
- "mysql.slowlog.current_user",
- "mysql.slowlog.last_errno",
- "mysql.slowlog.killed",
- "mysql.slowlog.log_slow_rate_type",
- "mysql.slowlog.log_slow_rate_limit",
- "mysql.slowlog.innodb.trx_id",
- "nats.log.msg.type",
- "nats.log.msg.subject",
- "nats.log.msg.reply_to",
- "nats.log.msg.error.message",
- "nats.log.msg.queue_group",
- "netflow.type",
- "netflow.exporter.address",
- "netflow.source_mac_address",
- "netflow.post_destination_mac_address",
- "netflow.destination_mac_address",
- "netflow.post_source_mac_address",
- "netflow.interface_name",
- "netflow.interface_description",
- "netflow.sampler_name",
- "netflow.application_description",
- "netflow.application_name",
- "netflow.class_name",
- "netflow.wlan_ssid",
- "netflow.vr_fname",
- "netflow.metro_evc_id",
- "netflow.nat_pool_name",
- "netflow.p2p_technology",
- "netflow.tunnel_technology",
- "netflow.encrypted_technology",
- "netflow.observation_domain_name",
- "netflow.selector_name",
- "netflow.information_element_description",
- "netflow.information_element_name",
- "netflow.virtual_station_interface_name",
- "netflow.virtual_station_name",
- "netflow.sta_mac_address",
- "netflow.wtp_mac_address",
- "netflow.user_name",
- "netflow.application_category_name",
- "netflow.application_sub_category_name",
- "netflow.application_group_name",
- "netflow.dot1q_customer_source_mac_address",
- "netflow.dot1q_customer_destination_mac_address",
- "netflow.mib_context_name",
- "netflow.mib_object_name",
- "netflow.mib_object_description",
- "netflow.mib_object_syntax",
- "netflow.mib_module_name",
- "netflow.mobile_imsi",
- "netflow.mobile_msisdn",
- "netflow.http_request_method",
- "netflow.http_request_host",
- "netflow.http_request_target",
- "netflow.http_message_version",
- "netflow.http_user_agent",
- "netflow.http_content_type",
- "netflow.http_reason_phrase",
- "osquery.result.name",
- "osquery.result.action",
- "osquery.result.host_identifier",
- "osquery.result.calendar_time",
- "panw.panos.ruleset",
- "panw.panos.source.zone",
- "panw.panos.source.interface",
- "panw.panos.destination.zone",
- "panw.panos.destination.interface",
- "panw.panos.network.pcap_id",
- "panw.panos.network.nat.community_id",
- "panw.panos.file.hash",
- "panw.panos.url.category",
- "panw.panos.flow_id",
- "panw.panos.threat.resource",
- "panw.panos.threat.id",
- "panw.panos.threat.name",
- "postgresql.log.timestamp",
- "postgresql.log.database",
- "postgresql.log.query",
- "rabbitmq.log.pid",
- "redis.log.role",
- "redis.slowlog.cmd",
- "redis.slowlog.key",
- "redis.slowlog.args",
- "bucket_name",
- "object_key",
- "santa.action",
- "santa.decision",
- "santa.reason",
- "santa.mode",
- "santa.disk.volume",
- "santa.disk.bus",
- "santa.disk.serial",
- "santa.disk.bsdname",
- "santa.disk.model",
- "santa.disk.fs",
- "santa.disk.mount",
- "certificate.common_name",
- "certificate.sha256",
- "suricata.eve.event_type",
- "suricata.eve.app_proto_orig",
- "suricata.eve.tcp.tcp_flags",
- "suricata.eve.tcp.tcp_flags_tc",
- "suricata.eve.tcp.state",
- "suricata.eve.tcp.tcp_flags_ts",
- "suricata.eve.fileinfo.sha1",
- "suricata.eve.fileinfo.state",
- "suricata.eve.fileinfo.sha256",
- "suricata.eve.fileinfo.md5",
- "suricata.eve.dns.type",
- "suricata.eve.dns.rrtype",
- "suricata.eve.dns.rrname",
- "suricata.eve.dns.rdata",
- "suricata.eve.dns.rcode",
- "suricata.eve.flow_id",
- "suricata.eve.email.status",
- "suricata.eve.http.redirect",
- "suricata.eve.http.protocol",
- "suricata.eve.http.http_content_type",
- "suricata.eve.in_iface",
- "suricata.eve.alert.category",
- "suricata.eve.alert.signature",
- "suricata.eve.ssh.client.proto_version",
- "suricata.eve.ssh.client.software_version",
- "suricata.eve.ssh.server.proto_version",
- "suricata.eve.ssh.server.software_version",
- "suricata.eve.tls.issuerdn",
- "suricata.eve.tls.sni",
- "suricata.eve.tls.version",
- "suricata.eve.tls.fingerprint",
- "suricata.eve.tls.serial",
- "suricata.eve.tls.subject",
- "suricata.eve.app_proto_ts",
- "suricata.eve.flow.state",
- "suricata.eve.flow.reason",
- "suricata.eve.app_proto_tc",
- "suricata.eve.smtp.rcpt_to",
- "suricata.eve.smtp.mail_from",
- "suricata.eve.smtp.helo",
- "suricata.eve.app_proto_expected",
- "system.auth.ssh.method",
- "system.auth.ssh.signature",
- "system.auth.ssh.event",
- "system.auth.sudo.error",
- "system.auth.sudo.tty",
- "system.auth.sudo.pwd",
- "system.auth.sudo.user",
- "system.auth.sudo.command",
- "system.auth.useradd.home",
- "system.auth.useradd.shell",
- "traefik.access.user_identifier",
- "traefik.access.frontend_name",
- "traefik.access.backend_url",
- "zeek.session_id",
- "zeek.connection.state",
- "zeek.connection.history",
- "zeek.connection.orig_l2_addr",
- "zeek.connection.resp_l2_addr",
- "zeek.dns.trans_id",
- "zeek.dns.query",
- "zeek.dns.qclass_name",
- "zeek.dns.qtype_name",
- "zeek.dns.rcode_name",
- "zeek.dns.answers",
- "zeek.http.status_msg",
- "zeek.http.info_msg",
- "zeek.http.tags",
- "zeek.http.password",
- "zeek.http.proxied",
- "zeek.http.client_header_names",
- "zeek.http.server_header_names",
- "zeek.http.orig_fuids",
- "zeek.http.orig_mime_types",
- "zeek.http.orig_filenames",
- "zeek.http.resp_fuids",
- "zeek.http.resp_mime_types",
- "zeek.http.resp_filenames",
- "zeek.files.fuid",
- "zeek.files.session_ids",
- "zeek.files.source",
- "zeek.files.analyzers",
- "zeek.files.mime_type",
- "zeek.files.filename",
- "zeek.files.parent_fuid",
- "zeek.files.md5",
- "zeek.files.sha1",
- "zeek.files.sha256",
- "zeek.files.extracted",
- "zeek.ssl.version",
- "zeek.ssl.cipher",
- "zeek.ssl.curve",
- "zeek.ssl.server_name",
- "zeek.ssl.next_protocol",
- "zeek.ssl.cert_chain",
- "zeek.ssl.cert_chain_fuids",
- "zeek.ssl.client_cert_chain",
- "zeek.ssl.client_cert_chain_fuids",
- "zeek.ssl.issuer",
- "zeek.ssl.client_issuer",
- "zeek.ssl.validation_status",
- "zeek.ssl.validation_code",
- "zeek.ssl.subject",
- "zeek.ssl.client_subject",
- "zeek.ssl.last_alert",
- "zeek.notice.connection_id",
- "zeek.notice.icmp_id",
- "zeek.notice.file.id",
- "zeek.notice.file.parent_id",
- "zeek.notice.file.source",
- "zeek.notice.file.mime_type",
- "zeek.notice.fuid",
- "zeek.notice.note",
- "zeek.notice.msg",
- "zeek.notice.sub",
- "zeek.notice.peer_name",
- "zeek.notice.peer_descr",
- "zeek.notice.actions",
- "zeek.notice.email_body_sections",
- "zeek.notice.email_delay_tokens",
- "zeek.notice.identifier",
- "fields.*"
- ]
- }
- }
- }