- {
- "index_patterns": [
- "filebeat-*"
- ],
- "mappings": {
- "date_detection": false,
- "dynamic_templates": [
- {
- "labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "labels.*"
- }
- },
- {
- "container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "container.labels.*"
- }
- },
- {
- "dns.answers": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "dns.answers.*"
- }
- },
- {
- "log.syslog": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "log.syslog.*"
- }
- },
- {
- "fields": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "fields.*"
- }
- },
- {
- "docker.container.labels": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "docker.container.labels.*"
- }
- },
- {
- "kubernetes.labels.*": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "*",
- "path_match": "kubernetes.labels.*"
- }
- },
- {
- "kubernetes.annotations.*": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "*",
- "path_match": "kubernetes.annotations.*"
- }
- },
- {
- "docker.attrs": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "docker.attrs.*"
- }
- },
- {
- "azure.activitylogs.identity.claims.*": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "*",
- "path_match": "azure.activitylogs.identity.claims.*"
- }
- },
- {
- "kibana.log.meta": {
- "mapping": {
- "type": "keyword"
- },
- "match_mapping_type": "string",
- "path_match": "kibana.log.meta.*"
- }
- },
- {
- "strings_as_keyword": {
- "mapping": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "match_mapping_type": "string"
- }
- }
- ],
- "properties": {
- "@timestamp": {
- "type": "date"
- },
- "activemq": {
- "properties": {
- "audit": {
- "properties": {}
- },
- "caller": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log": {
- "properties": {
- "stack_trace": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "thread": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "agent": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "apache": {
- "properties": {
- "access": {
- "properties": {
- "ssl": {
- "properties": {
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "error": {
- "properties": {
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "apache2": {
- "properties": {
- "access": {
- "properties": {
- "geoip": {
- "properties": {}
- },
- "user_agent": {
- "properties": {}
- }
- }
- },
- "error": {
- "properties": {}
- }
- }
- },
- "as": {
- "properties": {
- "number": {
- "type": "long"
- },
- "organization": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "auditd": {
- "properties": {
- "log": {
- "properties": {
- "a0": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "addr": {
- "type": "ip"
- },
- "geoip": {
- "properties": {}
- },
- "item": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "items": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "laddr": {
- "type": "ip"
- },
- "lport": {
- "type": "long"
- },
- "new_auid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_auid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_ses": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rport": {
- "type": "long"
- },
- "sequence": {
- "type": "long"
- },
- "tty": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "aws": {
- "properties": {
- "cloudtrail": {
- "properties": {
- "additional_eventdata": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "api_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error_message": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "management_event": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "read_only": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "recipient_account_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request_parameters": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resources": {
- "properties": {
- "account_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "arn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response_elements": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service_event_details": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "shared_event_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_identity": {
- "properties": {
- "access_key_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "arn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "invoked_by": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "session_context": {
- "properties": {
- "creation_date": {
- "type": "date"
- },
- "mfa_authenticated": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vpc_endpoint_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elb": {
- "properties": {
- "action_executed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "backend": {
- "properties": {
- "http": {
- "properties": {
- "response": {
- "properties": {
- "status_code": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "ip": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "backend_processing_time": {
- "properties": {
- "sec": {
- "type": "float"
- }
- }
- },
- "chosen_cert": {
- "properties": {
- "arn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "serial": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "connection_time": {
- "properties": {
- "ms": {
- "type": "long"
- }
- }
- },
- "error": {
- "properties": {
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "incoming_tls_alert": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "listener": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "matched_rule_priority": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "redirect_url": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request_processing_time": {
- "properties": {
- "sec": {
- "type": "float"
- }
- }
- },
- "response_processing_time": {
- "properties": {
- "sec": {
- "type": "float"
- }
- }
- },
- "ssl_cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ssl_protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "target_group": {
- "properties": {
- "arn": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tls_handshake_time": {
- "properties": {
- "ms": {
- "type": "long"
- }
- }
- },
- "tls_named_group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "trace_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "s3access": {
- "properties": {
- "authentication_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bucket": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bucket_owner": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes_sent": {
- "type": "long"
- },
- "cipher_suite": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host_header": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_status": {
- "type": "long"
- },
- "key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "object_size": {
- "type": "long"
- },
- "operation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "referrer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "remote_ip": {
- "type": "ip"
- },
- "request_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request_uri": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requester": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "signature_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tls_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "total_time": {
- "type": "long"
- },
- "turn_around_time": {
- "type": "long"
- },
- "user_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vpcflow": {
- "properties": {
- "account_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "instance_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "interface_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log_status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pkt_dstaddr": {
- "type": "ip"
- },
- "pkt_srcaddr": {
- "type": "ip"
- },
- "subnet_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcp_flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vpc_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "azure": {
- "properties": {
- "activitylogs": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "identity": {
- "properties": {
- "authorization": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "evidence": {
- "properties": {
- "principal_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "principal_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role_assignment_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role_assignment_scope": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "role_definition_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "scope": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "claims": {
- "properties": {
- "*": {
- "type": "object"
- }
- }
- },
- "claims_initiated_by_user": {
- "properties": {
- "fullname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "givenname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "schema": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "surname": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "operation_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "properties": {
- "properties": {
- "service_request_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status_code": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "result_signature": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "auditlogs": {
- "properties": {
- "identity": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "properties": {
- "properties": {
- "activity_datetime": {
- "type": "date"
- },
- "activity_display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "correlation_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "initiated_by": {
- "properties": {
- "app": {
- "properties": {
- "appId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "displayName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "servicePrincipalId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "servicePrincipalName": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "properties": {
- "displayName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ipAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "userPrincipalName": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "logged_by_service": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "result": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "result_reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "target_resources": {
- "properties": {
- "*": {
- "properties": {
- "display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "modified_properties": {
- "properties": {
- "*": {
- "properties": {
- "display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new_value": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "old_value": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_principal_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "result_signature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tenant_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "consumer_group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "correlation_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "enqueued_time": {
- "type": "date"
- },
- "eventhub": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "offset": {
- "type": "long"
- },
- "partition_id": {
- "type": "long"
- },
- "resource": {
- "properties": {
- "authorization_rule": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "namespace": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "sequence_number": {
- "type": "long"
- },
- "signinlogs": {
- "properties": {
- "identity": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "properties": {
- "properties": {
- "app_display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "app_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "client_app_used": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "conditional_access_status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "correlation_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created_at": {
- "type": "date"
- },
- "device_detail": {
- "properties": {
- "browser": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "device_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operating_system": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "trust_type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "is_interactive": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original_request_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "processing_time_ms": {
- "type": "float"
- },
- "resource_display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_detail": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_level_aggregated": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_level_during_signin": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service_principal_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status": {
- "properties": {
- "error_code": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "token_issuer_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "token_issuer_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_display_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_principal_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "result_description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "result_signature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tenant_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "subscription_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tenant_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bucket_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cef": {
- "properties": {
- "device": {
- "properties": {
- "event_class_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "extensions": {
- "properties": {
- "DeviceCustomNumber2": {
- "type": "long"
- },
- "Reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentAddress": {
- "type": "ip"
- },
- "agentDnsDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentHostName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentMacAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentNtDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentReceiptTime": {
- "type": "date"
- },
- "agentTimeZone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentTranslatedAddress": {
- "type": "ip"
- },
- "agentTranslatedZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentTranslatedZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentVersion": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "agentZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "applicationProtocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "baseEventCount": {
- "type": "long"
- },
- "bytesIn": {
- "type": "long"
- },
- "bytesOut": {
- "type": "long"
- },
- "categoryBehavior": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categoryDeviceGroup": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categoryDeviceType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categoryObject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categoryOutcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categorySignificance": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "categoryTechnique": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "customerExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "customerURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationAddress": {
- "type": "ip"
- },
- "destinationDnsDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationGeoLatitude": {
- "type": "double"
- },
- "destinationGeoLongitude": {
- "type": "double"
- },
- "destinationHostName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationMacAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationNtDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationPort": {
- "type": "long"
- },
- "destinationProcessId": {
- "type": "long"
- },
- "destinationProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationServiceName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationTranslatedAddress": {
- "type": "ip"
- },
- "destinationTranslatedPort": {
- "type": "long"
- },
- "destinationTranslatedZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationTranslatedZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationUserId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationUserName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationUserPrivileges": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destinationZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceAction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceAddress": {
- "type": "ip"
- },
- "deviceCustomDate1": {
- "type": "date"
- },
- "deviceCustomDate1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomDate2": {
- "type": "date"
- },
- "deviceCustomDate2Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomFloatingPoint1": {
- "type": "double"
- },
- "deviceCustomFloatingPoint1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomFloatingPoint2": {
- "type": "double"
- },
- "deviceCustomFloatingPoint2Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomFloatingPoint3": {
- "type": "double"
- },
- "deviceCustomFloatingPoint3Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomFloatingPoint4": {
- "type": "double"
- },
- "deviceCustomFloatingPoint4Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomIPv6Address1": {
- "type": "ip"
- },
- "deviceCustomIPv6Address1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomIPv6Address3": {
- "type": "ip"
- },
- "deviceCustomIPv6Address3Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomIPv6Address4": {
- "type": "ip"
- },
- "deviceCustomIPv6Address4Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomNumber1": {
- "type": "long"
- },
- "deviceCustomNumber1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomNumber2Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomNumber3": {
- "type": "long"
- },
- "deviceCustomNumber3Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString2": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString2Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString3": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString3Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString4": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString4Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString5Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString6": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceCustomString6Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceDirection": {
- "type": "long"
- },
- "deviceDnsDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceEventCategory": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceExternalId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceFacility": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceHostName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceInboundInterface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceMacAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceNtDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceOutboundInterface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "devicePayloadId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceProcessId": {
- "type": "long"
- },
- "deviceProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceReceiptTime": {
- "type": "date"
- },
- "deviceTimeZone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceTranslatedAddress": {
- "type": "ip"
- },
- "deviceTranslatedZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceTranslatedZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deviceZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "endTime": {
- "type": "date"
- },
- "eventId": {
- "type": "long"
- },
- "eventOutcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "externalId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fileCreateTime": {
- "type": "date"
- },
- "fileHash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fileId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fileModificationTime": {
- "type": "date"
- },
- "filePath": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filePermission": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fileSize": {
- "type": "long"
- },
- "fileType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flexDate1": {
- "type": "date"
- },
- "flexDate1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flexString1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flexString1Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flexString2": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flexString2Label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "managerReceiptTime": {
- "type": "date"
- },
- "message": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFileCreateTime": {
- "type": "date"
- },
- "oldFileHash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFileId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFileModificationTime": {
- "type": "date"
- },
- "oldFileName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFilePath": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFilePermission": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "oldFileSize": {
- "type": "long"
- },
- "oldFileType": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rawEvent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requestClientApplication": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requestContext": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requestCookies": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requestMethod": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requestUrl": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceAddress": {
- "type": "ip"
- },
- "sourceDnsDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceGeoLatitude": {
- "type": "double"
- },
- "sourceGeoLongitude": {
- "type": "double"
- },
- "sourceHostName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceMacAddress": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceNtDomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourcePort": {
- "type": "long"
- },
- "sourceProcessId": {
- "type": "long"
- },
- "sourceProcessName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceServiceName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceTranslatedAddress": {
- "type": "ip"
- },
- "sourceTranslatedPort": {
- "type": "long"
- },
- "sourceTranslatedZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceTranslatedZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceUserId": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceUserName": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceUserPrivileges": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceZoneExternalID": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sourceZoneURI": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "startTime": {
- "type": "date"
- },
- "transportProtocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "type": "long"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "severity": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "certificate": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "cisco": {
- "properties": {
- "asa": {
- "properties": {
- "connection_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_username": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_code": {
- "type": "short"
- },
- "icmp_type": {
- "type": "short"
- },
- "mapped_destination_ip": {
- "type": "ip"
- },
- "mapped_destination_port": {
- "type": "long"
- },
- "mapped_source_ip": {
- "type": "ip"
- },
- "mapped_source_port": {
- "type": "long"
- },
- "message_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rule_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_username": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "suffix": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat_category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat_level": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ftd": {
- "properties": {
- "connection_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_username": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_code": {
- "type": "short"
- },
- "icmp_type": {
- "type": "short"
- },
- "mapped_destination_ip": {
- "type": "ip"
- },
- "mapped_destination_port": {
- "type": "long"
- },
- "mapped_source_ip": {
- "type": "ip"
- },
- "mapped_source_port": {
- "type": "long"
- },
- "message_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rule_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "security": {
- "type": "object"
- },
- "source_interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_username": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "suffix": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat_category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat_level": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ios": {
- "properties": {
- "access_list": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "facility": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "client": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "as": {
- "properties": {
- "number": {
- "type": "long"
- },
- "organization": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "cloud": {
- "properties": {
- "account": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "availability_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "image": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "instance": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "machine": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "project": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "container": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "image": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tag": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "runtime": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "coredns": {
- "properties": {
- "dnssec_ok": {
- "type": "boolean"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "query": {
- "properties": {
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- }
- }
- }
- }
- },
- "destination": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "as": {
- "properties": {
- "number": {
- "type": "long"
- },
- "organization": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "dns": {
- "properties": {
- "answers": {
- "properties": {
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "data": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ttl": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- },
- "type": "object"
- },
- "header_flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "op_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "question": {
- "properties": {
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subdomain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "resolved_ip": {
- "type": "ip"
- },
- "response_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "docker": {
- "properties": {
- "attrs": {
- "type": "object"
- },
- "container": {
- "properties": {
- "labels": {
- "type": "object"
- }
- }
- }
- }
- },
- "ecs": {
- "properties": {
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "elasticsearch": {
- "properties": {
- "audit": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "event_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "indices": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "layer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "origin": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "realm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "url": {
- "properties": {
- "params": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "properties": {
- "realm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "roles": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "cluster": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uuid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "component": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "deprecation": {
- "properties": {}
- },
- "gc": {
- "properties": {
- "heap": {
- "properties": {
- "size_kb": {
- "type": "long"
- },
- "used_kb": {
- "type": "long"
- }
- }
- },
- "jvm_runtime_sec": {
- "type": "float"
- },
- "old_gen": {
- "properties": {
- "size_kb": {
- "type": "long"
- },
- "used_kb": {
- "type": "long"
- }
- }
- },
- "phase": {
- "properties": {
- "class_unload_time_sec": {
- "type": "float"
- },
- "cpu_time": {
- "properties": {
- "real_sec": {
- "type": "float"
- },
- "sys_sec": {
- "type": "float"
- },
- "user_sec": {
- "type": "float"
- }
- }
- },
- "duration_sec": {
- "type": "float"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "parallel_rescan_time_sec": {
- "type": "float"
- },
- "scrub_string_table_time_sec": {
- "type": "float"
- },
- "scrub_symbol_table_time_sec": {
- "type": "float"
- },
- "weak_refs_processing_time_sec": {
- "type": "float"
- }
- }
- },
- "stopping_threads_time_sec": {
- "type": "float"
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threads_total_stop_time_sec": {
- "type": "float"
- },
- "young_gen": {
- "properties": {
- "size_kb": {
- "type": "long"
- },
- "used_kb": {
- "type": "long"
- }
- }
- }
- }
- },
- "index": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "node": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "server": {
- "properties": {
- "gc": {
- "properties": {
- "collection_duration": {
- "properties": {
- "ms": {
- "type": "float"
- }
- }
- },
- "observation_duration": {
- "properties": {
- "ms": {
- "type": "float"
- }
- }
- },
- "overhead_seq": {
- "type": "long"
- },
- "young": {
- "properties": {
- "one": {
- "type": "long"
- },
- "two": {
- "type": "long"
- }
- }
- }
- }
- },
- "stacktrace": {
- "ignore_above": 1024,
- "index": false,
- "type": "keyword"
- }
- }
- },
- "shard": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "slowlog": {
- "properties": {
- "extra_source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "logger": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "routing": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "search_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "stats": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "took": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "total_hits": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "total_shards": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "types": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "envoyproxy": {
- "properties": {
- "authority": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "proxy_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "response_flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "upstream_service_time": {
- "type": "long"
- }
- }
- },
- "error": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "stack_trace": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "event": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "dataset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "type": "long"
- },
- "end": {
- "type": "date"
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ingested": {
- "type": "date"
- },
- "kind": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "outcome": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "provider": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "risk_score": {
- "type": "float"
- },
- "risk_score_norm": {
- "type": "float"
- },
- "sequence": {
- "type": "long"
- },
- "severity": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "timezone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fields": {
- "type": "object"
- },
- "file": {
- "properties": {
- "accessed": {
- "type": "date"
- },
- "attributes": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "created": {
- "type": "date"
- },
- "ctime": {
- "type": "date"
- },
- "device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "directory": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "drive_letter": {
- "ignore_above": 1,
- "type": "keyword"
- },
- "extension": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "inode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mtime": {
- "type": "date"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "owner": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "target_path": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fileset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "googlecloud": {
- "properties": {
- "audit": {
- "properties": {
- "authentication_info": {
- "properties": {
- "authority_selector": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "principal_email": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "method_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "num_response_items": {
- "type": "long"
- },
- "request": {
- "properties": {
- "filter": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "proto_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resource_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "request_metadata": {
- "properties": {
- "caller_ip": {
- "type": "ip"
- },
- "caller_supplied_user_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "resource_location": {
- "properties": {
- "current_locations": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "resource_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status": {
- "properties": {
- "code": {
- "type": "long"
- },
- "message": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "destination": {
- "properties": {
- "instance": {
- "properties": {
- "project_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "zone": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vpc": {
- "properties": {
- "project_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subnetwork_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vpc_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "firewall": {
- "properties": {
- "rule_details": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "priority": {
- "type": "long"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_range": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_service_account": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_tag": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "target_service_account": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "target_tag": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "source": {
- "properties": {
- "instance": {
- "properties": {
- "project_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "zone": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vpc": {
- "properties": {
- "project_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subnetwork_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vpc_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "vpcflow": {
- "properties": {
- "reporter": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rtt": {
- "properties": {
- "ms": {
- "type": "long"
- }
- }
- }
- }
- }
- }
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "haproxy": {
- "properties": {
- "backend_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "backend_queue": {
- "type": "long"
- },
- "bind_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes_read": {
- "type": "long"
- },
- "client": {
- "properties": {}
- },
- "connection_wait_time_ms": {
- "type": "long"
- },
- "connections": {
- "properties": {
- "active": {
- "type": "long"
- },
- "backend": {
- "type": "long"
- },
- "frontend": {
- "type": "long"
- },
- "retries": {
- "type": "long"
- },
- "server": {
- "type": "long"
- }
- }
- },
- "destination": {
- "properties": {}
- },
- "error_message": {
- "norms": false,
- "type": "text"
- },
- "frontend_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geoip": {
- "properties": {}
- },
- "http": {
- "properties": {
- "request": {
- "properties": {
- "captured_cookie": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "captured_headers": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "raw_request_line": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "time_wait_ms": {
- "type": "long"
- },
- "time_wait_without_data_ms": {
- "type": "long"
- }
- }
- },
- "response": {
- "properties": {
- "captured_cookie": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "captured_headers": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server_queue": {
- "type": "long"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcp": {
- "properties": {
- "connection_waiting_time_ms": {
- "type": "long"
- }
- }
- },
- "termination_state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "time_backend_connect": {
- "type": "long"
- },
- "time_queue": {
- "type": "long"
- },
- "total_waiting_time_ms": {
- "type": "long"
- }
- }
- },
- "hash": {
- "properties": {
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "host": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "containerized": {
- "type": "boolean"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "build": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "codename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uptime": {
- "type": "long"
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "http": {
- "properties": {
- "request": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "referrer": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response": {
- "properties": {
- "body": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "content": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "status_code": {
- "type": "long"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ibmmq": {
- "properties": {
- "errorlog": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "arithinsert": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "commentinsert": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "errordescription": {
- "norms": false,
- "type": "text"
- },
- "explanation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "installation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "qmgr": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "icinga": {
- "properties": {
- "debug": {
- "properties": {
- "facility": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "main": {
- "properties": {
- "facility": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "startup": {
- "properties": {
- "facility": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "icmp": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "igmp": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "iis": {
- "properties": {
- "access": {
- "properties": {
- "cookie": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geoip": {
- "properties": {}
- },
- "server_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "site_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_status": {
- "type": "long"
- },
- "user_agent": {
- "properties": {}
- },
- "win32_status": {
- "type": "long"
- }
- }
- },
- "error": {
- "properties": {
- "geoip": {
- "properties": {}
- },
- "queue_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reason_phrase": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "input": {
- "properties": {
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "iptables": {
- "properties": {
- "ether_type": {
- "type": "long"
- },
- "flow_label": {
- "type": "long"
- },
- "fragment_flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fragment_offset": {
- "type": "long"
- },
- "icmp": {
- "properties": {
- "code": {
- "type": "long"
- },
- "id": {
- "type": "long"
- },
- "parameter": {
- "type": "long"
- },
- "redirect": {
- "type": "ip"
- },
- "seq": {
- "type": "long"
- },
- "type": {
- "type": "long"
- }
- }
- },
- "id": {
- "type": "long"
- },
- "incomplete_bytes": {
- "type": "long"
- },
- "input_device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "length": {
- "type": "long"
- },
- "output_device": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "precedence_bits": {
- "type": "short"
- },
- "tcp": {
- "properties": {
- "ack": {
- "type": "long"
- },
- "flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reserved_bits": {
- "type": "short"
- },
- "seq": {
- "type": "long"
- },
- "window": {
- "type": "long"
- }
- }
- },
- "tos": {
- "type": "long"
- },
- "ttl": {
- "type": "long"
- },
- "ubiquiti": {
- "properties": {
- "input_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "output_zone": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rule_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rule_set": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "udp": {
- "properties": {
- "length": {
- "type": "long"
- }
- }
- }
- }
- },
- "jolokia": {
- "properties": {
- "agent": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "secured": {
- "type": "boolean"
- },
- "server": {
- "properties": {
- "product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "url": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "kafka": {
- "properties": {
- "block_timestamp": {
- "type": "date"
- },
- "key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log": {
- "properties": {
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "component": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "trace": {
- "properties": {
- "class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "norms": false,
- "type": "text"
- }
- }
- }
- }
- },
- "offset": {
- "type": "long"
- },
- "partition": {
- "type": "long"
- },
- "topic": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "kibana": {
- "properties": {
- "log": {
- "properties": {
- "meta": {
- "type": "object"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "kubernetes": {
- "properties": {
- "annotations": {
- "properties": {
- "*": {
- "type": "object"
- }
- }
- },
- "container": {
- "properties": {
- "image": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "deployment": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "labels": {
- "properties": {
- "*": {
- "type": "object"
- }
- }
- },
- "namespace": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "pod": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "replicaset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "statefulset": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "labels": {
- "type": "object"
- },
- "log": {
- "properties": {
- "file": {
- "properties": {
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "logger": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "offset": {
- "type": "long"
- },
- "origin": {
- "properties": {
- "file": {
- "properties": {
- "line": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "function": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "original": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "syslog": {
- "properties": {
- "facility": {
- "properties": {
- "code": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "priority": {
- "type": "long"
- },
- "severity": {
- "properties": {
- "code": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- },
- "type": "object"
- }
- }
- },
- "logstash": {
- "properties": {
- "log": {
- "properties": {
- "log_event": {
- "type": "object"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pipeline_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "thread": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "slowlog": {
- "properties": {
- "event": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "module": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "plugin_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "plugin_params": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "plugin_params_object": {
- "type": "object"
- },
- "plugin_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "thread": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "took_in_millis": {
- "type": "long"
- }
- }
- }
- }
- },
- "message": {
- "norms": false,
- "type": "text"
- },
- "misp": {
- "properties": {
- "attack_pattern": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kill_chain_phases": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "campaign": {
- "properties": {
- "aliases": {
- "norms": false,
- "type": "text"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "first_seen": {
- "type": "date"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen": {
- "type": "date"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "objective": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "course_of_action": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "identity": {
- "properties": {
- "contact_information": {
- "norms": false,
- "type": "text"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "identity_class": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sectors": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "intrusion_set": {
- "properties": {
- "aliases": {
- "norms": false,
- "type": "text"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "first_seen": {
- "type": "date"
- },
- "goals": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_seen": {
- "type": "date"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "primary_motivation": {
- "norms": false,
- "type": "text"
- },
- "resource_level": {
- "norms": false,
- "type": "text"
- },
- "secondary_motivations": {
- "norms": false,
- "type": "text"
- }
- }
- },
- "malware": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kill_chain_phases": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "note": {
- "properties": {
- "authors": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "object_refs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "summary": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "observed_data": {
- "properties": {
- "first_observed": {
- "type": "date"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_observed": {
- "type": "date"
- },
- "number_observed": {
- "type": "long"
- },
- "objects": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "report": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "object_refs": {
- "norms": false,
- "type": "text"
- },
- "published": {
- "type": "date"
- }
- }
- },
- "threat_actor": {
- "properties": {
- "aliases": {
- "norms": false,
- "type": "text"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "goals": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "personal_motivations": {
- "norms": false,
- "type": "text"
- },
- "primary_motivation": {
- "norms": false,
- "type": "text"
- },
- "resource_level": {
- "norms": false,
- "type": "text"
- },
- "roles": {
- "norms": false,
- "type": "text"
- },
- "secondary_motivations": {
- "norms": false,
- "type": "text"
- },
- "sophistication": {
- "norms": false,
- "type": "text"
- }
- }
- },
- "threat_indicator": {
- "properties": {
- "attack_pattern": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "attack_pattern_kql": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "campaign": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "confidence": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "description": {
- "norms": false,
- "type": "text"
- },
- "feed": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "intrusion_set": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kill_chain_phases": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mitre_tactic": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mitre_technique": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "negate": {
- "type": "boolean"
- },
- "severity": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat_actor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "valid_from": {
- "type": "date"
- },
- "valid_until": {
- "type": "date"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tool": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kill_chain_phases": {
- "norms": false,
- "type": "text"
- },
- "labels": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tool_version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vulnerability": {
- "properties": {
- "description": {
- "norms": false,
- "type": "text"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "mongodb": {
- "properties": {
- "log": {
- "properties": {
- "component": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "context": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "mssql": {
- "properties": {
- "log": {
- "properties": {
- "origin": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "mysql": {
- "properties": {
- "error": {
- "properties": {}
- },
- "slowlog": {
- "properties": {
- "bytes_received": {
- "type": "long"
- },
- "bytes_sent": {
- "type": "long"
- },
- "current_user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filesort": {
- "type": "boolean"
- },
- "filesort_on_disk": {
- "type": "boolean"
- },
- "full_join": {
- "type": "boolean"
- },
- "full_scan": {
- "type": "boolean"
- },
- "innodb": {
- "properties": {
- "io_r_bytes": {
- "type": "long"
- },
- "io_r_ops": {
- "type": "long"
- },
- "io_r_wait": {
- "properties": {
- "sec": {
- "type": "long"
- }
- }
- },
- "pages_distinct": {
- "type": "long"
- },
- "queue_wait": {
- "properties": {
- "sec": {
- "type": "long"
- }
- }
- },
- "rec_lock_wait": {
- "properties": {
- "sec": {
- "type": "long"
- }
- }
- },
- "trx_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "killed": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "last_errno": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "lock_time": {
- "properties": {
- "sec": {
- "type": "float"
- }
- }
- },
- "log_slow_rate_limit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log_slow_rate_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "merge_passes": {
- "type": "long"
- },
- "priority_queue": {
- "type": "boolean"
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "query_cache_hit": {
- "type": "boolean"
- },
- "read_first": {
- "type": "long"
- },
- "read_key": {
- "type": "long"
- },
- "read_last": {
- "type": "long"
- },
- "read_next": {
- "type": "long"
- },
- "read_prev": {
- "type": "long"
- },
- "read_rnd": {
- "type": "long"
- },
- "read_rnd_next": {
- "type": "long"
- },
- "rows_affected": {
- "type": "long"
- },
- "rows_examined": {
- "type": "long"
- },
- "rows_sent": {
- "type": "long"
- },
- "schema": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sort_merge_passes": {
- "type": "long"
- },
- "sort_range_count": {
- "type": "long"
- },
- "sort_rows": {
- "type": "long"
- },
- "sort_scan_count": {
- "type": "long"
- },
- "tmp_disk_tables": {
- "type": "long"
- },
- "tmp_table": {
- "type": "boolean"
- },
- "tmp_table_on_disk": {
- "type": "boolean"
- },
- "tmp_table_sizes": {
- "type": "long"
- },
- "tmp_tables": {
- "type": "long"
- }
- }
- },
- "thread_id": {
- "type": "long"
- }
- }
- },
- "nats": {
- "properties": {
- "log": {
- "properties": {
- "client": {
- "properties": {
- "id": {
- "type": "long"
- }
- }
- },
- "msg": {
- "properties": {
- "bytes": {
- "type": "long"
- },
- "error": {
- "properties": {
- "message": {
- "norms": false,
- "type": "text"
- }
- }
- },
- "max_messages": {
- "type": "long"
- },
- "queue_group": {
- "norms": false,
- "type": "text"
- },
- "reply_to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sid": {
- "type": "long"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "netflow": {
- "properties": {
- "absolute_error": {
- "type": "double"
- },
- "address_pool_high_threshold": {
- "type": "long"
- },
- "address_pool_low_threshold": {
- "type": "long"
- },
- "address_port_mapping_high_threshold": {
- "type": "long"
- },
- "address_port_mapping_low_threshold": {
- "type": "long"
- },
- "address_port_mapping_per_user_high_threshold": {
- "type": "long"
- },
- "anonymization_flags": {
- "type": "long"
- },
- "anonymization_technique": {
- "type": "long"
- },
- "application_category_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "application_description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "application_group_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "application_id": {
- "type": "short"
- },
- "application_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "application_sub_category_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bgp_destination_as_number": {
- "type": "long"
- },
- "bgp_next_adjacent_as_number": {
- "type": "long"
- },
- "bgp_next_hop_ipv4_address": {
- "type": "ip"
- },
- "bgp_next_hop_ipv6_address": {
- "type": "ip"
- },
- "bgp_prev_adjacent_as_number": {
- "type": "long"
- },
- "bgp_source_as_number": {
- "type": "long"
- },
- "bgp_validity_state": {
- "type": "short"
- },
- "biflow_direction": {
- "type": "short"
- },
- "class_id": {
- "type": "long"
- },
- "class_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "classification_engine_id": {
- "type": "short"
- },
- "collection_time_milliseconds": {
- "type": "date"
- },
- "collector_certificate": {
- "type": "short"
- },
- "collector_ipv4_address": {
- "type": "ip"
- },
- "collector_ipv6_address": {
- "type": "ip"
- },
- "collector_transport_port": {
- "type": "long"
- },
- "common_properties_id": {
- "type": "long"
- },
- "confidence_level": {
- "type": "double"
- },
- "connection_sum_duration_seconds": {
- "type": "long"
- },
- "connection_transaction_id": {
- "type": "long"
- },
- "data_link_frame_section": {
- "type": "short"
- },
- "data_link_frame_size": {
- "type": "long"
- },
- "data_link_frame_type": {
- "type": "long"
- },
- "data_records_reliability": {
- "type": "boolean"
- },
- "delta_flow_count": {
- "type": "long"
- },
- "destination_ipv4_address": {
- "type": "ip"
- },
- "destination_ipv4_prefix": {
- "type": "ip"
- },
- "destination_ipv4_prefix_length": {
- "type": "short"
- },
- "destination_ipv6_address": {
- "type": "ip"
- },
- "destination_ipv6_prefix": {
- "type": "ip"
- },
- "destination_ipv6_prefix_length": {
- "type": "short"
- },
- "destination_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "destination_transport_port": {
- "type": "long"
- },
- "digest_hash_value": {
- "type": "long"
- },
- "distinct_count_of_destination_ip_address": {
- "type": "long"
- },
- "distinct_count_of_destination_ipv4_address": {
- "type": "long"
- },
- "distinct_count_of_destination_ipv6_address": {
- "type": "long"
- },
- "distinct_count_of_source_ip_address": {
- "type": "long"
- },
- "distinct_count_of_source_ipv4_address": {
- "type": "long"
- },
- "distinct_count_of_source_ipv6_address": {
- "type": "long"
- },
- "dot1q_customer_dei": {
- "type": "boolean"
- },
- "dot1q_customer_destination_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dot1q_customer_priority": {
- "type": "short"
- },
- "dot1q_customer_source_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dot1q_customer_vlan_id": {
- "type": "long"
- },
- "dot1q_dei": {
- "type": "boolean"
- },
- "dot1q_priority": {
- "type": "short"
- },
- "dot1q_service_instance_id": {
- "type": "long"
- },
- "dot1q_service_instance_priority": {
- "type": "short"
- },
- "dot1q_service_instance_tag": {
- "type": "short"
- },
- "dot1q_vlan_id": {
- "type": "long"
- },
- "dropped_layer2_octet_delta_count": {
- "type": "long"
- },
- "dropped_layer2_octet_total_count": {
- "type": "long"
- },
- "dropped_octet_delta_count": {
- "type": "long"
- },
- "dropped_octet_total_count": {
- "type": "long"
- },
- "dropped_packet_delta_count": {
- "type": "long"
- },
- "dropped_packet_total_count": {
- "type": "long"
- },
- "dst_traffic_index": {
- "type": "long"
- },
- "egress_broadcast_packet_total_count": {
- "type": "long"
- },
- "egress_interface": {
- "type": "long"
- },
- "egress_interface_type": {
- "type": "long"
- },
- "egress_physical_interface": {
- "type": "long"
- },
- "egress_unicast_packet_total_count": {
- "type": "long"
- },
- "egress_vrfid": {
- "type": "long"
- },
- "encrypted_technology": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "engine_id": {
- "type": "short"
- },
- "engine_type": {
- "type": "short"
- },
- "ethernet_header_length": {
- "type": "short"
- },
- "ethernet_payload_length": {
- "type": "long"
- },
- "ethernet_total_length": {
- "type": "long"
- },
- "ethernet_type": {
- "type": "long"
- },
- "export_interface": {
- "type": "long"
- },
- "export_protocol_version": {
- "type": "short"
- },
- "export_sctp_stream_id": {
- "type": "long"
- },
- "export_transport_protocol": {
- "type": "short"
- },
- "exported_flow_record_total_count": {
- "type": "long"
- },
- "exported_message_total_count": {
- "type": "long"
- },
- "exported_octet_total_count": {
- "type": "long"
- },
- "exporter": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_id": {
- "type": "long"
- },
- "timestamp": {
- "type": "date"
- },
- "uptime_millis": {
- "type": "long"
- },
- "version": {
- "type": "long"
- }
- }
- },
- "exporter_certificate": {
- "type": "short"
- },
- "exporter_ipv4_address": {
- "type": "ip"
- },
- "exporter_ipv6_address": {
- "type": "ip"
- },
- "exporter_transport_port": {
- "type": "long"
- },
- "exporting_process_id": {
- "type": "long"
- },
- "external_address_realm": {
- "type": "short"
- },
- "firewall_event": {
- "type": "short"
- },
- "flags_and_sampler_id": {
- "type": "long"
- },
- "flow_active_timeout": {
- "type": "long"
- },
- "flow_direction": {
- "type": "short"
- },
- "flow_duration_microseconds": {
- "type": "long"
- },
- "flow_duration_milliseconds": {
- "type": "long"
- },
- "flow_end_delta_microseconds": {
- "type": "long"
- },
- "flow_end_microseconds": {
- "type": "date"
- },
- "flow_end_milliseconds": {
- "type": "date"
- },
- "flow_end_nanoseconds": {
- "type": "date"
- },
- "flow_end_reason": {
- "type": "short"
- },
- "flow_end_seconds": {
- "type": "date"
- },
- "flow_end_sys_up_time": {
- "type": "long"
- },
- "flow_id": {
- "type": "long"
- },
- "flow_idle_timeout": {
- "type": "long"
- },
- "flow_key_indicator": {
- "type": "long"
- },
- "flow_label_ipv6": {
- "type": "long"
- },
- "flow_sampling_time_interval": {
- "type": "long"
- },
- "flow_sampling_time_spacing": {
- "type": "long"
- },
- "flow_selected_flow_delta_count": {
- "type": "long"
- },
- "flow_selected_octet_delta_count": {
- "type": "long"
- },
- "flow_selected_packet_delta_count": {
- "type": "long"
- },
- "flow_selector_algorithm": {
- "type": "long"
- },
- "flow_start_delta_microseconds": {
- "type": "long"
- },
- "flow_start_microseconds": {
- "type": "date"
- },
- "flow_start_milliseconds": {
- "type": "date"
- },
- "flow_start_nanoseconds": {
- "type": "date"
- },
- "flow_start_seconds": {
- "type": "date"
- },
- "flow_start_sys_up_time": {
- "type": "long"
- },
- "forwarding_status": {
- "type": "short"
- },
- "fragment_flags": {
- "type": "short"
- },
- "fragment_identification": {
- "type": "long"
- },
- "fragment_offset": {
- "type": "long"
- },
- "global_address_mapping_high_threshold": {
- "type": "long"
- },
- "gre_key": {
- "type": "long"
- },
- "hash_digest_output": {
- "type": "boolean"
- },
- "hash_flow_domain": {
- "type": "long"
- },
- "hash_initialiser_value": {
- "type": "long"
- },
- "hash_ip_payload_offset": {
- "type": "long"
- },
- "hash_ip_payload_size": {
- "type": "long"
- },
- "hash_output_range_max": {
- "type": "long"
- },
- "hash_output_range_min": {
- "type": "long"
- },
- "hash_selected_range_max": {
- "type": "long"
- },
- "hash_selected_range_min": {
- "type": "long"
- },
- "http_content_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_message_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_reason_phrase": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_request_host": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_request_method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_request_target": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_status_code": {
- "type": "long"
- },
- "http_user_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_code_ipv4": {
- "type": "short"
- },
- "icmp_code_ipv6": {
- "type": "short"
- },
- "icmp_type_code_ipv4": {
- "type": "long"
- },
- "icmp_type_code_ipv6": {
- "type": "long"
- },
- "icmp_type_ipv4": {
- "type": "short"
- },
- "icmp_type_ipv6": {
- "type": "short"
- },
- "igmp_type": {
- "type": "short"
- },
- "ignored_data_record_total_count": {
- "type": "long"
- },
- "ignored_layer2_frame_total_count": {
- "type": "long"
- },
- "ignored_layer2_octet_total_count": {
- "type": "long"
- },
- "ignored_octet_total_count": {
- "type": "long"
- },
- "ignored_packet_total_count": {
- "type": "long"
- },
- "information_element_data_type": {
- "type": "short"
- },
- "information_element_description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "information_element_id": {
- "type": "long"
- },
- "information_element_index": {
- "type": "long"
- },
- "information_element_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "information_element_range_begin": {
- "type": "long"
- },
- "information_element_range_end": {
- "type": "long"
- },
- "information_element_semantics": {
- "type": "short"
- },
- "information_element_units": {
- "type": "long"
- },
- "ingress_broadcast_packet_total_count": {
- "type": "long"
- },
- "ingress_interface": {
- "type": "long"
- },
- "ingress_interface_type": {
- "type": "long"
- },
- "ingress_multicast_packet_total_count": {
- "type": "long"
- },
- "ingress_physical_interface": {
- "type": "long"
- },
- "ingress_unicast_packet_total_count": {
- "type": "long"
- },
- "ingress_vrfid": {
- "type": "long"
- },
- "initiator_octets": {
- "type": "long"
- },
- "initiator_packets": {
- "type": "long"
- },
- "interface_description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "interface_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "intermediate_process_id": {
- "type": "long"
- },
- "internal_address_realm": {
- "type": "short"
- },
- "ip_class_of_service": {
- "type": "short"
- },
- "ip_diff_serv_code_point": {
- "type": "short"
- },
- "ip_header_length": {
- "type": "short"
- },
- "ip_header_packet_section": {
- "type": "short"
- },
- "ip_next_hop_ipv4_address": {
- "type": "ip"
- },
- "ip_next_hop_ipv6_address": {
- "type": "ip"
- },
- "ip_payload_length": {
- "type": "long"
- },
- "ip_payload_packet_section": {
- "type": "short"
- },
- "ip_precedence": {
- "type": "short"
- },
- "ip_sec_spi": {
- "type": "long"
- },
- "ip_total_length": {
- "type": "long"
- },
- "ip_ttl": {
- "type": "short"
- },
- "ip_version": {
- "type": "short"
- },
- "ipv4_ihl": {
- "type": "short"
- },
- "ipv4_options": {
- "type": "long"
- },
- "ipv4_router_sc": {
- "type": "ip"
- },
- "ipv6_extension_headers": {
- "type": "long"
- },
- "is_multicast": {
- "type": "short"
- },
- "layer2_frame_delta_count": {
- "type": "long"
- },
- "layer2_frame_total_count": {
- "type": "long"
- },
- "layer2_octet_delta_count": {
- "type": "long"
- },
- "layer2_octet_delta_sum_of_squares": {
- "type": "long"
- },
- "layer2_octet_total_count": {
- "type": "long"
- },
- "layer2_octet_total_sum_of_squares": {
- "type": "long"
- },
- "layer2_segment_id": {
- "type": "long"
- },
- "layer2packet_section_data": {
- "type": "short"
- },
- "layer2packet_section_offset": {
- "type": "long"
- },
- "layer2packet_section_size": {
- "type": "long"
- },
- "line_card_id": {
- "type": "long"
- },
- "lower_ci_limit": {
- "type": "double"
- },
- "max_bib_entries": {
- "type": "long"
- },
- "max_entries_per_user": {
- "type": "long"
- },
- "max_export_seconds": {
- "type": "date"
- },
- "max_flow_end_microseconds": {
- "type": "date"
- },
- "max_flow_end_milliseconds": {
- "type": "date"
- },
- "max_flow_end_nanoseconds": {
- "type": "date"
- },
- "max_flow_end_seconds": {
- "type": "date"
- },
- "max_fragments_pending_reassembly": {
- "type": "long"
- },
- "max_session_entries": {
- "type": "long"
- },
- "max_subscribers": {
- "type": "long"
- },
- "maximum_ip_total_length": {
- "type": "long"
- },
- "maximum_layer2_total_length": {
- "type": "long"
- },
- "maximum_ttl": {
- "type": "short"
- },
- "message_md5_checksum": {
- "type": "short"
- },
- "message_scope": {
- "type": "short"
- },
- "metering_process_id": {
- "type": "long"
- },
- "metro_evc_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "metro_evc_type": {
- "type": "short"
- },
- "mib_capture_time_semantics": {
- "type": "short"
- },
- "mib_context_engine_id": {
- "type": "short"
- },
- "mib_context_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mib_index_indicator": {
- "type": "long"
- },
- "mib_module_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mib_object_description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mib_object_identifier": {
- "type": "short"
- },
- "mib_object_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mib_object_syntax": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mib_object_value_bits": {
- "type": "short"
- },
- "mib_object_value_counter": {
- "type": "long"
- },
- "mib_object_value_gauge": {
- "type": "long"
- },
- "mib_object_value_integer": {
- "type": "long"
- },
- "mib_object_value_ip_address": {
- "type": "ip"
- },
- "mib_object_value_octet_string": {
- "type": "short"
- },
- "mib_object_value_oid": {
- "type": "short"
- },
- "mib_object_value_time_ticks": {
- "type": "long"
- },
- "mib_object_value_unsigned": {
- "type": "long"
- },
- "mib_sub_identifier": {
- "type": "long"
- },
- "min_export_seconds": {
- "type": "date"
- },
- "min_flow_start_microseconds": {
- "type": "date"
- },
- "min_flow_start_milliseconds": {
- "type": "date"
- },
- "min_flow_start_nanoseconds": {
- "type": "date"
- },
- "min_flow_start_seconds": {
- "type": "date"
- },
- "minimum_ip_total_length": {
- "type": "long"
- },
- "minimum_layer2_total_length": {
- "type": "long"
- },
- "minimum_ttl": {
- "type": "short"
- },
- "mobile_imsi": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mobile_msisdn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "monitoring_interval_end_milli_seconds": {
- "type": "date"
- },
- "monitoring_interval_start_milli_seconds": {
- "type": "date"
- },
- "mpls_label_stack_depth": {
- "type": "long"
- },
- "mpls_label_stack_length": {
- "type": "long"
- },
- "mpls_label_stack_section": {
- "type": "short"
- },
- "mpls_label_stack_section10": {
- "type": "short"
- },
- "mpls_label_stack_section2": {
- "type": "short"
- },
- "mpls_label_stack_section3": {
- "type": "short"
- },
- "mpls_label_stack_section4": {
- "type": "short"
- },
- "mpls_label_stack_section5": {
- "type": "short"
- },
- "mpls_label_stack_section6": {
- "type": "short"
- },
- "mpls_label_stack_section7": {
- "type": "short"
- },
- "mpls_label_stack_section8": {
- "type": "short"
- },
- "mpls_label_stack_section9": {
- "type": "short"
- },
- "mpls_payload_length": {
- "type": "long"
- },
- "mpls_payload_packet_section": {
- "type": "short"
- },
- "mpls_top_label_exp": {
- "type": "short"
- },
- "mpls_top_label_ipv4_address": {
- "type": "ip"
- },
- "mpls_top_label_ipv6_address": {
- "type": "ip"
- },
- "mpls_top_label_prefix_length": {
- "type": "short"
- },
- "mpls_top_label_stack_section": {
- "type": "short"
- },
- "mpls_top_label_ttl": {
- "type": "short"
- },
- "mpls_top_label_type": {
- "type": "short"
- },
- "mpls_vpn_route_distinguisher": {
- "type": "short"
- },
- "multicast_replication_factor": {
- "type": "long"
- },
- "nat_event": {
- "type": "short"
- },
- "nat_instance_id": {
- "type": "long"
- },
- "nat_originating_address_realm": {
- "type": "short"
- },
- "nat_pool_id": {
- "type": "long"
- },
- "nat_pool_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat_quota_exceeded_event": {
- "type": "long"
- },
- "nat_threshold_event": {
- "type": "long"
- },
- "nat_type": {
- "type": "short"
- },
- "new_connection_delta_count": {
- "type": "long"
- },
- "next_header_ipv6": {
- "type": "short"
- },
- "not_sent_flow_total_count": {
- "type": "long"
- },
- "not_sent_layer2_octet_total_count": {
- "type": "long"
- },
- "not_sent_octet_total_count": {
- "type": "long"
- },
- "not_sent_packet_total_count": {
- "type": "long"
- },
- "observation_domain_id": {
- "type": "long"
- },
- "observation_domain_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "observation_point_id": {
- "type": "long"
- },
- "observation_point_type": {
- "type": "short"
- },
- "observation_time_microseconds": {
- "type": "date"
- },
- "observation_time_milliseconds": {
- "type": "date"
- },
- "observation_time_nanoseconds": {
- "type": "date"
- },
- "observation_time_seconds": {
- "type": "date"
- },
- "observed_flow_total_count": {
- "type": "long"
- },
- "octet_delta_count": {
- "type": "long"
- },
- "octet_delta_sum_of_squares": {
- "type": "long"
- },
- "octet_total_count": {
- "type": "long"
- },
- "octet_total_sum_of_squares": {
- "type": "long"
- },
- "opaque_octets": {
- "type": "short"
- },
- "original_exporter_ipv4_address": {
- "type": "ip"
- },
- "original_exporter_ipv6_address": {
- "type": "ip"
- },
- "original_flows_completed": {
- "type": "long"
- },
- "original_flows_initiated": {
- "type": "long"
- },
- "original_flows_present": {
- "type": "long"
- },
- "original_observation_domain_id": {
- "type": "long"
- },
- "p2p_technology": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packet_delta_count": {
- "type": "long"
- },
- "packet_total_count": {
- "type": "long"
- },
- "padding_octets": {
- "type": "short"
- },
- "payload_length_ipv6": {
- "type": "long"
- },
- "port_id": {
- "type": "long"
- },
- "port_range_end": {
- "type": "long"
- },
- "port_range_num_ports": {
- "type": "long"
- },
- "port_range_start": {
- "type": "long"
- },
- "port_range_step_size": {
- "type": "long"
- },
- "post_destination_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "post_dot1q_customer_vlan_id": {
- "type": "long"
- },
- "post_dot1q_vlan_id": {
- "type": "long"
- },
- "post_ip_class_of_service": {
- "type": "short"
- },
- "post_ip_diff_serv_code_point": {
- "type": "short"
- },
- "post_ip_precedence": {
- "type": "short"
- },
- "post_layer2_octet_delta_count": {
- "type": "long"
- },
- "post_layer2_octet_total_count": {
- "type": "long"
- },
- "post_mcast_layer2_octet_delta_count": {
- "type": "long"
- },
- "post_mcast_layer2_octet_total_count": {
- "type": "long"
- },
- "post_mcast_octet_delta_count": {
- "type": "long"
- },
- "post_mcast_octet_total_count": {
- "type": "long"
- },
- "post_mcast_packet_delta_count": {
- "type": "long"
- },
- "post_mcast_packet_total_count": {
- "type": "long"
- },
- "post_mpls_top_label_exp": {
- "type": "short"
- },
- "post_napt_destination_transport_port": {
- "type": "long"
- },
- "post_napt_source_transport_port": {
- "type": "long"
- },
- "post_nat_destination_ipv4_address": {
- "type": "ip"
- },
- "post_nat_destination_ipv6_address": {
- "type": "ip"
- },
- "post_nat_source_ipv4_address": {
- "type": "ip"
- },
- "post_nat_source_ipv6_address": {
- "type": "ip"
- },
- "post_octet_delta_count": {
- "type": "long"
- },
- "post_octet_total_count": {
- "type": "long"
- },
- "post_packet_delta_count": {
- "type": "long"
- },
- "post_packet_total_count": {
- "type": "long"
- },
- "post_source_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "post_vlan_id": {
- "type": "long"
- },
- "private_enterprise_number": {
- "type": "long"
- },
- "protocol_identifier": {
- "type": "short"
- },
- "pseudo_wire_control_word": {
- "type": "long"
- },
- "pseudo_wire_destination_ipv4_address": {
- "type": "ip"
- },
- "pseudo_wire_id": {
- "type": "long"
- },
- "pseudo_wire_type": {
- "type": "long"
- },
- "relative_error": {
- "type": "double"
- },
- "responder_octets": {
- "type": "long"
- },
- "responder_packets": {
- "type": "long"
- },
- "rfc3550_jitter_microseconds": {
- "type": "long"
- },
- "rfc3550_jitter_milliseconds": {
- "type": "long"
- },
- "rfc3550_jitter_nanoseconds": {
- "type": "long"
- },
- "rtp_sequence_number": {
- "type": "long"
- },
- "sampler_id": {
- "type": "short"
- },
- "sampler_mode": {
- "type": "short"
- },
- "sampler_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sampler_random_interval": {
- "type": "long"
- },
- "sampling_algorithm": {
- "type": "short"
- },
- "sampling_flow_interval": {
- "type": "long"
- },
- "sampling_flow_spacing": {
- "type": "long"
- },
- "sampling_interval": {
- "type": "long"
- },
- "sampling_packet_interval": {
- "type": "long"
- },
- "sampling_packet_space": {
- "type": "long"
- },
- "sampling_population": {
- "type": "long"
- },
- "sampling_probability": {
- "type": "double"
- },
- "sampling_size": {
- "type": "long"
- },
- "sampling_time_interval": {
- "type": "long"
- },
- "sampling_time_space": {
- "type": "long"
- },
- "section_exported_octets": {
- "type": "long"
- },
- "section_offset": {
- "type": "long"
- },
- "selection_sequence_id": {
- "type": "long"
- },
- "selector_algorithm": {
- "type": "long"
- },
- "selector_id": {
- "type": "long"
- },
- "selector_id_total_flows_observed": {
- "type": "long"
- },
- "selector_id_total_flows_selected": {
- "type": "long"
- },
- "selector_id_total_pkts_observed": {
- "type": "long"
- },
- "selector_id_total_pkts_selected": {
- "type": "long"
- },
- "selector_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "session_scope": {
- "type": "short"
- },
- "source_ipv4_address": {
- "type": "ip"
- },
- "source_ipv4_prefix": {
- "type": "ip"
- },
- "source_ipv4_prefix_length": {
- "type": "short"
- },
- "source_ipv6_address": {
- "type": "ip"
- },
- "source_ipv6_prefix": {
- "type": "ip"
- },
- "source_ipv6_prefix_length": {
- "type": "short"
- },
- "source_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source_transport_port": {
- "type": "long"
- },
- "source_transport_ports_limit": {
- "type": "long"
- },
- "src_traffic_index": {
- "type": "long"
- },
- "sta_ipv4_address": {
- "type": "ip"
- },
- "sta_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "system_init_time_milliseconds": {
- "type": "date"
- },
- "tcp_ack_total_count": {
- "type": "long"
- },
- "tcp_acknowledgement_number": {
- "type": "long"
- },
- "tcp_control_bits": {
- "type": "long"
- },
- "tcp_destination_port": {
- "type": "long"
- },
- "tcp_fin_total_count": {
- "type": "long"
- },
- "tcp_header_length": {
- "type": "short"
- },
- "tcp_options": {
- "type": "long"
- },
- "tcp_psh_total_count": {
- "type": "long"
- },
- "tcp_rst_total_count": {
- "type": "long"
- },
- "tcp_sequence_number": {
- "type": "long"
- },
- "tcp_source_port": {
- "type": "long"
- },
- "tcp_syn_total_count": {
- "type": "long"
- },
- "tcp_urg_total_count": {
- "type": "long"
- },
- "tcp_urgent_pointer": {
- "type": "long"
- },
- "tcp_window_scale": {
- "type": "long"
- },
- "tcp_window_size": {
- "type": "long"
- },
- "template_id": {
- "type": "long"
- },
- "total_length_ipv4": {
- "type": "long"
- },
- "transport_octet_delta_count": {
- "type": "long"
- },
- "transport_packet_delta_count": {
- "type": "long"
- },
- "tunnel_technology": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "udp_destination_port": {
- "type": "long"
- },
- "udp_message_length": {
- "type": "long"
- },
- "udp_source_port": {
- "type": "long"
- },
- "upper_ci_limit": {
- "type": "double"
- },
- "user_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value_distribution_method": {
- "type": "short"
- },
- "virtual_station_interface_id": {
- "type": "short"
- },
- "virtual_station_interface_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "virtual_station_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "virtual_station_uuid": {
- "type": "short"
- },
- "vlan_id": {
- "type": "long"
- },
- "vpn_identifier": {
- "type": "short"
- },
- "vr_fname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "wlan_channel_id": {
- "type": "short"
- },
- "wlan_ssid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "wtp_mac_address": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "network": {
- "properties": {
- "application": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bytes": {
- "type": "long"
- },
- "community_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "forwarded_ip": {
- "type": "ip"
- },
- "iana_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packets": {
- "type": "long"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "transport": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "nginx": {
- "properties": {
- "access": {
- "properties": {
- "geoip": {
- "properties": {}
- },
- "user_agent": {
- "properties": {}
- }
- }
- },
- "error": {
- "properties": {
- "connection_id": {
- "type": "long"
- }
- }
- }
- }
- },
- "object_key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "observer": {
- "properties": {
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "product": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "serial_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "organization": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "osquery": {
- "properties": {
- "result": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "calendar_time": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host_identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "unix_time": {
- "type": "long"
- }
- }
- }
- }
- },
- "package": {
- "properties": {
- "architecture": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "build_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "checksum": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "install_scope": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "installed": {
- "type": "date"
- },
- "license": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "panw": {
- "properties": {
- "panos": {
- "properties": {
- "destination": {
- "properties": {
- "interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "zone": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "file": {
- "properties": {
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "flow_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "network": {
- "properties": {
- "nat": {
- "properties": {
- "community_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "pcap_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ruleset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sequence_number": {
- "type": "long"
- },
- "source": {
- "properties": {
- "interface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "zone": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "threat": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resource": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "url": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- },
- "postgresql": {
- "properties": {
- "log": {
- "properties": {
- "core_id": {
- "type": "long"
- },
- "database": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error": {
- "properties": {
- "code": {
- "type": "long"
- }
- }
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "query_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "query_step": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "timestamp": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "process": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "args_count": {
- "type": "long"
- },
- "command_line": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "executable": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "exit_code": {
- "type": "long"
- },
- "hash": {
- "properties": {
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha512": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "parent": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "args_count": {
- "type": "long"
- },
- "command_line": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "executable": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "exit_code": {
- "type": "long"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pgid": {
- "type": "long"
- },
- "pid": {
- "type": "long"
- },
- "ppid": {
- "type": "long"
- },
- "start": {
- "type": "date"
- },
- "thread": {
- "properties": {
- "id": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "title": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uptime": {
- "type": "long"
- },
- "working_directory": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "pgid": {
- "type": "long"
- },
- "pid": {
- "type": "long"
- },
- "ppid": {
- "type": "long"
- },
- "program": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "start": {
- "type": "date"
- },
- "thread": {
- "properties": {
- "id": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "title": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uptime": {
- "type": "long"
- },
- "working_directory": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "rabbitmq": {
- "properties": {
- "log": {
- "properties": {
- "pid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "redis": {
- "properties": {
- "log": {
- "properties": {
- "role": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "slowlog": {
- "properties": {
- "args": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "properties": {
- "us": {
- "type": "long"
- }
- }
- },
- "id": {
- "type": "long"
- },
- "key": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "registry": {
- "properties": {
- "data": {
- "properties": {
- "bytes": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "strings": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hive": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "related": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "rule": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "description": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ruleset": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "santa": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "decision": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "disk": {
- "properties": {
- "bsdname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "bus": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fs": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "model": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mount": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "serial": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "volume": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "mode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "server": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "as": {
- "properties": {
- "number": {
- "type": "long"
- },
- "organization": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "service": {
- "properties": {
- "ephemeral_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "source": {
- "properties": {
- "address": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "as": {
- "properties": {
- "number": {
- "type": "long"
- },
- "organization": {
- "properties": {
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "bytes": {
- "type": "long"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geo": {
- "properties": {
- "city_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "continent_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "location": {
- "type": "geo_point"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_iso_code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "region_name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ip": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nat": {
- "properties": {
- "ip": {
- "type": "ip"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "packets": {
- "type": "long"
- },
- "port": {
- "type": "long"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "stream": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "suricata": {
- "properties": {
- "eve": {
- "properties": {
- "alert": {
- "properties": {
- "action": {
- "path": "event.outcome",
- "type": "alias"
- },
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "gid": {
- "type": "long"
- },
- "rev": {
- "type": "long"
- },
- "severity": {
- "path": "event.severity",
- "type": "alias"
- },
- "signature": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "signature_id": {
- "type": "long"
- }
- }
- },
- "app_proto": {
- "path": "network.protocol",
- "type": "alias"
- },
- "app_proto_expected": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "app_proto_orig": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "app_proto_tc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "app_proto_ts": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dest_ip": {
- "path": "destination.ip",
- "type": "alias"
- },
- "dest_port": {
- "path": "destination.port",
- "type": "alias"
- },
- "dns": {
- "properties": {
- "id": {
- "type": "long"
- },
- "rcode": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rdata": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rrname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rrtype": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ttl": {
- "type": "long"
- },
- "tx_id": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "email": {
- "properties": {
- "status": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "event_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fileinfo": {
- "properties": {
- "filename": {
- "path": "file.path",
- "type": "alias"
- },
- "gaps": {
- "type": "boolean"
- },
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "path": "file.size",
- "type": "alias"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "stored": {
- "type": "boolean"
- },
- "tx_id": {
- "type": "long"
- }
- }
- },
- "flags": {
- "properties": {}
- },
- "flow": {
- "properties": {
- "age": {
- "type": "long"
- },
- "alerted": {
- "type": "boolean"
- },
- "bytes_toclient": {
- "path": "destination.bytes",
- "type": "alias"
- },
- "bytes_toserver": {
- "path": "source.bytes",
- "type": "alias"
- },
- "end": {
- "type": "date"
- },
- "pkts_toclient": {
- "path": "destination.packets",
- "type": "alias"
- },
- "pkts_toserver": {
- "path": "source.packets",
- "type": "alias"
- },
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "start": {
- "path": "event.start",
- "type": "alias"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "flow_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http": {
- "properties": {
- "hostname": {
- "path": "url.domain",
- "type": "alias"
- },
- "http_content_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "http_method": {
- "path": "http.request.method",
- "type": "alias"
- },
- "http_refer": {
- "path": "http.request.referrer",
- "type": "alias"
- },
- "http_user_agent": {
- "path": "user_agent.original",
- "type": "alias"
- },
- "length": {
- "path": "http.response.body.bytes",
- "type": "alias"
- },
- "protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "redirect": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status": {
- "path": "http.response.status_code",
- "type": "alias"
- },
- "url": {
- "path": "url.original",
- "type": "alias"
- }
- }
- },
- "icmp_code": {
- "type": "long"
- },
- "icmp_type": {
- "type": "long"
- },
- "in_iface": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pcap_cnt": {
- "type": "long"
- },
- "proto": {
- "path": "network.transport",
- "type": "alias"
- },
- "smtp": {
- "properties": {
- "helo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mail_from": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rcpt_to": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "src_ip": {
- "path": "source.ip",
- "type": "alias"
- },
- "src_port": {
- "path": "source.port",
- "type": "alias"
- },
- "ssh": {
- "properties": {
- "client": {
- "properties": {
- "proto_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "software_version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "server": {
- "properties": {
- "proto_version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "software_version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "stats": {
- "properties": {
- "app_layer": {
- "properties": {
- "flow": {
- "properties": {
- "dcerpc_tcp": {
- "type": "long"
- },
- "dcerpc_udp": {
- "type": "long"
- },
- "dns_tcp": {
- "type": "long"
- },
- "dns_udp": {
- "type": "long"
- },
- "failed_tcp": {
- "type": "long"
- },
- "failed_udp": {
- "type": "long"
- },
- "ftp": {
- "type": "long"
- },
- "http": {
- "type": "long"
- },
- "imap": {
- "type": "long"
- },
- "msn": {
- "type": "long"
- },
- "smb": {
- "type": "long"
- },
- "smtp": {
- "type": "long"
- },
- "ssh": {
- "type": "long"
- },
- "tls": {
- "type": "long"
- }
- }
- },
- "tx": {
- "properties": {
- "dcerpc_tcp": {
- "type": "long"
- },
- "dcerpc_udp": {
- "type": "long"
- },
- "dns_tcp": {
- "type": "long"
- },
- "dns_udp": {
- "type": "long"
- },
- "ftp": {
- "type": "long"
- },
- "http": {
- "type": "long"
- },
- "smb": {
- "type": "long"
- },
- "smtp": {
- "type": "long"
- },
- "ssh": {
- "type": "long"
- },
- "tls": {
- "type": "long"
- }
- }
- }
- }
- },
- "capture": {
- "properties": {
- "kernel_drops": {
- "type": "long"
- },
- "kernel_ifdrops": {
- "type": "long"
- },
- "kernel_packets": {
- "type": "long"
- }
- }
- },
- "decoder": {
- "properties": {
- "avg_pkt_size": {
- "type": "long"
- },
- "bytes": {
- "type": "long"
- },
- "dce": {
- "properties": {
- "pkt_too_small": {
- "type": "long"
- }
- }
- },
- "erspan": {
- "type": "long"
- },
- "ethernet": {
- "type": "long"
- },
- "gre": {
- "type": "long"
- },
- "icmpv4": {
- "type": "long"
- },
- "icmpv6": {
- "type": "long"
- },
- "ieee8021ah": {
- "type": "long"
- },
- "invalid": {
- "type": "long"
- },
- "ipraw": {
- "properties": {
- "invalid_ip_version": {
- "type": "long"
- }
- }
- },
- "ipv4": {
- "type": "long"
- },
- "ipv4_in_ipv6": {
- "type": "long"
- },
- "ipv6": {
- "type": "long"
- },
- "ipv6_in_ipv6": {
- "type": "long"
- },
- "ltnull": {
- "properties": {
- "pkt_too_small": {
- "type": "long"
- },
- "unsupported_type": {
- "type": "long"
- }
- }
- },
- "max_pkt_size": {
- "type": "long"
- },
- "mpls": {
- "type": "long"
- },
- "null": {
- "type": "long"
- },
- "pkts": {
- "type": "long"
- },
- "ppp": {
- "type": "long"
- },
- "pppoe": {
- "type": "long"
- },
- "raw": {
- "type": "long"
- },
- "sctp": {
- "type": "long"
- },
- "sll": {
- "type": "long"
- },
- "tcp": {
- "type": "long"
- },
- "teredo": {
- "type": "long"
- },
- "udp": {
- "type": "long"
- },
- "vlan": {
- "type": "long"
- },
- "vlan_qinq": {
- "type": "long"
- }
- }
- },
- "defrag": {
- "properties": {
- "ipv4": {
- "properties": {
- "fragments": {
- "type": "long"
- },
- "reassembled": {
- "type": "long"
- },
- "timeouts": {
- "type": "long"
- }
- }
- },
- "ipv6": {
- "properties": {
- "fragments": {
- "type": "long"
- },
- "reassembled": {
- "type": "long"
- },
- "timeouts": {
- "type": "long"
- }
- }
- },
- "max_frag_hits": {
- "type": "long"
- }
- }
- },
- "detect": {
- "properties": {
- "alert": {
- "type": "long"
- }
- }
- },
- "dns": {
- "properties": {
- "memcap_global": {
- "type": "long"
- },
- "memcap_state": {
- "type": "long"
- },
- "memuse": {
- "type": "long"
- }
- }
- },
- "file_store": {
- "properties": {
- "open_files": {
- "type": "long"
- }
- }
- },
- "flow": {
- "properties": {
- "emerg_mode_entered": {
- "type": "long"
- },
- "emerg_mode_over": {
- "type": "long"
- },
- "icmpv4": {
- "type": "long"
- },
- "icmpv6": {
- "type": "long"
- },
- "memcap": {
- "type": "long"
- },
- "memuse": {
- "type": "long"
- },
- "spare": {
- "type": "long"
- },
- "tcp": {
- "type": "long"
- },
- "tcp_reuse": {
- "type": "long"
- },
- "udp": {
- "type": "long"
- }
- }
- },
- "flow_mgr": {
- "properties": {
- "bypassed_pruned": {
- "type": "long"
- },
- "closed_pruned": {
- "type": "long"
- },
- "est_pruned": {
- "type": "long"
- },
- "flows_checked": {
- "type": "long"
- },
- "flows_notimeout": {
- "type": "long"
- },
- "flows_removed": {
- "type": "long"
- },
- "flows_timeout": {
- "type": "long"
- },
- "flows_timeout_inuse": {
- "type": "long"
- },
- "new_pruned": {
- "type": "long"
- },
- "rows_busy": {
- "type": "long"
- },
- "rows_checked": {
- "type": "long"
- },
- "rows_empty": {
- "type": "long"
- },
- "rows_maxlen": {
- "type": "long"
- },
- "rows_skipped": {
- "type": "long"
- }
- }
- },
- "http": {
- "properties": {
- "memcap": {
- "type": "long"
- },
- "memuse": {
- "type": "long"
- }
- }
- },
- "tcp": {
- "properties": {
- "insert_data_normal_fail": {
- "type": "long"
- },
- "insert_data_overlap_fail": {
- "type": "long"
- },
- "insert_list_fail": {
- "type": "long"
- },
- "invalid_checksum": {
- "type": "long"
- },
- "memuse": {
- "type": "long"
- },
- "no_flow": {
- "type": "long"
- },
- "overlap": {
- "type": "long"
- },
- "overlap_diff_data": {
- "type": "long"
- },
- "pseudo": {
- "type": "long"
- },
- "pseudo_failed": {
- "type": "long"
- },
- "reassembly_gap": {
- "type": "long"
- },
- "reassembly_memuse": {
- "type": "long"
- },
- "rst": {
- "type": "long"
- },
- "segment_memcap_drop": {
- "type": "long"
- },
- "sessions": {
- "type": "long"
- },
- "ssn_memcap_drop": {
- "type": "long"
- },
- "stream_depth_reached": {
- "type": "long"
- },
- "syn": {
- "type": "long"
- },
- "synack": {
- "type": "long"
- }
- }
- },
- "uptime": {
- "type": "long"
- }
- }
- },
- "tcp": {
- "properties": {
- "ack": {
- "type": "boolean"
- },
- "fin": {
- "type": "boolean"
- },
- "psh": {
- "type": "boolean"
- },
- "rst": {
- "type": "boolean"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "syn": {
- "type": "boolean"
- },
- "tcp_flags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcp_flags_tc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tcp_flags_ts": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "timestamp": {
- "path": "@timestamp",
- "type": "alias"
- },
- "tls": {
- "properties": {
- "fingerprint": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "issuerdn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "notafter": {
- "type": "date"
- },
- "notbefore": {
- "type": "date"
- },
- "serial": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "session_resumed": {
- "type": "boolean"
- },
- "sni": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tx_id": {
- "type": "long"
- }
- }
- }
- }
- },
- "syslog": {
- "properties": {
- "facility": {
- "type": "long"
- },
- "facility_label": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "priority": {
- "type": "long"
- },
- "severity_label": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "system": {
- "properties": {
- "auth": {
- "properties": {
- "groupadd": {
- "properties": {}
- },
- "ssh": {
- "properties": {
- "dropped_ip": {
- "type": "ip"
- },
- "event": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geoip": {
- "properties": {}
- },
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "signature": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "sudo": {
- "properties": {
- "command": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tty": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "useradd": {
- "properties": {
- "home": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "shell": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "syslog": {
- "properties": {}
- }
- }
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "threat": {
- "properties": {
- "framework": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tactic": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "technique": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "timeseries": {
- "properties": {
- "instance": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tls": {
- "properties": {
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "client": {
- "properties": {
- "certificate": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "certificate_chain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "issuer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ja3": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "not_after": {
- "type": "date"
- },
- "not_before": {
- "type": "date"
- },
- "server_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "supported_ciphers": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "curve": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "established": {
- "type": "boolean"
- },
- "next_protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resumed": {
- "type": "boolean"
- },
- "server": {
- "properties": {
- "certificate": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "certificate_chain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "issuer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ja3s": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "not_after": {
- "type": "date"
- },
- "not_before": {
- "type": "date"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version_protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tracing": {
- "properties": {
- "trace": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "transaction": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "traefik": {
- "properties": {
- "access": {
- "properties": {
- "backend_url": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "frontend_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "geoip": {
- "properties": {
- "city_name": {
- "path": "source.geo.city_name",
- "type": "alias"
- },
- "continent_name": {
- "path": "source.geo.continent_name",
- "type": "alias"
- },
- "country_iso_code": {
- "path": "source.geo.country_iso_code",
- "type": "alias"
- },
- "location": {
- "path": "source.geo.location",
- "type": "alias"
- },
- "region_iso_code": {
- "path": "source.geo.region_iso_code",
- "type": "alias"
- },
- "region_name": {
- "path": "source.geo.region_name",
- "type": "alias"
- }
- }
- },
- "request_count": {
- "type": "long"
- },
- "user_agent": {
- "properties": {
- "device": {
- "path": "user_agent.device.name",
- "type": "alias"
- },
- "name": {
- "path": "user_agent.name",
- "type": "alias"
- },
- "original": {
- "path": "user_agent.original",
- "type": "alias"
- },
- "os": {
- "path": "user_agent.os.full_name",
- "type": "alias"
- },
- "os_name": {
- "path": "user_agent.os.name",
- "type": "alias"
- }
- }
- },
- "user_identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "url": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "extension": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fragment": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "registered_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scheme": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "top_level_domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "properties": {
- "audit": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "effective": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "filesystem": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "full_name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "group": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "hash": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "owner": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "saved": {
- "properties": {
- "group": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "terminal": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user_agent": {
- "properties": {
- "device": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "original": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "properties": {
- "family": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "full_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "kernel": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "platform": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "vulnerability": {
- "properties": {
- "category": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "classification": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "description": {
- "fields": {
- "text": {
- "norms": false,
- "type": "text"
- }
- },
- "ignore_above": 1024,
- "type": "keyword"
- },
- "enumeration": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reference": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "report_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "scanner": {
- "properties": {
- "vendor": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "score": {
- "properties": {
- "base": {
- "type": "float"
- },
- "environmental": {
- "type": "float"
- },
- "temporal": {
- "type": "float"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "severity": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "zeek": {
- "properties": {
- "capture_loss": {
- "properties": {
- "acks": {
- "type": "long"
- },
- "gaps": {
- "type": "long"
- },
- "peer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "percent_lost": {
- "type": "double"
- },
- "ts_delta": {
- "type": "long"
- }
- }
- },
- "connection": {
- "properties": {
- "history": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp": {
- "properties": {
- "code": {
- "type": "long"
- },
- "type": {
- "type": "long"
- }
- }
- },
- "inner_vlan": {
- "type": "long"
- },
- "local_orig": {
- "type": "boolean"
- },
- "local_resp": {
- "type": "boolean"
- },
- "missed_bytes": {
- "type": "long"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state_message": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "vlan": {
- "type": "long"
- }
- }
- },
- "dce_rpc": {
- "properties": {
- "endpoint": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "named_pipe": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "operation": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rtt": {
- "type": "long"
- }
- }
- },
- "dhcp": {
- "properties": {
- "address": {
- "properties": {
- "assigned": {
- "type": "ip"
- },
- "client": {
- "type": "ip"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "requested": {
- "type": "ip"
- },
- "server": {
- "type": "ip"
- }
- }
- },
- "client_fqdn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "type": "double"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "id": {
- "properties": {
- "circuit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "remote_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subscriber": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "lease_time": {
- "type": "long"
- },
- "msg": {
- "properties": {
- "client": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "origin": {
- "type": "ip"
- },
- "server": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "types": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "software": {
- "properties": {
- "client": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "dnp3": {
- "properties": {
- "function": {
- "properties": {
- "reply": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "id": {
- "type": "long"
- }
- }
- },
- "dns": {
- "properties": {
- "AA": {
- "type": "boolean"
- },
- "RA": {
- "type": "boolean"
- },
- "RD": {
- "type": "boolean"
- },
- "TC": {
- "type": "boolean"
- },
- "TTLs": {
- "type": "double"
- },
- "answers": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "qclass": {
- "type": "long"
- },
- "qclass_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "qtype": {
- "type": "long"
- },
- "qtype_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "query": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rcode": {
- "type": "long"
- },
- "rcode_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rejected": {
- "type": "boolean"
- },
- "rtt": {
- "type": "double"
- },
- "saw_query": {
- "type": "boolean"
- },
- "saw_reply": {
- "type": "boolean"
- },
- "total_answers": {
- "type": "long"
- },
- "total_replies": {
- "type": "long"
- },
- "trans_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "dpd": {
- "properties": {
- "analyzer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "failure_reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "packet_segment": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "files": {
- "properties": {
- "analyzers": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "depth": {
- "type": "long"
- },
- "duration": {
- "type": "double"
- },
- "entropy": {
- "type": "double"
- },
- "extracted": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "extracted_cutoff": {
- "type": "boolean"
- },
- "extracted_size": {
- "type": "long"
- },
- "filename": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "is_orig": {
- "type": "boolean"
- },
- "local_orig": {
- "type": "boolean"
- },
- "md5": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mime_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "missing_bytes": {
- "type": "long"
- },
- "overflow_bytes": {
- "type": "long"
- },
- "parent_fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rx_host": {
- "type": "ip"
- },
- "seen_bytes": {
- "type": "long"
- },
- "session_ids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha1": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sha256": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "timedout": {
- "type": "boolean"
- },
- "total_bytes": {
- "type": "long"
- },
- "tx_host": {
- "type": "ip"
- }
- }
- },
- "ftp": {
- "properties": {
- "arg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "capture_password": {
- "type": "boolean"
- },
- "cmdarg": {
- "properties": {
- "arg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seq": {
- "type": "long"
- }
- }
- },
- "command": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cwd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "data_channel": {
- "properties": {
- "originating_host": {
- "type": "ip"
- },
- "passive": {
- "type": "boolean"
- },
- "response_host": {
- "type": "ip"
- },
- "response_port": {
- "type": "long"
- }
- }
- },
- "file": {
- "properties": {
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mime_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- }
- }
- },
- "last_auth_requested": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "passive": {
- "type": "boolean"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "pending_commands": {
- "type": "long"
- },
- "reply": {
- "properties": {
- "code": {
- "type": "long"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "http": {
- "properties": {
- "captured_password": {
- "type": "boolean"
- },
- "client_header_names": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "info_code": {
- "type": "long"
- },
- "info_msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "orig_filenames": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "orig_fuids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "orig_mime_depth": {
- "type": "long"
- },
- "orig_mime_types": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "proxied": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "range_request": {
- "type": "boolean"
- },
- "resp_filenames": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resp_fuids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resp_mime_depth": {
- "type": "long"
- },
- "resp_mime_types": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server_header_names": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status_msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tags": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "trans_depth": {
- "type": "long"
- }
- }
- },
- "intel": {
- "properties": {
- "file_desc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "file_mime_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "matched": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seen": {
- "properties": {
- "conn": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "f": {
- "type": "object"
- },
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "indicator": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "indicator_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "node": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "where": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "sources": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "irc": {
- "properties": {
- "addl": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "command": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dcc": {
- "properties": {
- "file": {
- "properties": {
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- }
- }
- },
- "mime_type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "nick": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "kerberos": {
- "properties": {
- "cert": {
- "properties": {
- "client": {
- "properties": {
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "server": {
- "properties": {
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "value": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "client": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "error": {
- "properties": {
- "code": {
- "type": "long"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "forwardable": {
- "type": "boolean"
- },
- "renewable": {
- "type": "boolean"
- },
- "request_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "success": {
- "type": "boolean"
- },
- "ticket": {
- "properties": {
- "auth": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "new": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "valid": {
- "properties": {
- "days": {
- "type": "long"
- },
- "from": {
- "type": "date"
- },
- "until": {
- "type": "date"
- }
- }
- }
- }
- },
- "modbus": {
- "properties": {
- "exception": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "function": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "track_address": {
- "type": "long"
- }
- }
- },
- "mysql": {
- "properties": {
- "arg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cmd": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "response": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "rows": {
- "type": "long"
- },
- "success": {
- "type": "boolean"
- }
- }
- },
- "notice": {
- "properties": {
- "actions": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "connection_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "dropped": {
- "type": "boolean"
- },
- "email_body_sections": {
- "norms": false,
- "type": "text"
- },
- "email_delay_tokens": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "false": {
- "type": "long"
- },
- "ffile": {
- "properties": {
- "total_bytes": {
- "type": "long"
- }
- }
- },
- "file": {
- "properties": {
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "is_orig": {
- "type": "boolean"
- },
- "mime_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "missing_bytes": {
- "type": "long"
- },
- "overflow_bytes": {
- "type": "long"
- },
- "parent_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "seen_bytes": {
- "type": "long"
- },
- "source": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "fuid": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "icmp_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "note": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "peer_descr": {
- "norms": false,
- "type": "text"
- },
- "peer_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "suppress_for": {
- "type": "double"
- }
- }
- },
- "ntlm": {
- "properties": {
- "domain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hostname": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server": {
- "properties": {
- "name": {
- "properties": {
- "dns": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "netbios": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tree": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "success": {
- "type": "boolean"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "ocsp": {
- "properties": {
- "file_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "hash": {
- "properties": {
- "algorithm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "issuer": {
- "properties": {
- "key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "revoke": {
- "properties": {
- "reason": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "time": {
- "type": "date"
- }
- }
- },
- "serial_number": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "update": {
- "properties": {
- "next": {
- "type": "date"
- },
- "this": {
- "type": "date"
- }
- }
- }
- }
- },
- "pe": {
- "properties": {
- "client": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "compile_time": {
- "type": "date"
- },
- "has_cert_table": {
- "type": "boolean"
- },
- "has_debug_data": {
- "type": "boolean"
- },
- "has_export_table": {
- "type": "boolean"
- },
- "has_import_table": {
- "type": "boolean"
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "is_64bit": {
- "type": "boolean"
- },
- "is_exe": {
- "type": "boolean"
- },
- "machine": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "os": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "section_names": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subsystem": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uses_aslr": {
- "type": "boolean"
- },
- "uses_code_integrity": {
- "type": "boolean"
- },
- "uses_dep": {
- "type": "boolean"
- },
- "uses_seh": {
- "type": "boolean"
- }
- }
- },
- "radius": {
- "properties": {
- "connect_info": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "framed_addr": {
- "type": "ip"
- },
- "logged": {
- "type": "boolean"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "remote_ip": {
- "type": "ip"
- },
- "reply_msg": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "result": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ttl": {
- "type": "long"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "rdp": {
- "properties": {
- "cert": {
- "properties": {
- "count": {
- "type": "long"
- },
- "permanent": {
- "type": "boolean"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "client": {
- "properties": {
- "build": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "client_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "product_id": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "cookie": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "desktop": {
- "properties": {
- "color_depth": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "height": {
- "type": "long"
- },
- "width": {
- "type": "long"
- }
- }
- },
- "done": {
- "type": "boolean"
- },
- "encryption": {
- "properties": {
- "level": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "keyboard_layout": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "result": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "security_protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ssl": {
- "type": "boolean"
- }
- }
- },
- "rfb": {
- "properties": {
- "auth": {
- "properties": {
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "success": {
- "type": "boolean"
- }
- }
- },
- "desktop_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "height": {
- "type": "long"
- },
- "share_flag": {
- "type": "boolean"
- },
- "version": {
- "properties": {
- "client": {
- "properties": {
- "major": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "minor": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "server": {
- "properties": {
- "major": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "minor": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "width": {
- "type": "long"
- }
- }
- },
- "session_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sip": {
- "properties": {
- "call_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "content_type": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "date": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reply_to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request": {
- "properties": {
- "body_length": {
- "type": "long"
- },
- "from": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "to": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "response": {
- "properties": {
- "body_length": {
- "type": "long"
- },
- "from": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "to": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "sequence": {
- "properties": {
- "method": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "number": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "status": {
- "properties": {
- "code": {
- "type": "long"
- },
- "msg": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "transaction_depth": {
- "type": "long"
- },
- "uri": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "warning": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "smb_cmd": {
- "properties": {
- "argument": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "command": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "file": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host": {
- "properties": {
- "rx": {
- "type": "ip"
- },
- "tx": {
- "type": "ip"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "uid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "rtt": {
- "type": "double"
- },
- "smb1_offered_dialects": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "smb2_offered_dialects": {
- "type": "long"
- },
- "status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "sub_command": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tree": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tree_service": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "username": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "smb_files": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fid": {
- "type": "long"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "previous_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "size": {
- "type": "long"
- },
- "times": {
- "properties": {
- "accessed": {
- "type": "date"
- },
- "changed": {
- "type": "date"
- },
- "created": {
- "type": "date"
- },
- "modified": {
- "type": "date"
- }
- }
- },
- "uuid": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "smb_mapping": {
- "properties": {
- "native_file_system": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "service": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "share_type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "smtp": {
- "properties": {
- "cc": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "date": {
- "type": "date"
- },
- "first_received": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "from": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "fuids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "has_client_activity": {
- "type": "boolean"
- },
- "helo": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "in_reply_to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "is_webmail": {
- "type": "boolean"
- },
- "last_reply": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mail_from": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "msg_id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "path": {
- "type": "ip"
- },
- "process_received_from": {
- "type": "boolean"
- },
- "rcpt_to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reply_to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "second_received": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "tls": {
- "type": "boolean"
- },
- "to": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "transaction_depth": {
- "type": "long"
- },
- "user_agent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "x_originating_ip": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "snmp": {
- "properties": {
- "community": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "display_string": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "duration": {
- "type": "double"
- },
- "get": {
- "properties": {
- "bulk_requests": {
- "type": "long"
- },
- "requests": {
- "type": "long"
- },
- "responses": {
- "type": "long"
- }
- }
- },
- "set": {
- "properties": {
- "requests": {
- "type": "long"
- }
- }
- },
- "up_since": {
- "type": "date"
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "socks": {
- "properties": {
- "bound": {
- "properties": {
- "host": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "capture_password": {
- "type": "boolean"
- },
- "password": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "request": {
- "properties": {
- "host": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "port": {
- "type": "long"
- }
- }
- },
- "status": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "user": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "type": "long"
- }
- }
- },
- "ssh": {
- "properties": {
- "algorithm": {
- "properties": {
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "compression": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host_key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "key_exchange": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "mac": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "auth": {
- "properties": {
- "attempts": {
- "type": "long"
- },
- "success": {
- "type": "boolean"
- }
- }
- },
- "client": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "direction": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "host_key": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "server": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "version": {
- "type": "long"
- }
- }
- },
- "ssl": {
- "properties": {
- "cipher": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "client": {
- "properties": {
- "cert_chain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cert_chain_fuids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "issuer": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "subject": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "curve": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "established": {
- "type": "boolean"
- },
- "last_alert": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "next_protocol": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "resumed": {
- "type": "boolean"
- },
- "server": {
- "properties": {
- "cert_chain": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "cert_chain_fuids": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "issuer": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- },
- "validation": {
- "properties": {
- "code": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "status": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "version": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "stats": {
- "properties": {
- "bytes": {
- "properties": {
- "received": {
- "type": "long"
- }
- }
- },
- "connections": {
- "properties": {
- "icmp": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- },
- "tcp": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- },
- "udp": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- }
- }
- },
- "dns_requests": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- },
- "events": {
- "properties": {
- "processed": {
- "type": "long"
- },
- "queued": {
- "type": "long"
- }
- }
- },
- "files": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- },
- "memory": {
- "type": "long"
- },
- "packets": {
- "properties": {
- "dropped": {
- "type": "long"
- },
- "processed": {
- "type": "long"
- },
- "received": {
- "type": "long"
- }
- }
- },
- "peer": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "reassembly_size": {
- "properties": {
- "file": {
- "type": "long"
- },
- "frag": {
- "type": "long"
- },
- "tcp": {
- "type": "long"
- },
- "unknown": {
- "type": "long"
- }
- }
- },
- "timers": {
- "properties": {
- "active": {
- "type": "long"
- },
- "count": {
- "type": "long"
- }
- }
- },
- "timestamp_lag": {
- "type": "long"
- }
- }
- },
- "syslog": {
- "properties": {
- "facility": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "message": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "severity": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "tunnel": {
- "properties": {
- "action": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "weird": {
- "properties": {
- "additional_info": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "identifier": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "notice": {
- "type": "boolean"
- },
- "peer": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "x509": {
- "properties": {
- "basic_constraints": {
- "properties": {
- "certificate_authority": {
- "type": "boolean"
- },
- "path_length": {
- "type": "long"
- }
- }
- },
- "certificate": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "curve": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "exponent": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "issuer": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "key": {
- "properties": {
- "algorithm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "length": {
- "type": "long"
- },
- "type": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "serial": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "signature_algorithm": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "subject": {
- "properties": {
- "common_name": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "country": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "locality": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organization": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "organizational_unit": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "state": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- },
- "valid": {
- "properties": {
- "from": {
- "type": "date"
- },
- "until": {
- "type": "date"
- }
- }
- },
- "version": {
- "type": "long"
- }
- }
- },
- "id": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "log_cert": {
- "type": "boolean"
- },
- "san": {
- "properties": {
- "dns": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "email": {
- "ignore_above": 1024,
- "type": "keyword"
- },
- "ip": {
- "type": "ip"
- },
- "other_fields": {
- "type": "boolean"
- },
- "uri": {
- "ignore_above": 1024,
- "type": "keyword"
- }
- }
- }
- }
- }
- }
- }
- }
- },
- "order": 999,
- "settings": {
- "index": {
- "mapping": {
- "total_fields": {
- "limit": 10000
- }
- },
- "number_of_routing_shards": 30,
- "number_of_shards": 1,
- "query": {
- "default_field": [
- "message",
- "tags",
- "agent.ephemeral_id",
- "agent.id",
- "agent.name",
- "agent.type",
- "agent.version",
- "as.organization.name",
- "client.address",
- "client.as.organization.name",
- "client.domain",
- "client.geo.city_name",
- "client.geo.continent_name",
- "client.geo.country_iso_code",
- "client.geo.country_name",
- "client.geo.name",
- "client.geo.region_iso_code",
- "client.geo.region_name",
- "client.mac",
- "client.registered_domain",
- "client.top_level_domain",
- "client.user.domain",
- "client.user.email",
- "client.user.full_name",
- "client.user.group.domain",
- "client.user.group.id",
- "client.user.group.name",
- "client.user.hash",
- "client.user.id",
- "client.user.name",
- "cloud.account.id",
- "cloud.availability_zone",
- "cloud.instance.id",
- "cloud.instance.name",
- "cloud.machine.type",
- "cloud.provider",
- "cloud.region",
- "container.id",
- "container.image.name",
- "container.image.tag",
- "container.name",
- "container.runtime",
- "destination.address",
- "destination.as.organization.name",
- "destination.domain",
- "destination.geo.city_name",
- "destination.geo.continent_name",
- "destination.geo.country_iso_code",
- "destination.geo.country_name",
- "destination.geo.name",
- "destination.geo.region_iso_code",
- "destination.geo.region_name",
- "destination.mac",
- "destination.registered_domain",
- "destination.top_level_domain",
- "destination.user.domain",
- "destination.user.email",
- "destination.user.full_name",
- "destination.user.group.domain",
- "destination.user.group.id",
- "destination.user.group.name",
- "destination.user.hash",
- "destination.user.id",
- "destination.user.name",
- "dns.answers.class",
- "dns.answers.data",
- "dns.answers.name",
- "dns.answers.type",
- "dns.header_flags",
- "dns.id",
- "dns.op_code",
- "dns.question.class",
- "dns.question.name",
- "dns.question.registered_domain",
- "dns.question.subdomain",
- "dns.question.top_level_domain",
- "dns.question.type",
- "dns.response_code",
- "dns.type",
- "ecs.version",
- "error.code",
- "error.id",
- "error.message",
- "error.stack_trace",
- "error.type",
- "event.action",
- "event.category",
- "event.code",
- "event.dataset",
- "event.hash",
- "event.id",
- "event.kind",
- "event.module",
- "event.original",
- "event.outcome",
- "event.provider",
- "event.timezone",
- "event.type",
- "file.device",
- "file.directory",
- "file.extension",
- "file.gid",
- "file.group",
- "file.hash.md5",
- "file.hash.sha1",
- "file.hash.sha256",
- "file.hash.sha512",
- "file.inode",
- "file.mode",
- "file.name",
- "file.owner",
- "file.path",
- "file.target_path",
- "file.type",
- "file.uid",
- "geo.city_name",
- "geo.continent_name",
- "geo.country_iso_code",
- "geo.country_name",
- "geo.name",
- "geo.region_iso_code",
- "geo.region_name",
- "group.domain",
- "group.id",
- "group.name",
- "hash.md5",
- "hash.sha1",
- "hash.sha256",
- "hash.sha512",
- "host.architecture",
- "host.geo.city_name",
- "host.geo.continent_name",
- "host.geo.country_iso_code",
- "host.geo.country_name",
- "host.geo.name",
- "host.geo.region_iso_code",
- "host.geo.region_name",
- "host.hostname",
- "host.id",
- "host.mac",
- "host.name",
- "host.os.family",
- "host.os.full",
- "host.os.kernel",
- "host.os.name",
- "host.os.platform",
- "host.os.version",
- "host.type",
- "host.user.domain",
- "host.user.email",
- "host.user.full_name",
- "host.user.group.domain",
- "host.user.group.id",
- "host.user.group.name",
- "host.user.hash",
- "host.user.id",
- "host.user.name",
- "http.request.body.content",
- "http.request.method",
- "http.request.referrer",
- "http.response.body.content",
- "http.version",
- "log.level",
- "log.logger",
- "log.origin.file.name",
- "log.origin.function",
- "log.original",
- "log.syslog.facility.name",
- "log.syslog.severity.name",
- "network.application",
- "network.community_id",
- "network.direction",
- "network.iana_number",
- "network.name",
- "network.protocol",
- "network.transport",
- "network.type",
- "observer.geo.city_name",
- "observer.geo.continent_name",
- "observer.geo.country_iso_code",
- "observer.geo.country_name",
- "observer.geo.name",
- "observer.geo.region_iso_code",
- "observer.geo.region_name",
- "observer.hostname",
- "observer.mac",
- "observer.name",
- "observer.os.family",
- "observer.os.full",
- "observer.os.kernel",
- "observer.os.name",
- "observer.os.platform",
- "observer.os.version",
- "observer.product",
- "observer.serial_number",
- "observer.type",
- "observer.vendor",
- "observer.version",
- "organization.id",
- "organization.name",
- "os.family",
- "os.full",
- "os.kernel",
- "os.name",
- "os.platform",
- "os.version",
- "package.architecture",
- "package.checksum",
- "package.description",
- "package.install_scope",
- "package.license",
- "package.name",
- "package.path",
- "package.version",
- "process.args",
- "text",
- "process.executable",
- "process.hash.md5",
- "process.hash.sha1",
- "process.hash.sha256",
- "process.hash.sha512",
- "process.name",
- "text",
- "text",
- "text",
- "text",
- "text",
- "process.thread.name",
- "process.title",
- "process.working_directory",
- "server.address",
- "server.as.organization.name",
- "server.domain",
- "server.geo.city_name",
- "server.geo.continent_name",
- "server.geo.country_iso_code",
- "server.geo.country_name",
- "server.geo.name",
- "server.geo.region_iso_code",
- "server.geo.region_name",
- "server.mac",
- "server.registered_domain",
- "server.top_level_domain",
- "server.user.domain",
- "server.user.email",
- "server.user.full_name",
- "server.user.group.domain",
- "server.user.group.id",
- "server.user.group.name",
- "server.user.hash",
- "server.user.id",
- "server.user.name",
- "service.ephemeral_id",
- "service.id",
- "service.name",
- "service.node.name",
- "service.state",
- "service.type",
- "service.version",
- "source.address",
- "source.as.organization.name",
- "source.domain",
- "source.geo.city_name",
- "source.geo.continent_name",
- "source.geo.country_iso_code",
- "source.geo.country_name",
- "source.geo.name",
- "source.geo.region_iso_code",
- "source.geo.region_name",
- "source.mac",
- "source.registered_domain",
- "source.top_level_domain",
- "source.user.domain",
- "source.user.email",
- "source.user.full_name",
- "source.user.group.domain",
- "source.user.group.id",
- "source.user.group.name",
- "source.user.hash",
- "source.user.id",
- "source.user.name",
- "threat.framework",
- "threat.tactic.id",
- "threat.tactic.name",
- "threat.tactic.reference",
- "threat.technique.id",
- "threat.technique.name",
- "threat.technique.reference",
- "tracing.trace.id",
- "tracing.transaction.id",
- "url.domain",
- "url.extension",
- "url.fragment",
- "url.full",
- "url.original",
- "url.password",
- "url.path",
- "url.query",
- "url.registered_domain",
- "url.scheme",
- "url.top_level_domain",
- "url.username",
- "user.domain",
- "user.email",
- "user.full_name",
- "user.group.domain",
- "user.group.id",
- "user.group.name",
- "user.hash",
- "user.id",
- "user.name",
- "user_agent.device.name",
- "user_agent.name",
- "text",
- "user_agent.original",
- "user_agent.os.family",
- "user_agent.os.full",
- "user_agent.os.kernel",
- "user_agent.os.name",
- "user_agent.os.platform",
- "user_agent.os.version",
- "user_agent.version",
- "text",
- "agent.hostname",
- "timeseries.instance",
- "cloud.project.id",
- "cloud.image.id",
- "host.os.build",
- "host.os.codename",
- "kubernetes.pod.name",
- "kubernetes.pod.uid",
- "kubernetes.namespace",
- "kubernetes.node.name",
- "kubernetes.replicaset.name",
- "kubernetes.deployment.name",
- "kubernetes.statefulset.name",
- "kubernetes.container.name",
- "kubernetes.container.image",
- "jolokia.agent.version",
- "jolokia.agent.id",
- "jolokia.server.product",
- "jolokia.server.version",
- "jolokia.server.vendor",
- "jolokia.url",
- "log.file.path",
- "log.source.address",
- "stream",
- "input.type",
- "syslog.severity_label",
- "syslog.facility_label",
- "process.program",
- "log.flags",
- "user_agent.os.full_name",
- "fileset.name",
- "icmp.code",
- "icmp.type",
- "igmp.type",
- "azure.eventhub",
- "azure.consumer_group",
- "kafka.topic",
- "kafka.key",
- "activemq.caller",
- "activemq.thread",
- "activemq.user",
- "activemq.log.stack_trace",
- "apache.access.ssl.protocol",
- "apache.access.ssl.cipher",
- "apache.error.module",
- "user.terminal",
- "user.audit.id",
- "user.audit.name",
- "user.audit.group.id",
- "user.audit.group.name",
- "user.effective.id",
- "user.effective.name",
- "user.effective.group.id",
- "user.effective.group.name",
- "user.filesystem.id",
- "user.filesystem.name",
- "user.filesystem.group.id",
- "user.filesystem.group.name",
- "user.owner.id",
- "user.owner.name",
- "user.owner.group.id",
- "user.owner.group.name",
- "user.saved.id",
- "user.saved.name",
- "user.saved.group.id",
- "user.saved.group.name",
- "auditd.log.old_auid",
- "auditd.log.new_auid",
- "auditd.log.old_ses",
- "auditd.log.new_ses",
- "auditd.log.items",
- "auditd.log.item",
- "auditd.log.tty",
- "auditd.log.a0",
- "aws.elb.name",
- "aws.elb.type",
- "aws.elb.target_group.arn",
- "aws.elb.listener",
- "aws.elb.protocol",
- "aws.elb.backend.ip",
- "aws.elb.backend.port",
- "aws.elb.backend.http.response.status_code",
- "aws.elb.ssl_cipher",
- "aws.elb.ssl_protocol",
- "aws.elb.chosen_cert.arn",
- "aws.elb.chosen_cert.serial",
- "aws.elb.incoming_tls_alert",
- "aws.elb.tls_named_group",
- "aws.elb.trace_id",
- "aws.elb.matched_rule_priority",
- "aws.elb.action_executed",
- "aws.elb.redirect_url",
- "aws.elb.error.reason",
- "aws.s3access.bucket_owner",
- "aws.s3access.bucket",
- "aws.s3access.requester",
- "aws.s3access.request_id",
- "aws.s3access.operation",
- "aws.s3access.key",
- "aws.s3access.request_uri",
- "aws.s3access.error_code",
- "aws.s3access.referrer",
- "aws.s3access.user_agent",
- "aws.s3access.version_id",
- "aws.s3access.host_id",
- "aws.s3access.signature_version",
- "aws.s3access.cipher_suite",
- "aws.s3access.authentication_type",
- "aws.s3access.host_header",
- "aws.s3access.tls_version",
- "aws.vpcflow.version",
- "aws.vpcflow.account_id",
- "aws.vpcflow.interface_id",
- "aws.vpcflow.action",
- "aws.vpcflow.log_status",
- "aws.vpcflow.instance_id",
- "aws.vpcflow.vpc_id",
- "aws.vpcflow.subnet_id",
- "aws.vpcflow.tcp_flags",
- "aws.vpcflow.type",
- "azure.subscription_id",
- "azure.correlation_id",
- "azure.tenant_id",
- "azure.resource.id",
- "azure.resource.group",
- "azure.resource.provider",
- "azure.resource.namespace",
- "azure.resource.name",
- "azure.resource.authorization_rule",
- "azure.activitylogs.identity.claims_initiated_by_user.name",
- "azure.activitylogs.identity.claims_initiated_by_user.givenname",
- "azure.activitylogs.identity.claims_initiated_by_user.surname",
- "azure.activitylogs.identity.claims_initiated_by_user.fullname",
- "azure.activitylogs.identity.claims_initiated_by_user.schema",
- "azure.activitylogs.identity.authorization.scope",
- "azure.activitylogs.identity.authorization.action",
- "azure.activitylogs.identity.authorization.evidence.role_assignment_scope",
- "azure.activitylogs.identity.authorization.evidence.role_definition_id",
- "azure.activitylogs.identity.authorization.evidence.role",
- "azure.activitylogs.identity.authorization.evidence.role_assignment_id",
- "azure.activitylogs.identity.authorization.evidence.principal_id",
- "azure.activitylogs.identity.authorization.evidence.principal_type",
- "azure.activitylogs.operation_name",
- "azure.activitylogs.result_signature",
- "azure.activitylogs.category",
- "azure.activitylogs.properties.service_request_id",
- "azure.activitylogs.properties.status_code",
- "azure.auditlogs.operation_name",
- "azure.auditlogs.operation_version",
- "azure.auditlogs.identity",
- "azure.auditlogs.tenant_id",
- "azure.auditlogs.result_signature",
- "azure.auditlogs.properties.result",
- "azure.auditlogs.properties.activity_display_name",
- "azure.auditlogs.properties.result_reason",
- "azure.auditlogs.properties.correlation_id",
- "azure.auditlogs.properties.logged_by_service",
- "azure.auditlogs.properties.operation_type",
- "azure.auditlogs.properties.id",
- "azure.auditlogs.properties.category",
- "azure.auditlogs.properties.target_resources.*.display_name",
- "azure.auditlogs.properties.target_resources.*.id",
- "azure.auditlogs.properties.target_resources.*.type",
- "azure.auditlogs.properties.target_resources.*.ip_address",
- "azure.auditlogs.properties.target_resources.*.user_principal_name",
- "azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value",
- "azure.auditlogs.properties.target_resources.*.modified_properties.*.display_name",
- "azure.auditlogs.properties.target_resources.*.modified_properties.*.old_value",
- "azure.auditlogs.properties.initiated_by.app.servicePrincipalName",
- "azure.auditlogs.properties.initiated_by.app.displayName",
- "azure.auditlogs.properties.initiated_by.app.appId",
- "azure.auditlogs.properties.initiated_by.app.servicePrincipalId",
- "azure.auditlogs.properties.initiated_by.user.userPrincipalName",
- "azure.auditlogs.properties.initiated_by.user.displayName",
- "azure.auditlogs.properties.initiated_by.user.id",
- "azure.auditlogs.properties.initiated_by.user.ipAddress",
- "azure.signinlogs.operation_name",
- "azure.signinlogs.operation_version",
- "azure.signinlogs.tenant_id",
- "azure.signinlogs.result_signature",
- "azure.signinlogs.result_description",
- "azure.signinlogs.identity",
- "azure.signinlogs.properties.id",
- "azure.signinlogs.properties.user_display_name",
- "azure.signinlogs.properties.correlation_id",
- "azure.signinlogs.properties.user_principal_name",
- "azure.signinlogs.properties.user_id",
- "azure.signinlogs.properties.app_id",
- "azure.signinlogs.properties.app_display_name",
- "azure.signinlogs.properties.ip_address",
- "azure.signinlogs.properties.client_app_used",
- "azure.signinlogs.properties.conditional_access_status",
- "azure.signinlogs.properties.original_request_id",
- "azure.signinlogs.properties.is_interactive",
- "azure.signinlogs.properties.token_issuer_name",
- "azure.signinlogs.properties.token_issuer_type",
- "azure.signinlogs.properties.risk_detail",
- "azure.signinlogs.properties.risk_level_aggregated",
- "azure.signinlogs.properties.risk_level_during_signin",
- "azure.signinlogs.properties.risk_state",
- "azure.signinlogs.properties.resource_display_name",
- "azure.signinlogs.properties.status.error_code",
- "azure.signinlogs.properties.device_detail.device_id",
- "azure.signinlogs.properties.device_detail.operating_system",
- "azure.signinlogs.properties.device_detail.browser",
- "azure.signinlogs.properties.device_detail.display_name",
- "azure.signinlogs.properties.device_detail.trust_type",
- "azure.signinlogs.properties.service_principal_id",
- "cisco.asa.message_id",
- "cisco.asa.suffix",
- "cisco.asa.source_interface",
- "cisco.asa.destination_interface",
- "cisco.asa.rule_name",
- "cisco.asa.source_username",
- "cisco.asa.destination_username",
- "cisco.asa.threat_level",
- "cisco.asa.threat_category",
- "cisco.asa.connection_id",
- "cisco.ftd.message_id",
- "cisco.ftd.suffix",
- "cisco.ftd.source_interface",
- "cisco.ftd.destination_interface",
- "cisco.ftd.rule_name",
- "cisco.ftd.source_username",
- "cisco.ftd.destination_username",
- "cisco.ftd.threat_level",
- "cisco.ftd.threat_category",
- "cisco.ftd.connection_id",
- "cisco.ios.access_list",
- "cisco.ios.facility",
- "coredns.id",
- "coredns.query.class",
- "coredns.query.name",
- "coredns.query.type",
- "coredns.response.code",
- "coredns.response.flags",
- "cef.version",
- "cef.device.vendor",
- "cef.device.product",
- "cef.device.version",
- "cef.device.event_class_id",
- "cef.severity",
- "cef.name",
- "source.service.name",
- "destination.service.name",
- "elasticsearch.component",
- "elasticsearch.cluster.uuid",
- "elasticsearch.cluster.name",
- "elasticsearch.node.id",
- "elasticsearch.node.name",
- "elasticsearch.index.name",
- "elasticsearch.index.id",
- "elasticsearch.shard.id",
- "elasticsearch.audit.layer",
- "elasticsearch.audit.event_type",
- "elasticsearch.audit.origin.type",
- "elasticsearch.audit.realm",
- "elasticsearch.audit.user.realm",
- "elasticsearch.audit.user.roles",
- "elasticsearch.audit.action",
- "elasticsearch.audit.url.params",
- "elasticsearch.audit.indices",
- "elasticsearch.audit.request.id",
- "elasticsearch.audit.request.name",
- "elasticsearch.audit.message",
- "elasticsearch.gc.phase.name",
- "elasticsearch.gc.tags",
- "elasticsearch.slowlog.logger",
- "elasticsearch.slowlog.took",
- "elasticsearch.slowlog.types",
- "elasticsearch.slowlog.stats",
- "elasticsearch.slowlog.search_type",
- "elasticsearch.slowlog.source_query",
- "elasticsearch.slowlog.extra_source",
- "elasticsearch.slowlog.total_hits",
- "elasticsearch.slowlog.total_shards",
- "elasticsearch.slowlog.routing",
- "elasticsearch.slowlog.id",
- "elasticsearch.slowlog.type",
- "elasticsearch.slowlog.source",
- "envoyproxy.log_type",
- "envoyproxy.response_flags",
- "envoyproxy.request_id",
- "envoyproxy.authority",
- "envoyproxy.proxy_type",
- "googlecloud.destination.instance.project_id",
- "googlecloud.destination.instance.region",
- "googlecloud.destination.instance.zone",
- "googlecloud.destination.vpc.project_id",
- "googlecloud.destination.vpc.vpc_name",
- "googlecloud.destination.vpc.subnetwork_name",
- "googlecloud.source.instance.project_id",
- "googlecloud.source.instance.region",
- "googlecloud.source.instance.zone",
- "googlecloud.source.vpc.project_id",
- "googlecloud.source.vpc.vpc_name",
- "googlecloud.source.vpc.subnetwork_name",
- "googlecloud.audit.type",
- "googlecloud.audit.authentication_info.principal_email",
- "googlecloud.audit.authentication_info.authority_selector",
- "googlecloud.audit.method_name",
- "googlecloud.audit.request.proto_name",
- "googlecloud.audit.request.filter",
- "googlecloud.audit.request.name",
- "googlecloud.audit.request.resource_name",
- "googlecloud.audit.request_metadata.caller_supplied_user_agent",
- "googlecloud.audit.resource_name",
- "googlecloud.audit.resource_location.current_locations",
- "googlecloud.audit.service_name",
- "googlecloud.audit.status.message",
- "googlecloud.firewall.rule_details.action",
- "googlecloud.firewall.rule_details.direction",
- "googlecloud.firewall.rule_details.reference",
- "googlecloud.firewall.rule_details.source_range",
- "googlecloud.firewall.rule_details.destination_range",
- "googlecloud.firewall.rule_details.source_tag",
- "googlecloud.firewall.rule_details.target_tag",
- "googlecloud.firewall.rule_details.source_service_account",
- "googlecloud.firewall.rule_details.target_service_account",
- "googlecloud.vpcflow.reporter",
- "haproxy.frontend_name",
- "haproxy.backend_name",
- "haproxy.server_name",
- "haproxy.bind_name",
- "haproxy.error_message",
- "haproxy.source",
- "haproxy.termination_state",
- "haproxy.mode",
- "haproxy.http.response.captured_cookie",
- "haproxy.http.response.captured_headers",
- "haproxy.http.request.captured_cookie",
- "haproxy.http.request.captured_headers",
- "haproxy.http.request.raw_request_line",
- "ibmmq.errorlog.installation",
- "ibmmq.errorlog.qmgr",
- "ibmmq.errorlog.arithinsert",
- "ibmmq.errorlog.commentinsert",
- "ibmmq.errorlog.errordescription",
- "ibmmq.errorlog.explanation",
- "ibmmq.errorlog.action",
- "ibmmq.errorlog.code",
- "icinga.debug.facility",
- "icinga.main.facility",
- "icinga.startup.facility",
- "iis.access.site_name",
- "iis.access.server_name",
- "iis.access.cookie",
- "iis.error.reason_phrase",
- "iis.error.queue_name",
- "iptables.fragment_flags",
- "iptables.input_device",
- "iptables.output_device",
- "iptables.tcp.flags",
- "iptables.ubiquiti.input_zone",
- "iptables.ubiquiti.output_zone",
- "iptables.ubiquiti.rule_number",
- "iptables.ubiquiti.rule_set",
- "kafka.log.component",
- "kafka.log.class",
- "kafka.log.trace.class",
- "kafka.log.trace.message",
- "kibana.log.tags",
- "kibana.log.state",
- "logstash.log.module",
- "text",
- "logstash.log.thread",
- "logstash.log.pipeline_id",
- "logstash.slowlog.module",
- "text",
- "logstash.slowlog.thread",
- "text",
- "logstash.slowlog.event",
- "logstash.slowlog.plugin_name",
- "logstash.slowlog.plugin_type",
- "text",
- "logstash.slowlog.plugin_params",
- "misp.attack_pattern.id",
- "misp.attack_pattern.name",
- "misp.attack_pattern.description",
- "misp.attack_pattern.kill_chain_phases",
- "misp.campaign.id",
- "misp.campaign.name",
- "misp.campaign.description",
- "misp.campaign.aliases",
- "misp.campaign.objective",
- "misp.course_of_action.id",
- "misp.course_of_action.name",
- "misp.course_of_action.description",
- "misp.identity.id",
- "misp.identity.name",
- "misp.identity.description",
- "misp.identity.identity_class",
- "misp.identity.labels",
- "misp.identity.sectors",
- "misp.identity.contact_information",
- "misp.intrusion_set.id",
- "misp.intrusion_set.name",
- "misp.intrusion_set.description",
- "misp.intrusion_set.aliases",
- "misp.intrusion_set.goals",
- "misp.intrusion_set.resource_level",
- "misp.intrusion_set.primary_motivation",
- "misp.intrusion_set.secondary_motivations",
- "misp.malware.id",
- "misp.malware.name",
- "misp.malware.description",
- "misp.malware.labels",
- "misp.malware.kill_chain_phases",
- "misp.note.id",
- "misp.note.summary",
- "misp.note.description",
- "misp.note.authors",
- "misp.note.object_refs",
- "misp.threat_indicator.labels",
- "misp.threat_indicator.id",
- "misp.threat_indicator.version",
- "misp.threat_indicator.type",
- "misp.threat_indicator.description",
- "misp.threat_indicator.feed",
- "misp.threat_indicator.severity",
- "misp.threat_indicator.confidence",
- "misp.threat_indicator.kill_chain_phases",
- "misp.threat_indicator.mitre_tactic",
- "misp.threat_indicator.mitre_technique",
- "misp.threat_indicator.attack_pattern",
- "misp.threat_indicator.attack_pattern_kql",
- "misp.threat_indicator.intrusion_set",
- "misp.threat_indicator.campaign",
- "misp.threat_indicator.threat_actor",
- "misp.observed_data.id",
- "misp.observed_data.objects",
- "misp.report.id",
- "misp.report.labels",
- "misp.report.name",
- "misp.report.description",
- "misp.report.object_refs",
- "misp.threat_actor.id",
- "misp.threat_actor.labels",
- "misp.threat_actor.name",
- "misp.threat_actor.description",
- "misp.threat_actor.aliases",
- "misp.threat_actor.roles",
- "misp.threat_actor.goals",
- "misp.threat_actor.sophistication",
- "misp.threat_actor.resource_level",
- "misp.threat_actor.primary_motivation",
- "misp.threat_actor.secondary_motivations",
- "misp.threat_actor.personal_motivations",
- "misp.tool.id",
- "misp.tool.labels",
- "misp.tool.name",
- "misp.tool.description",
- "misp.tool.tool_version",
- "misp.tool.kill_chain_phases",
- "misp.vulnerability.id",
- "misp.vulnerability.name",
- "misp.vulnerability.description",
- "mongodb.log.component",
- "mongodb.log.context",
- "mssql.log.origin",
- "mysql.slowlog.query",
- "mysql.slowlog.schema",
- "mysql.slowlog.current_user",
- "mysql.slowlog.last_errno",
- "mysql.slowlog.killed",
- "mysql.slowlog.log_slow_rate_type",
- "mysql.slowlog.log_slow_rate_limit",
- "mysql.slowlog.innodb.trx_id",
- "nats.log.msg.type",
- "nats.log.msg.subject",
- "nats.log.msg.reply_to",
- "nats.log.msg.error.message",
- "nats.log.msg.queue_group",
- "netflow.type",
- "netflow.exporter.address",
- "netflow.source_mac_address",
- "netflow.post_destination_mac_address",
- "netflow.destination_mac_address",
- "netflow.post_source_mac_address",
- "netflow.interface_name",
- "netflow.interface_description",
- "netflow.sampler_name",
- "netflow.application_description",
- "netflow.application_name",
- "netflow.class_name",
- "netflow.wlan_ssid",
- "netflow.vr_fname",
- "netflow.metro_evc_id",
- "netflow.nat_pool_name",
- "netflow.p2p_technology",
- "netflow.tunnel_technology",
- "netflow.encrypted_technology",
- "netflow.observation_domain_name",
- "netflow.selector_name",
- "netflow.information_element_description",
- "netflow.information_element_name",
- "netflow.virtual_station_interface_name",
- "netflow.virtual_station_name",
- "netflow.sta_mac_address",
- "netflow.wtp_mac_address",
- "netflow.user_name",
- "netflow.application_category_name",
- "netflow.application_sub_category_name",
- "netflow.application_group_name",
- "netflow.dot1q_customer_source_mac_address",
- "netflow.dot1q_customer_destination_mac_address",
- "netflow.mib_context_name",
- "netflow.mib_object_name",
- "netflow.mib_object_description",
- "netflow.mib_object_syntax",
- "netflow.mib_module_name",
- "netflow.mobile_imsi",
- "netflow.mobile_msisdn",
- "netflow.http_request_method",
- "netflow.http_request_host",
- "netflow.http_request_target",
- "netflow.http_message_version",
- "netflow.http_user_agent",
- "netflow.http_content_type",
- "netflow.http_reason_phrase",
- "osquery.result.name",
- "osquery.result.action",
- "osquery.result.host_identifier",
- "osquery.result.calendar_time",
- "panw.panos.ruleset",
- "panw.panos.source.zone",
- "panw.panos.source.interface",
- "panw.panos.destination.zone",
- "panw.panos.destination.interface",
- "panw.panos.network.pcap_id",
- "panw.panos.network.nat.community_id",
- "panw.panos.file.hash",
- "panw.panos.url.category",
- "panw.panos.flow_id",
- "panw.panos.threat.resource",
- "panw.panos.threat.id",
- "panw.panos.threat.name",
- "postgresql.log.timestamp",
- "postgresql.log.database",
- "postgresql.log.query",
- "postgresql.log.query_step",
- "postgresql.log.query_name",
- "rabbitmq.log.pid",
- "redis.log.role",
- "redis.slowlog.cmd",
- "redis.slowlog.key",
- "redis.slowlog.args",
- "bucket_name",
- "object_key",
- "santa.action",
- "santa.decision",
- "santa.reason",
- "santa.mode",
- "santa.disk.volume",
- "santa.disk.bus",
- "santa.disk.serial",
- "santa.disk.bsdname",
- "santa.disk.model",
- "santa.disk.fs",
- "santa.disk.mount",
- "certificate.common_name",
- "certificate.sha256",
- "suricata.eve.event_type",
- "suricata.eve.app_proto_orig",
- "suricata.eve.tcp.tcp_flags",
- "suricata.eve.tcp.tcp_flags_tc",
- "suricata.eve.tcp.state",
- "suricata.eve.tcp.tcp_flags_ts",
- "suricata.eve.fileinfo.sha1",
- "suricata.eve.fileinfo.state",
- "suricata.eve.fileinfo.sha256",
- "suricata.eve.fileinfo.md5",
- "suricata.eve.dns.type",
- "suricata.eve.dns.rrtype",
- "suricata.eve.dns.rrname",
- "suricata.eve.dns.rdata",
- "suricata.eve.dns.rcode",
- "suricata.eve.flow_id",
- "suricata.eve.email.status",
- "suricata.eve.http.redirect",
- "suricata.eve.http.protocol",
- "suricata.eve.http.http_content_type",
- "suricata.eve.in_iface",
- "suricata.eve.alert.category",
- "suricata.eve.alert.signature",
- "suricata.eve.ssh.client.proto_version",
- "suricata.eve.ssh.client.software_version",
- "suricata.eve.ssh.server.proto_version",
- "suricata.eve.ssh.server.software_version",
- "suricata.eve.tls.issuerdn",
- "suricata.eve.tls.sni",
- "suricata.eve.tls.version",
- "suricata.eve.tls.fingerprint",
- "suricata.eve.tls.serial",
- "suricata.eve.tls.subject",
- "suricata.eve.app_proto_ts",
- "suricata.eve.flow.state",
- "suricata.eve.flow.reason",
- "suricata.eve.app_proto_tc",
- "suricata.eve.smtp.rcpt_to",
- "suricata.eve.smtp.mail_from",
- "suricata.eve.smtp.helo",
- "suricata.eve.app_proto_expected",
- "system.auth.ssh.method",
- "system.auth.ssh.signature",
- "system.auth.ssh.event",
- "system.auth.sudo.error",
- "system.auth.sudo.tty",
- "system.auth.sudo.pwd",
- "system.auth.sudo.user",
- "system.auth.sudo.command",
- "system.auth.useradd.home",
- "system.auth.useradd.shell",
- "traefik.access.user_identifier",
- "traefik.access.frontend_name",
- "traefik.access.backend_url",
- "zeek.session_id",
- "zeek.capture_loss.peer",
- "zeek.dns.trans_id",
- "zeek.dns.query",
- "zeek.dns.qclass_name",
- "zeek.dns.qtype_name",
- "zeek.dns.rcode_name",
- "zeek.dns.answers",
- "zeek.files.fuid",
- "zeek.files.session_ids",
- "zeek.files.source",
- "zeek.files.analyzers",
- "zeek.files.mime_type",
- "zeek.files.filename",
- "zeek.files.parent_fuid",
- "zeek.files.md5",
- "zeek.files.sha1",
- "zeek.files.sha256",
- "zeek.files.extracted",
- "zeek.http.status_msg",
- "zeek.http.info_msg",
- "zeek.http.tags",
- "zeek.http.password",
- "zeek.http.proxied",
- "zeek.http.client_header_names",
- "zeek.http.server_header_names",
- "zeek.http.orig_fuids",
- "zeek.http.orig_mime_types",
- "zeek.http.orig_filenames",
- "zeek.http.resp_fuids",
- "zeek.http.resp_mime_types",
- "zeek.http.resp_filenames",
- "zeek.notice.connection_id",
- "zeek.notice.icmp_id",
- "zeek.notice.file.id",
- "zeek.notice.file.parent_id",
- "zeek.notice.file.source",
- "zeek.notice.file.mime_type",
- "zeek.notice.fuid",
- "zeek.notice.note",
- "zeek.notice.msg",
- "zeek.notice.sub",
- "zeek.notice.peer_name",
- "zeek.notice.peer_descr",
- "zeek.notice.actions",
- "zeek.notice.email_body_sections",
- "zeek.notice.email_delay_tokens",
- "zeek.notice.identifier",
- "fields.*"
- ]
- },
- "refresh_interval": "15s"
- }
- }
- }