
wazuh-template.json

  1. {
  2. "order": 0,
  3. "index_patterns": [
  4. "wazuh-alerts-4.x-*",
  5. "wazuh-archives-4.x-*"
  6. ],
  7. "settings": {
  8. "index.refresh_interval": "5s",
  9. "index.number_of_shards": "1",
  10. "index.number_of_replicas": "0",
  11. "index.auto_expand_replicas": "0-1",
  12. "index.mapping.total_fields.limit": 10000,
  13. "index.query.default_field": [
  14. "GeoLocation.city_name",
  15. "GeoLocation.continent_code",
  16. "GeoLocation.country_code2",
  17. "GeoLocation.country_code3",
  18. "GeoLocation.country_name",
  19. "GeoLocation.ip",
  20. "GeoLocation.postal_code",
  21. "GeoLocation.real_region_name",
  22. "GeoLocation.region_name",
  23. "GeoLocation.timezone",
  24. "agent.id",
  25. "agent.ip",
  26. "agent.name",
  27. "cluster.name",
  28. "cluster.node",
  29. "command",
  30. "data",
  31. "data.action",
  32. "data.audit",
  33. "data.audit.acct",
  34. "data.audit.arch",
  35. "data.audit.auid",
  36. "data.audit.command",
  37. "data.audit.cwd",
  38. "data.audit.dev",
  39. "data.audit.directory.inode",
  40. "data.audit.directory.mode",
  41. "data.audit.directory.name",
  42. "data.audit.egid",
  43. "data.audit.enforcing",
  44. "data.audit.euid",
  45. "data.audit.exe",
  46. "data.audit.execve.a0",
  47. "data.audit.execve.a1",
  48. "data.audit.execve.a2",
  49. "data.audit.execve.a3",
  50. "data.audit.exit",
  51. "data.audit.file.inode",
  52. "data.audit.file.mode",
  53. "data.audit.file.name",
  54. "data.audit.fsgid",
  55. "data.audit.fsuid",
  56. "data.audit.gid",
  57. "data.audit.id",
  58. "data.audit.key",
  59. "data.audit.list",
  60. "data.audit.old-auid",
  61. "data.audit.old-ses",
  62. "data.audit.old_enforcing",
  63. "data.audit.old_prom",
  64. "data.audit.op",
  65. "data.audit.pid",
  66. "data.audit.ppid",
  67. "data.audit.prom",
  68. "data.audit.res",
  69. "data.audit.session",
  70. "data.audit.sgid",
  71. "data.audit.srcip",
  72. "data.audit.subj",
  73. "data.audit.success",
  74. "data.audit.suid",
  75. "data.audit.syscall",
  76. "data.audit.tty",
  77. "data.audit.uid",
  78. "data.aws.accountId",
  79. "data.aws.account_id",
  80. "data.aws.action",
  81. "data.aws.actor",
  82. "data.aws.aws_account_id",
  83. "data.aws.description",
  84. "data.aws.dstport",
  85. "data.aws.errorCode",
  86. "data.aws.errorMessage",
  87. "data.aws.eventID",
  88. "data.aws.eventName",
  89. "data.aws.eventSource",
  90. "data.aws.eventType",
  91. "data.aws.id",
  92. "data.aws.name",
  93. "data.aws.requestParameters.accessKeyId",
  94. "data.aws.requestParameters.bucketName",
  95. "data.aws.requestParameters.gatewayId",
  96. "data.aws.requestParameters.groupDescription",
  97. "data.aws.requestParameters.groupId",
  98. "data.aws.requestParameters.groupName",
  99. "data.aws.requestParameters.host",
  100. "data.aws.requestParameters.hostedZoneId",
  101. "data.aws.requestParameters.instanceId",
  102. "data.aws.requestParameters.instanceProfileName",
  103. "data.aws.requestParameters.loadBalancerName",
  104. "data.aws.requestParameters.loadBalancerPorts",
  105. "data.aws.requestParameters.masterUserPassword",
  106. "data.aws.requestParameters.masterUsername",
  107. "data.aws.requestParameters.name",
  108. "data.aws.requestParameters.natGatewayId",
  109. "data.aws.requestParameters.networkAclId",
  110. "data.aws.requestParameters.path",
  111. "data.aws.requestParameters.policyName",
  112. "data.aws.requestParameters.port",
  113. "data.aws.requestParameters.stackId",
  114. "data.aws.requestParameters.stackName",
  115. "data.aws.requestParameters.subnetId",
  116. "data.aws.requestParameters.subnetIds",
  117. "data.aws.requestParameters.volumeId",
  118. "data.aws.requestParameters.vpcId",
  119. "data.aws.resource.accessKeyDetails.accessKeyId",
  120. "data.aws.resource.accessKeyDetails.principalId",
  121. "data.aws.resource.accessKeyDetails.userName",
  122. "data.aws.resource.instanceDetails.instanceId",
  123. "data.aws.resource.instanceDetails.instanceState",
  124. "data.aws.resource.instanceDetails.networkInterfaces.privateDnsName",
  125. "data.aws.resource.instanceDetails.networkInterfaces.publicDnsName",
  126. "data.aws.resource.instanceDetails.networkInterfaces.subnetId",
  127. "data.aws.resource.instanceDetails.networkInterfaces.vpcId",
  128. "data.aws.resource.instanceDetails.tags.value",
  129. "data.aws.responseElements.AssociateVpcCidrBlockResponse.vpcId",
  130. "data.aws.responseElements.description",
  131. "data.aws.responseElements.instanceId",
  132. "data.aws.responseElements.instances.instanceId",
  133. "data.aws.responseElements.instancesSet.items.instanceId",
  134. "data.aws.responseElements.listeners.port",
  135. "data.aws.responseElements.loadBalancerName",
  136. "data.aws.responseElements.loadBalancers.vpcId",
  137. "data.aws.responseElements.loginProfile.userName",
  138. "data.aws.responseElements.networkAcl.vpcId",
  139. "data.aws.responseElements.ownerId",
  140. "data.aws.responseElements.publicIp",
  141. "data.aws.responseElements.user.userId",
  142. "data.aws.responseElements.user.userName",
  143. "data.aws.responseElements.volumeId",
  144. "data.aws.service.serviceName",
  145. "data.aws.severity",
  146. "data.aws.source",
  147. "data.aws.sourceIPAddress",
  148. "data.aws.srcport",
  149. "data.aws.userIdentity.accessKeyId",
  150. "data.aws.userIdentity.accountId",
  151. "data.aws.userIdentity.userName",
  152. "data.aws.vpcEndpointId",
  153. "data.command",
  154. "data.cis.group",
  155. "data.cis.rule_title",
  156. "data.data",
  157. "data.docker.Actor.Attributes.container",
  158. "data.docker.Actor.Attributes.image",
  159. "data.docker.Actor.Attributes.name",
  160. "data.docker.Actor.ID",
  161. "data.docker.id",
  162. "data.docker.message",
  163. "data.docker.status",
  164. "data.dstip",
  165. "data.dstport",
  166. "data.dstuser",
  167. "data.extra_data",
  168. "data.gcp.jsonPayload.queryName",
  169. "data.gcp.jsonPayload.vmInstanceName",
  170. "data.gcp.resource.labels.location",
  171. "data.gcp.resource.labels.project_id",
  172. "data.gcp.resource.labels.source_type",
  173. "data.gcp.resource.type",
  174. "data.github.org",
  175. "data.github.actor",
  176. "data.github.action",
  177. "data.github.repo",
  178. "data.hardware.serial",
  179. "data.id",
  180. "data.integration",
  181. "data.netinfo.iface.adapter",
  182. "data.netinfo.iface.ipv4.address",
  183. "data.netinfo.iface.ipv6.address",
  184. "data.netinfo.iface.mac",
  185. "data.netinfo.iface.name",
  186. "data.office365.Actor.ID",
  187. "data.office365.UserId",
  188. "data.office365.Operation",
  189. "data.office365.ClientIP",
  190. "data.os.architecture",
  191. "data.os.build",
  192. "data.os.codename",
  193. "data.os.hostname",
  194. "data.os.major",
  195. "data.os.minor",
  196. "data.os.patch",
  197. "data.os.name",
  198. "data.os.platform",
  199. "data.os.release",
  200. "data.os.release_version",
  201. "data.os.display_version",
  202. "data.os.sysname",
  203. "data.os.version",
  204. "data.oscap.check.description",
  205. "data.oscap.check.id",
  206. "data.oscap.check.identifiers",
  207. "data.oscap.check.oval.id",
  208. "data.oscap.check.rationale",
  209. "data.oscap.check.references",
  210. "data.oscap.check.result",
  211. "data.oscap.check.severity",
  212. "data.oscap.check.title",
  213. "data.oscap.scan.benchmark.id",
  214. "data.oscap.scan.content",
  215. "data.oscap.scan.id",
  216. "data.oscap.scan.profile.id",
  217. "data.oscap.scan.profile.title",
  218. "data.osquery.columns.address",
  219. "data.osquery.columns.command",
  220. "data.osquery.columns.description",
  221. "data.osquery.columns.dst_ip",
  222. "data.osquery.columns.gid",
  223. "data.osquery.columns.hostname",
  224. "data.osquery.columns.md5",
  225. "data.osquery.columns.path",
  226. "data.osquery.columns.sha1",
  227. "data.osquery.columns.sha256",
  228. "data.osquery.columns.src_ip",
  229. "data.osquery.columns.user",
  230. "data.osquery.columns.username",
  231. "data.osquery.name",
  232. "data.osquery.pack",
  233. "data.port.process",
  234. "data.port.protocol",
  235. "data.port.state",
  236. "data.process.args",
  237. "data.process.cmd",
  238. "data.process.egroup",
  239. "data.process.euser",
  240. "data.process.fgroup",
  241. "data.process.name",
  242. "data.process.rgroup",
  243. "data.process.ruser",
  244. "data.process.sgroup",
  245. "data.process.state",
  246. "data.process.suser",
  247. "data.program.architecture",
  248. "data.program.description",
  249. "data.program.format",
  250. "data.program.location",
  251. "data.program.multiarch",
  252. "data.program.name",
  253. "data.program.priority",
  254. "data.program.section",
  255. "data.program.source",
  256. "data.program.vendor",
  257. "data.program.version",
  258. "data.protocol",
  259. "data.pwd",
  260. "data.sca",
  261. "data.sca.check.compliance.cis",
  262. "data.sca.check.compliance.cis_csc",
  263. "data.sca.check.compliance.pci_dss",
  264. "data.sca.check.compliance.hipaa",
  265. "data.sca.check.compliance.nist_800_53",
  266. "data.sca.check.description",
  267. "data.sca.check.directory",
  268. "data.sca.check.file",
  269. "data.sca.check.id",
  270. "data.sca.check.previous_result",
  271. "data.sca.check.process",
  272. "data.sca.check.rationale",
  273. "data.sca.check.reason",
  274. "data.sca.check.references",
  275. "data.sca.check.registry",
  276. "data.sca.check.remediation",
  277. "data.sca.check.result",
  278. "data.sca.check.title",
  279. "data.sca.description",
  280. "data.sca.file",
  281. "data.sca.invalid",
  282. "data.sca.name",
  283. "data.sca.policy",
  284. "data.sca.policy_id",
  285. "data.sca.scan_id",
  286. "data.sca.total_checks",
  287. "data.script",
  288. "data.src_ip",
  289. "data.src_port",
  290. "data.srcip",
  291. "data.srcport",
  292. "data.srcuser",
  293. "data.status",
  294. "data.system_name",
  295. "data.title",
  296. "data.tty",
  297. "data.uid",
  298. "data.url",
  299. "data.virustotal.description",
  300. "data.virustotal.error",
  301. "data.virustotal.found",
  302. "data.virustotal.permalink",
  303. "data.virustotal.scan_date",
  304. "data.virustotal.sha1",
  305. "data.virustotal.source.alert_id",
  306. "data.virustotal.source.file",
  307. "data.virustotal.source.md5",
  308. "data.virustotal.source.sha1",
  309. "data.vulnerability.cve",
  310. "data.vulnerability.cvss.cvss2.base_score",
  311. "data.vulnerability.cvss.cvss2.exploitability_score",
  312. "data.vulnerability.cvss.cvss2.impact_score",
  313. "data.vulnerability.cvss.cvss2.vector.access_complexity",
  314. "data.vulnerability.cvss.cvss2.vector.attack_vector",
  315. "data.vulnerability.cvss.cvss2.vector.authentication",
  316. "data.vulnerability.cvss.cvss2.vector.availability",
  317. "data.vulnerability.cvss.cvss2.vector.confidentiality_impact",
  318. "data.vulnerability.cvss.cvss2.vector.integrity_impact",
  319. "data.vulnerability.cvss.cvss2.vector.privileges_required",
  320. "data.vulnerability.cvss.cvss2.vector.scope",
  321. "data.vulnerability.cvss.cvss2.vector.user_interaction",
  322. "data.vulnerability.cvss.cvss3.base_score",
  323. "data.vulnerability.cvss.cvss3.exploitability_score",
  324. "data.vulnerability.cvss.cvss3.impact_score",
  325. "data.vulnerability.cvss.cvss3.vector.access_complexity",
  326. "data.vulnerability.cvss.cvss3.vector.attack_vector",
  327. "data.vulnerability.cvss.cvss3.vector.authentication",
  328. "data.vulnerability.cvss.cvss3.vector.availability",
  329. "data.vulnerability.cvss.cvss3.vector.confidentiality_impact",
  330. "data.vulnerability.cvss.cvss3.vector.integrity_impact",
  331. "data.vulnerability.cvss.cvss3.vector.privileges_required",
  332. "data.vulnerability.cvss.cvss3.vector.scope",
  333. "data.vulnerability.cvss.cvss3.vector.user_interaction",
  334. "data.vulnerability.cwe_reference",
  335. "data.vulnerability.package.source",
  336. "data.vulnerability.package.architecture",
  337. "data.vulnerability.package.condition",
  338. "data.vulnerability.package.generated_cpe",
  339. "data.vulnerability.package.name",
  340. "data.vulnerability.package.version",
  341. "data.vulnerability.rationale",
  342. "data.vulnerability.severity",
  343. "data.vulnerability.title",
  344. "data.vulnerability.assigner",
  345. "data.vulnerability.cve_version",
  346. "data.win.eventdata.auditPolicyChanges",
  347. "data.win.eventdata.auditPolicyChangesId",
  348. "data.win.eventdata.binary",
  349. "data.win.eventdata.category",
  350. "data.win.eventdata.categoryId",
  351. "data.win.eventdata.data",
  352. "data.win.eventdata.image",
  353. "data.win.eventdata.ipAddress",
  354. "data.win.eventdata.ipPort",
  355. "data.win.eventdata.keyName",
  356. "data.win.eventdata.logonGuid",
  357. "data.win.eventdata.logonProcessName",
  358. "data.win.eventdata.operation",
  359. "data.win.eventdata.parentImage",
  360. "data.win.eventdata.processId",
  361. "data.win.eventdata.processName",
  362. "data.win.eventdata.providerName",
  363. "data.win.eventdata.returnCode",
  364. "data.win.eventdata.service",
  365. "data.win.eventdata.status",
  366. "data.win.eventdata.subcategory",
  367. "data.win.eventdata.subcategoryGuid",
  368. "data.win.eventdata.subcategoryId",
  369. "data.win.eventdata.subjectDomainName",
  370. "data.win.eventdata.subjectLogonId",
  371. "data.win.eventdata.subjectUserName",
  372. "data.win.eventdata.subjectUserSid",
  373. "data.win.eventdata.targetDomainName",
  374. "data.win.eventdata.targetLinkedLogonId",
  375. "data.win.eventdata.targetLogonId",
  376. "data.win.eventdata.targetUserName",
  377. "data.win.eventdata.targetUserSid",
  378. "data.win.eventdata.workstationName",
  379. "data.win.system.channel",
  380. "data.win.system.computer",
  381. "data.win.system.eventID",
  382. "data.win.system.eventRecordID",
  383. "data.win.system.eventSourceName",
  384. "data.win.system.keywords",
  385. "data.win.system.level",
  386. "data.win.system.message",
  387. "data.win.system.opcode",
  388. "data.win.system.processID",
  389. "data.win.system.providerGuid",
  390. "data.win.system.providerName",
  391. "data.win.system.securityUserID",
  392. "data.win.system.severityValue",
  393. "data.win.system.userID",
  394. "decoder.ftscomment",
  395. "decoder.name",
  396. "decoder.parent",
  397. "full_log",
  398. "host",
  399. "id",
  400. "input",
  401. "location",
  402. "manager.name",
  403. "message",
  404. "offset",
  405. "predecoder.hostname",
  406. "predecoder.program_name",
  407. "previous_log",
  408. "previous_output",
  409. "program_name",
  410. "rule.cis",
  411. "rule.cve",
  412. "rule.description",
  413. "rule.gdpr",
  414. "rule.gpg13",
  415. "rule.groups",
  416. "rule.id",
  417. "rule.info",
  418. "rule.mitre.id",
  419. "rule.mitre.tactic",
  420. "rule.mitre.technique",
  421. "rule.pci_dss",
  422. "rule.hipaa",
  423. "rule.nist_800_53",
  424. "syscheck.audit.effective_user.id",
  425. "syscheck.audit.effective_user.name",
  426. "syscheck.audit.group.id",
  427. "syscheck.audit.group.name",
  428. "syscheck.audit.login_user.id",
  429. "syscheck.audit.login_user.name",
  430. "syscheck.audit.process.id",
  431. "syscheck.audit.process.name",
  432. "syscheck.audit.process.ppid",
  433. "syscheck.audit.user.id",
  434. "syscheck.audit.user.name",
  435. "syscheck.diff",
  436. "syscheck.event",
  437. "syscheck.gid_after",
  438. "syscheck.gid_before",
  439. "syscheck.gname_after",
  440. "syscheck.gname_before",
  441. "syscheck.inode_after",
  442. "syscheck.inode_before",
  443. "syscheck.md5_after",
  444. "syscheck.md5_before",
  445. "syscheck.path",
  446. "syscheck.mode",
  447. "syscheck.perm_after",
  448. "syscheck.perm_before",
  449. "syscheck.sha1_after",
  450. "syscheck.sha1_before",
  451. "syscheck.sha256_after",
  452. "syscheck.sha256_before",
  453. "syscheck.tags",
  454. "syscheck.uid_after",
  455. "syscheck.uid_before",
  456. "syscheck.uname_after",
  457. "syscheck.uname_before",
  458. "syscheck.arch",
  459. "syscheck.value_name",
  460. "syscheck.value_type",
  461. "syscheck.changed_attributes",
  462. "title"
  463. ]
  464. },
  465. "mappings": {
  466. "dynamic_templates": [
  467. {
  468. "string_as_keyword": {
  469. "mapping": {
  470. "type": "keyword"
  471. },
  472. "match_mapping_type": "string"
  473. }
  474. }
  475. ],
  476. "date_detection": false,
  477. "properties": {
  478. "@timestamp": {
  479. "type": "date"
  480. },
  481. "timestamp": {
  482. "type": "date",
  483. "format": "date_optional_time||epoch_millis"
  484. },
  485. "@version": {
  486. "type": "text"
  487. },
  488. "agent": {
  489. "properties": {
  490. "ip": {
  491. "type": "keyword"
  492. },
  493. "id": {
  494. "type": "keyword"
  495. },
  496. "name": {
  497. "type": "keyword"
  498. }
  499. }
  500. },
  501. "manager": {
  502. "properties": {
  503. "name": {
  504. "type": "keyword"
  505. }
  506. }
  507. },
  508. "cluster": {
  509. "properties": {
  510. "name": {
  511. "type": "keyword"
  512. },
  513. "node": {
  514. "type": "keyword"
  515. }
  516. }
  517. },
  518. "full_log": {
  519. "type": "text"
  520. },
  521. "previous_log": {
  522. "type": "text"
  523. },
  524. "GeoLocation": {
  525. "properties": {
  526. "area_code": {
  527. "type": "long"
  528. },
  529. "city_name": {
  530. "type": "keyword"
  531. },
  532. "continent_code": {
  533. "type": "text"
  534. },
  535. "coordinates": {
  536. "type": "double"
  537. },
  538. "country_code2": {
  539. "type": "text"
  540. },
  541. "country_code3": {
  542. "type": "text"
  543. },
  544. "country_name": {
  545. "type": "keyword"
  546. },
  547. "dma_code": {
  548. "type": "long"
  549. },
  550. "ip": {
  551. "type": "keyword"
  552. },
  553. "latitude": {
  554. "type": "double"
  555. },
  556. "location": {
  557. "type": "geo_point"
  558. },
  559. "longitude": {
  560. "type": "double"
  561. },
  562. "postal_code": {
  563. "type": "keyword"
  564. },
  565. "real_region_name": {
  566. "type": "keyword"
  567. },
  568. "region_name": {
  569. "type": "keyword"
  570. },
  571. "timezone": {
  572. "type": "text"
  573. }
  574. }
  575. },
  576. "host": {
  577. "type": "keyword"
  578. },
  579. "syscheck": {
  580. "properties": {
  581. "path": {
  582. "type": "keyword"
  583. },
  584. "hard_links": {
  585. "type": "keyword"
  586. },
  587. "mode": {
  588. "type": "keyword"
  589. },
  590. "sha1_before": {
  591. "type": "keyword"
  592. },
  593. "sha1_after": {
  594. "type": "keyword"
  595. },
  596. "uid_before": {
  597. "type": "keyword"
  598. },
  599. "uid_after": {
  600. "type": "keyword"
  601. },
  602. "gid_before": {
  603. "type": "keyword"
  604. },
  605. "gid_after": {
  606. "type": "keyword"
  607. },
  608. "perm_before": {
  609. "type": "keyword"
  610. },
  611. "perm_after": {
  612. "type": "keyword"
  613. },
  614. "md5_after": {
  615. "type": "keyword"
  616. },
  617. "md5_before": {
  618. "type": "keyword"
  619. },
  620. "gname_after": {
  621. "type": "keyword"
  622. },
  623. "gname_before": {
  624. "type": "keyword"
  625. },
  626. "inode_after": {
  627. "type": "keyword"
  628. },
  629. "inode_before": {
  630. "type": "keyword"
  631. },
  632. "mtime_after": {
  633. "type": "date",
  634. "format": "date_optional_time"
  635. },
  636. "mtime_before": {
  637. "type": "date",
  638. "format": "date_optional_time"
  639. },
  640. "uname_after": {
  641. "type": "keyword"
  642. },
  643. "uname_before": {
  644. "type": "keyword"
  645. },
  646. "size_before": {
  647. "type": "long"
  648. },
  649. "size_after": {
  650. "type": "long"
  651. },
  652. "diff": {
  653. "type": "keyword"
  654. },
  655. "event": {
  656. "type": "keyword"
  657. },
  658. "audit": {
  659. "properties": {
  660. "effective_user": {
  661. "properties": {
  662. "id": {
  663. "type": "keyword"
  664. },
  665. "name": {
  666. "type": "keyword"
  667. }
  668. }
  669. },
  670. "group": {
  671. "properties": {
  672. "id": {
  673. "type": "keyword"
  674. },
  675. "name": {
  676. "type": "keyword"
  677. }
  678. }
  679. },
  680. "login_user": {
  681. "properties": {
  682. "id": {
  683. "type": "keyword"
  684. },
  685. "name": {
  686. "type": "keyword"
  687. }
  688. }
  689. },
  690. "process": {
  691. "properties": {
  692. "id": {
  693. "type": "keyword"
  694. },
  695. "name": {
  696. "type": "keyword"
  697. },
  698. "ppid": {
  699. "type": "keyword"
  700. }
  701. }
  702. },
  703. "user": {
  704. "properties": {
  705. "id": {
  706. "type": "keyword"
  707. },
  708. "name": {
  709. "type": "keyword"
  710. }
  711. }
  712. }
  713. }
  714. },
  715. "sha256_after": {
  716. "type": "keyword"
  717. },
  718. "sha256_before": {
  719. "type": "keyword"
  720. },
  721. "tags": {
  722. "type": "keyword"
  723. }
  724. }
  725. },
  726. "location": {
  727. "type": "keyword"
  728. },
  729. "message": {
  730. "type": "text"
  731. },
  732. "offset": {
  733. "type": "keyword"
  734. },
  735. "rule": {
  736. "properties": {
  737. "description": {
  738. "type": "keyword"
  739. },
  740. "groups": {
  741. "type": "keyword"
  742. },
  743. "level": {
  744. "type": "long"
  745. },
  746. "tsc": {
  747. "type": "keyword"
  748. },
  749. "id": {
  750. "type": "keyword"
  751. },
  752. "cve": {
  753. "type": "keyword"
  754. },
  755. "info": {
  756. "type": "keyword"
  757. },
  758. "frequency": {
  759. "type": "long"
  760. },
  761. "firedtimes": {
  762. "type": "long"
  763. },
  764. "cis": {
  765. "type": "keyword"
  766. },
  767. "pci_dss": {
  768. "type": "keyword"
  769. },
  770. "gdpr": {
  771. "type": "keyword"
  772. },
  773. "gpg13": {
  774. "type": "keyword"
  775. },
  776. "hipaa": {
  777. "type": "keyword"
  778. },
  779. "nist_800_53": {
  780. "type": "keyword"
  781. },
  782. "mail": {
  783. "type": "boolean"
  784. },
  785. "mitre": {
  786. "properties": {
  787. "id": {
  788. "type": "keyword"
  789. },
  790. "tactic": {
  791. "type": "keyword"
  792. },
  793. "technique": {
  794. "type": "keyword"
  795. }
  796. }
  797. }
  798. }
  799. },
  800. "predecoder": {
  801. "properties": {
  802. "program_name": {
  803. "type": "keyword"
  804. },
  805. "timestamp": {
  806. "type": "keyword"
  807. },
  808. "hostname": {
  809. "type": "keyword"
  810. }
  811. }
  812. },
  813. "decoder": {
  814. "properties": {
  815. "parent": {
  816. "type": "keyword"
  817. },
  818. "name": {
  819. "type": "keyword"
  820. },
  821. "ftscomment": {
  822. "type": "keyword"
  823. },
  824. "fts": {
  825. "type": "long"
  826. },
  827. "accumulate": {
  828. "type": "long"
  829. }
  830. }
  831. },
  832. "data": {
  833. "properties": {
  834. "audit": {
  835. "properties": {
  836. "acct": {
  837. "type": "keyword"
  838. },
  839. "arch": {
  840. "type": "keyword"
  841. },
  842. "auid": {
  843. "type": "keyword"
  844. },
  845. "command": {
  846. "type": "keyword"
  847. },
  848. "cwd": {
  849. "type": "keyword"
  850. },
  851. "dev": {
  852. "type": "keyword"
  853. },
  854. "directory": {
  855. "properties": {
  856. "inode": {
  857. "type": "keyword"
  858. },
  859. "mode": {
  860. "type": "keyword"
  861. },
  862. "name": {
  863. "type": "keyword"
  864. }
  865. }
  866. },
  867. "egid": {
  868. "type": "keyword"
  869. },
  870. "enforcing": {
  871. "type": "keyword"
  872. },
  873. "euid": {
  874. "type": "keyword"
  875. },
  876. "exe": {
  877. "type": "keyword"
  878. },
  879. "execve": {
  880. "properties": {
  881. "a0": {
  882. "type": "keyword"
  883. },
  884. "a1": {
  885. "type": "keyword"
  886. },
  887. "a2": {
  888. "type": "keyword"
  889. },
  890. "a3": {
  891. "type": "keyword"
  892. }
  893. }
  894. },
  895. "exit": {
  896. "type": "keyword"
  897. },
  898. "file": {
  899. "properties": {
  900. "inode": {
  901. "type": "keyword"
  902. },
  903. "mode": {
  904. "type": "keyword"
  905. },
  906. "name": {
  907. "type": "keyword"
  908. }
  909. }
  910. },
  911. "fsgid": {
  912. "type": "keyword"
  913. },
  914. "fsuid": {
  915. "type": "keyword"
  916. },
  917. "gid": {
  918. "type": "keyword"
  919. },
  920. "id": {
  921. "type": "keyword"
  922. },
  923. "key": {
  924. "type": "keyword"
  925. },
  926. "list": {
  927. "type": "keyword"
  928. },
  929. "old-auid": {
  930. "type": "keyword"
  931. },
  932. "old-ses": {
  933. "type": "keyword"
  934. },
  935. "old_enforcing": {
  936. "type": "keyword"
  937. },
  938. "old_prom": {
  939. "type": "keyword"
  940. },
  941. "op": {
  942. "type": "keyword"
  943. },
  944. "pid": {
  945. "type": "keyword"
  946. },
  947. "ppid": {
  948. "type": "keyword"
  949. },
  950. "prom": {
  951. "type": "keyword"
  952. },
  953. "res": {
  954. "type": "keyword"
  955. },
  956. "session": {
  957. "type": "keyword"
  958. },
  959. "sgid": {
  960. "type": "keyword"
  961. },
  962. "srcip": {
  963. "type": "keyword"
  964. },
  965. "subj": {
  966. "type": "keyword"
  967. },
  968. "success": {
  969. "type": "keyword"
  970. },
  971. "suid": {
  972. "type": "keyword"
  973. },
  974. "syscall": {
  975. "type": "keyword"
  976. },
  977. "tty": {
  978. "type": "keyword"
  979. },
  980. "type": {
  981. "type": "keyword"
  982. },
  983. "uid": {
  984. "type": "keyword"
  985. }
  986. }
  987. },
  988. "protocol": {
  989. "type": "keyword"
  990. },
  991. "action": {
  992. "type": "keyword"
  993. },
  994. "srcip": {
  995. "type": "keyword"
  996. },
  997. "dstip": {
  998. "type": "keyword"
  999. },
  1000. "srcport": {
  1001. "type": "keyword"
  1002. },
  1003. "dstport": {
  1004. "type": "keyword"
  1005. },
  1006. "srcuser": {
  1007. "type": "keyword"
  1008. },
  1009. "dstuser": {
  1010. "type": "keyword"
  1011. },
  1012. "id": {
  1013. "type": "keyword"
  1014. },
  1015. "status": {
  1016. "type": "keyword"
  1017. },
  1018. "data": {
  1019. "type": "keyword"
  1020. },
  1021. "extra_data": {
  1022. "type": "keyword"
  1023. },
  1024. "system_name": {
  1025. "type": "keyword"
  1026. },
  1027. "url": {
  1028. "type": "keyword"
  1029. },
  1030. "oscap": {
  1031. "properties": {
  1032. "check": {
  1033. "properties": {
  1034. "description": {
  1035. "type": "text"
  1036. },
  1037. "id": {
  1038. "type": "keyword"
  1039. },
  1040. "identifiers": {
  1041. "type": "text"
  1042. },
  1043. "oval": {
  1044. "properties": {
  1045. "id": {
  1046. "type": "keyword"
  1047. }
  1048. }
  1049. },
  1050. "rationale": {
  1051. "type": "text"
  1052. },
  1053. "references": {
  1054. "type": "text"
  1055. },
  1056. "result": {
  1057. "type": "keyword"
  1058. },
  1059. "severity": {
  1060. "type": "keyword"
  1061. },
  1062. "title": {
  1063. "type": "keyword"
  1064. }
  1065. }
  1066. },
  1067. "scan": {
  1068. "properties": {
  1069. "benchmark": {
  1070. "properties": {
  1071. "id": {
  1072. "type": "keyword"
  1073. }
  1074. }
  1075. },
  1076. "content": {
  1077. "type": "keyword"
  1078. },
  1079. "id": {
  1080. "type": "keyword"
  1081. },
  1082. "profile": {
  1083. "properties": {
  1084. "id": {
  1085. "type": "keyword"
  1086. },
  1087. "title": {
  1088. "type": "keyword"
  1089. }
  1090. }
  1091. },
  1092. "return_code": {
  1093. "type": "long"
  1094. },
  1095. "score": {
  1096. "type": "double"
  1097. }
  1098. }
  1099. }
  1100. }
  1101. },
  1102. "office365": {
  1103. "properties": {
  1104. "Actor": {
  1105. "properties": {
  1106. "ID": {
  1107. "type": "keyword"
  1108. }
  1109. }
  1110. },
  1111. "UserId": {
  1112. "type": "keyword"
  1113. },
  1114. "Operation": {
  1115. "type": "keyword"
  1116. },
  1117. "ClientIP": {
  1118. "type": "keyword"
  1119. },
  1120. "ResultStatus": {
  1121. "type": "keyword"
  1122. },
  1123. "Subscription": {
  1124. "type": "keyword"
  1125. }
  1126. }
  1127. },
  1128. "github": {
  1129. "properties": {
  1130. "org": {
  1131. "type": "keyword"
  1132. },
  1133. "actor": {
  1134. "type": "keyword"
  1135. },
  1136. "action": {
  1137. "type": "keyword"
  1138. },
  1139. "actor_location": {
  1140. "properties": {
  1141. "country_code": {
  1142. "type": "keyword"
  1143. }
  1144. }
  1145. },
  1146. "repo": {
  1147. "type": "keyword"
  1148. }
  1149. }
  1150. },
  1151. "type": {
  1152. "type": "keyword"
  1153. },
  1154. "netinfo": {
  1155. "properties": {
  1156. "iface": {
  1157. "properties": {
  1158. "name": {
  1159. "type": "keyword"
  1160. },
  1161. "mac": {
  1162. "type": "keyword"
  1163. },
  1164. "adapter": {
  1165. "type": "keyword"
  1166. },
  1167. "type": {
  1168. "type": "keyword"
  1169. },
  1170. "state": {
  1171. "type": "keyword"
  1172. },
  1173. "mtu": {
  1174. "type": "long"
  1175. },
  1176. "tx_bytes": {
  1177. "type": "long"
  1178. },
  1179. "rx_bytes": {
  1180. "type": "long"
  1181. },
  1182. "tx_errors": {
  1183. "type": "long"
  1184. },
  1185. "rx_errors": {
  1186. "type": "long"
  1187. },
  1188. "tx_dropped": {
  1189. "type": "long"
  1190. },
  1191. "rx_dropped": {
  1192. "type": "long"
  1193. },
  1194. "tx_packets": {
  1195. "type": "long"
  1196. },
  1197. "rx_packets": {
  1198. "type": "long"
  1199. },
  1200. "ipv4": {
  1201. "properties": {
  1202. "gateway": {
  1203. "type": "keyword"
  1204. },
  1205. "dhcp": {
  1206. "type": "keyword"
  1207. },
  1208. "address": {
  1209. "type": "keyword"
  1210. },
  1211. "netmask": {
  1212. "type": "keyword"
  1213. },
  1214. "broadcast": {
  1215. "type": "keyword"
  1216. },
  1217. "metric": {
  1218. "type": "long"
  1219. }
  1220. }
  1221. },
  1222. "ipv6": {
  1223. "properties": {
  1224. "gateway": {
  1225. "type": "keyword"
  1226. },
  1227. "dhcp": {
  1228. "type": "keyword"
  1229. },
  1230. "address": {
  1231. "type": "keyword"
  1232. },
  1233. "netmask": {
  1234. "type": "keyword"
  1235. },
  1236. "broadcast": {
  1237. "type": "keyword"
  1238. },
  1239. "metric": {
  1240. "type": "long"
  1241. }
  1242. }
  1243. }
  1244. }
  1245. }
  1246. }
  1247. },
  1248. "os": {
  1249. "properties": {
  1250. "hostname": {
  1251. "type": "keyword"
  1252. },
  1253. "architecture": {
  1254. "type": "keyword"
  1255. },
  1256. "name": {
  1257. "type": "keyword"
  1258. },
  1259. "version": {
  1260. "type": "keyword"
  1261. },
  1262. "codename": {
  1263. "type": "keyword"
  1264. },
  1265. "major": {
  1266. "type": "keyword"
  1267. },
  1268. "minor": {
  1269. "type": "keyword"
  1270. },
  1271. "patch": {
  1272. "type": "keyword"
  1273. },
  1274. "build": {
  1275. "type": "keyword"
  1276. },
  1277. "platform": {
  1278. "type": "keyword"
  1279. },
  1280. "sysname": {
  1281. "type": "keyword"
  1282. },
  1283. "release": {
  1284. "type": "keyword"
  1285. },
  1286. "release_version": {
  1287. "type": "keyword"
  1288. },
  1289. "display_version": {
  1290. "type": "keyword"
  1291. }
  1292. }
  1293. },
  1294. "port": {
  1295. "properties": {
  1296. "protocol": {
  1297. "type": "keyword"
  1298. },
  1299. "local_ip": {
  1300. "type": "ip"
  1301. },
  1302. "local_port": {
  1303. "type": "long"
  1304. },
  1305. "remote_ip": {
  1306. "type": "ip"
  1307. },
  1308. "remote_port": {
  1309. "type": "long"
  1310. },
  1311. "tx_queue": {
  1312. "type": "long"
  1313. },
  1314. "rx_queue": {
  1315. "type": "long"
  1316. },
  1317. "inode": {
  1318. "type": "long"
  1319. },
  1320. "state": {
  1321. "type": "keyword"
  1322. },
  1323. "pid": {
  1324. "type": "long"
  1325. },
  1326. "process": {
  1327. "type": "keyword"
  1328. }
  1329. }
  1330. },
  1331. "hardware": {
  1332. "properties": {
  1333. "serial": {
  1334. "type": "keyword"
  1335. },
  1336. "cpu_name": {
  1337. "type": "keyword"
  1338. },
  1339. "cpu_cores": {
  1340. "type": "long"
  1341. },
  1342. "cpu_mhz": {
  1343. "type": "double"
  1344. },
  1345. "ram_total": {
  1346. "type": "long"
  1347. },
  1348. "ram_free": {
  1349. "type": "long"
  1350. },
  1351. "ram_usage": {
  1352. "type": "long"
  1353. }
  1354. }
  1355. },
  1356. "program": {
  1357. "properties": {
  1358. "format": {
  1359. "type": "keyword"
  1360. },
  1361. "name": {
  1362. "type": "keyword"
  1363. },
  1364. "priority": {
  1365. "type": "keyword"
  1366. },
  1367. "section": {
  1368. "type": "keyword"
  1369. },
  1370. "size": {
  1371. "type": "long"
  1372. },
  1373. "vendor": {
  1374. "type": "keyword"
  1375. },
  1376. "install_time": {
  1377. "type": "keyword"
  1378. },
  1379. "version": {
  1380. "type": "keyword"
  1381. },
  1382. "architecture": {
  1383. "type": "keyword"
  1384. },
  1385. "multiarch": {
  1386. "type": "keyword"
  1387. },
  1388. "source": {
  1389. "type": "keyword"
  1390. },
  1391. "description": {
  1392. "type": "keyword"
  1393. },
  1394. "location": {
  1395. "type": "keyword"
  1396. }
  1397. }
  1398. },
  1399. "process": {
  1400. "properties": {
  1401. "pid": {
  1402. "type": "long"
  1403. },
  1404. "name": {
  1405. "type": "keyword"
  1406. },
  1407. "state": {
  1408. "type": "keyword"
  1409. },
  1410. "ppid": {
  1411. "type": "long"
  1412. },
  1413. "utime": {
  1414. "type": "long"
  1415. },
  1416. "stime": {
  1417. "type": "long"
  1418. },
  1419. "cmd": {
  1420. "type": "keyword"
  1421. },
  1422. "args": {
  1423. "type": "keyword"
  1424. },
  1425. "euser": {
  1426. "type": "keyword"
  1427. },
  1428. "ruser": {
  1429. "type": "keyword"
  1430. },
  1431. "suser": {
  1432. "type": "keyword"
  1433. },
  1434. "egroup": {
  1435. "type": "keyword"
  1436. },
  1437. "sgroup": {
  1438. "type": "keyword"
  1439. },
  1440. "fgroup": {
  1441. "type": "keyword"
  1442. },
  1443. "rgroup": {
  1444. "type": "keyword"
  1445. },
  1446. "priority": {
  1447. "type": "long"
  1448. },
  1449. "nice": {
  1450. "type": "long"
  1451. },
  1452. "size": {
  1453. "type": "long"
  1454. },
  1455. "vm_size": {
  1456. "type": "long"
  1457. },
  1458. "resident": {
  1459. "type": "long"
  1460. },
  1461. "share": {
  1462. "type": "long"
  1463. },
  1464. "start_time": {
  1465. "type": "long"
  1466. },
  1467. "pgrp": {
  1468. "type": "long"
  1469. },
  1470. "session": {
  1471. "type": "long"
  1472. },
  1473. "nlwp": {
  1474. "type": "long"
  1475. },
  1476. "tgid": {
  1477. "type": "long"
  1478. },
  1479. "tty": {
  1480. "type": "long"
  1481. },
  1482. "processor": {
  1483. "type": "long"
  1484. }
  1485. }
  1486. },
  1487. "sca": {
  1488. "properties": {
  1489. "type": {
  1490. "type": "keyword"
  1491. },
  1492. "scan_id": {
  1493. "type": "keyword"
  1494. },
  1495. "policy": {
  1496. "type": "keyword"
  1497. },
  1498. "name": {
  1499. "type": "keyword"
  1500. },
  1501. "file": {
  1502. "type": "keyword"
  1503. },
  1504. "description": {
  1505. "type": "keyword"
  1506. },
  1507. "passed": {
  1508. "type": "integer"
  1509. },
  1510. "failed": {
  1511. "type": "integer"
  1512. },
  1513. "score": {
  1514. "type": "long"
  1515. },
  1516. "check": {
  1517. "properties": {
  1518. "id": {
  1519. "type": "keyword"
  1520. },
  1521. "title": {
  1522. "type": "keyword"
  1523. },
  1524. "description": {
  1525. "type": "keyword"
  1526. },
  1527. "rationale": {
  1528. "type": "keyword"
  1529. },
  1530. "remediation": {
  1531. "type": "keyword"
  1532. },
  1533. "compliance": {
  1534. "properties": {
  1535. "cis": {
  1536. "type": "keyword"
  1537. },
  1538. "cis_csc": {
  1539. "type": "keyword"
  1540. },
  1541. "pci_dss": {
  1542. "type": "keyword"
  1543. },
  1544. "hipaa": {
  1545. "type": "keyword"
  1546. },
  1547. "nist_800_53": {
  1548. "type": "keyword"
  1549. }
  1550. }
  1551. },
  1552. "references": {
  1553. "type": "keyword"
  1554. },
  1555. "file": {
  1556. "type": "keyword"
  1557. },
  1558. "directory": {
  1559. "type": "keyword"
  1560. },
  1561. "registry": {
  1562. "type": "keyword"
  1563. },
  1564. "process": {
  1565. "type": "keyword"
  1566. },
  1567. "result": {
  1568. "type": "keyword"
  1569. },
  1570. "previous_result": {
  1571. "type": "keyword"
  1572. },
  1573. "reason": {
  1574. "type": "keyword"
  1575. }
  1576. }
  1577. },
  1578. "invalid": {
  1579. "type": "keyword"
  1580. },
  1581. "policy_id": {
  1582. "type": "keyword"
  1583. },
  1584. "total_checks": {
  1585. "type": "keyword"
  1586. }
  1587. }
  1588. },
  1589. "command": {
  1590. "type": "keyword"
  1591. },
  1592. "integration": {
  1593. "type": "keyword"
  1594. },
  1595. "timestamp": {
  1596. "type": "date"
  1597. },
  1598. "title": {
  1599. "type": "keyword"
  1600. },
  1601. "uid": {
  1602. "type": "keyword"
  1603. },
  1604. "virustotal": {
  1605. "properties": {
  1606. "description": {
  1607. "type": "keyword"
  1608. },
  1609. "error": {
  1610. "type": "keyword"
  1611. },
  1612. "found": {
  1613. "type": "keyword"
  1614. },
  1615. "malicious": {
  1616. "type": "keyword"
  1617. },
  1618. "permalink": {
  1619. "type": "keyword"
  1620. },
  1621. "positives": {
  1622. "type": "keyword"
  1623. },
  1624. "scan_date": {
  1625. "type": "keyword"
  1626. },
  1627. "sha1": {
  1628. "type": "keyword"
  1629. },
  1630. "source": {
  1631. "properties": {
  1632. "alert_id": {
  1633. "type": "keyword"
  1634. },
  1635. "file": {
  1636. "type": "keyword"
  1637. },
  1638. "md5": {
  1639. "type": "keyword"
  1640. },
  1641. "sha1": {
  1642. "type": "keyword"
  1643. }
  1644. }
  1645. },
  1646. "total": {
  1647. "type": "keyword"
  1648. }
  1649. }
  1650. },
  1651. "vulnerability": {
  1652. "properties": {
  1653. "cve": {
  1654. "type": "keyword"
  1655. },
  1656. "cvss": {
  1657. "properties": {
  1658. "cvss2": {
  1659. "properties": {
  1660. "base_score": {
  1661. "type": "keyword"
  1662. },
  1663. "exploitability_score": {
  1664. "type": "keyword"
  1665. },
  1666. "impact_score": {
  1667. "type": "keyword"
  1668. },
  1669. "vector": {
  1670. "properties": {
  1671. "access_complexity": {
  1672. "type": "keyword"
  1673. },
  1674. "attack_vector": {
  1675. "type": "keyword"
  1676. },
  1677. "authentication": {
  1678. "type": "keyword"
  1679. },
  1680. "availability": {
  1681. "type": "keyword"
  1682. },
  1683. "confidentiality_impact": {
  1684. "type": "keyword"
  1685. },
  1686. "integrity_impact": {
  1687. "type": "keyword"
  1688. },
  1689. "privileges_required": {
  1690. "type": "keyword"
  1691. },
  1692. "scope": {
  1693. "type": "keyword"
  1694. },
  1695. "user_interaction": {
  1696. "type": "keyword"
  1697. }
  1698. }
  1699. }
  1700. }
  1701. },
  1702. "cvss3": {
  1703. "properties": {
  1704. "base_score": {
  1705. "type": "keyword"
  1706. },
  1707. "exploitability_score": {
  1708. "type": "keyword"
  1709. },
  1710. "impact_score": {
  1711. "type": "keyword"
  1712. },
  1713. "vector": {
  1714. "properties": {
  1715. "access_complexity": {
  1716. "type": "keyword"
  1717. },
  1718. "attack_vector": {
  1719. "type": "keyword"
  1720. },
  1721. "authentication": {
  1722. "type": "keyword"
  1723. },
  1724. "availability": {
  1725. "type": "keyword"
  1726. },
  1727. "confidentiality_impact": {
  1728. "type": "keyword"
  1729. },
  1730. "integrity_impact": {
  1731. "type": "keyword"
  1732. },
  1733. "privileges_required": {
  1734. "type": "keyword"
  1735. },
  1736. "scope": {
  1737. "type": "keyword"
  1738. },
  1739. "user_interaction": {
  1740. "type": "keyword"
  1741. }
  1742. }
  1743. }
  1744. }
  1745. }
  1746. }
  1747. },
  1748. "cwe_reference": {
  1749. "type": "keyword"
  1750. },
  1751. "package": {
  1752. "properties": {
  1753. "source": {
  1754. "type": "keyword"
  1755. },
  1756. "architecture": {
  1757. "type": "keyword"
  1758. },
  1759. "condition": {
  1760. "type": "keyword"
  1761. },
  1762. "generated_cpe": {
  1763. "type": "keyword"
  1764. },
  1765. "name": {
  1766. "type": "keyword"
  1767. },
  1768. "version": {
  1769. "type": "keyword"
  1770. }
  1771. }
  1772. },
  1773. "published": {
  1774. "type": "date"
  1775. },
  1776. "updated": {
  1777. "type": "date"
  1778. },
  1779. "rationale": {
  1780. "type": "keyword"
  1781. },
  1782. "severity": {
  1783. "type": "keyword"
  1784. },
  1785. "title": {
  1786. "type": "keyword"
  1787. },
  1788. "assigner": {
  1789. "type": "keyword"
  1790. },
  1791. "cve_version": {
  1792. "type": "keyword"
  1793. }
  1794. }
  1795. },
  1796. "aws": {
  1797. "properties": {
  1798. "source": {
  1799. "type": "keyword"
  1800. },
  1801. "accountId": {
  1802. "type": "keyword"
  1803. },
  1804. "log_info": {
  1805. "properties": {
  1806. "s3bucket": {
  1807. "type": "keyword"
  1808. }
  1809. }
  1810. },
  1811. "region": {
  1812. "type": "keyword"
  1813. },
  1814. "bytes": {
  1815. "type": "long"
  1816. },
  1817. "dstaddr": {
  1818. "type": "ip"
  1819. },
  1820. "srcaddr": {
  1821. "type": "ip"
  1822. },
  1823. "end": {
  1824. "type": "date"
  1825. },
  1826. "start": {
  1827. "type": "date"
  1828. },
  1829. "source_ip_address": {
  1830. "type": "ip"
  1831. },
  1832. "service": {
  1833. "properties": {
  1834. "count": {
  1835. "type": "long"
  1836. },
  1837. "action.networkConnectionAction.remoteIpDetails": {
  1838. "properties": {
  1839. "ipAddressV4": {
  1840. "type": "ip"
  1841. },
  1842. "geoLocation": {
  1843. "type": "geo_point"
  1844. }
  1845. }
  1846. },
  1847. "eventFirstSeen": {
  1848. "type": "date"
  1849. },
  1850. "eventLastSeen": {
  1851. "type": "date"
  1852. }
  1853. }
  1854. },
  1855. "createdAt": {
  1856. "type": "date"
  1857. },
  1858. "updatedAt": {
  1859. "type": "date"
  1860. },
  1861. "resource.instanceDetails": {
  1862. "properties": {
  1863. "launchTime": {
  1864. "type": "date"
  1865. },
  1866. "networkInterfaces": {
  1867. "properties": {
  1868. "privateIpAddress": {
  1869. "type": "ip"
  1870. },
  1871. "publicIp": {
  1872. "type": "ip"
  1873. }
  1874. }
  1875. }
  1876. }
  1877. }
  1878. }
  1879. },
  1880. "cis": {
  1881. "properties": {
  1882. "benchmark": {
  1883. "type": "keyword"
  1884. },
  1885. "error": {
  1886. "type": "long"
  1887. },
  1888. "fail": {
  1889. "type": "long"
  1890. },
  1891. "group": {
  1892. "type": "keyword"
  1893. },
  1894. "notchecked": {
  1895. "type": "long"
  1896. },
  1897. "pass": {
  1898. "type": "long"
  1899. },
  1900. "result": {
  1901. "type": "keyword"
  1902. },
  1903. "rule_title": {
  1904. "type": "keyword"
  1905. },
  1906. "score": {
  1907. "type": "long"
  1908. },
  1909. "timestamp": {
  1910. "type": "keyword"
  1911. },
  1912. "unknown": {
  1913. "type": "long"
  1914. }
  1915. }
  1916. },
  1917. "docker": {
  1918. "properties": {
  1919. "Action": {
  1920. "type": "keyword"
  1921. },
  1922. "Actor": {
  1923. "properties": {
  1924. "Attributes": {
  1925. "properties": {
  1926. "image": {
  1927. "type": "keyword"
  1928. },
  1929. "name": {
  1930. "type": "keyword"
  1931. }
  1932. }
  1933. }
  1934. }
  1935. },
  1936. "Type": {
  1937. "type": "keyword"
  1938. }
  1939. }
  1940. },
  1941. "gcp": {
  1942. "properties": {
  1943. "jsonPayload": {
  1944. "properties": {
  1945. "authAnswer": {
  1946. "type": "keyword"
  1947. },
  1948. "queryName": {
  1949. "type": "keyword"
  1950. },
  1951. "responseCode": {
  1952. "type": "keyword"
  1953. },
  1954. "vmInstanceId": {
  1955. "type": "keyword"
  1956. },
  1957. "vmInstanceName": {
  1958. "type": "keyword"
  1959. }
  1960. }
  1961. },
  1962. "resource": {
  1963. "properties": {
  1964. "labels": {
  1965. "properties": {
  1966. "location": {
  1967. "type": "keyword"
  1968. },
  1969. "project_id": {
  1970. "type": "keyword"
  1971. },
  1972. "source_type": {
  1973. "type": "keyword"
  1974. }
  1975. }
  1976. },
  1977. "type": {
  1978. "type": "keyword"
  1979. }
  1980. }
  1981. },
  1982. "severity": {
  1983. "type": "keyword"
  1984. }
  1985. }
  1986. },
  1987. "osquery": {
  1988. "properties": {
  1989. "name": {
  1990. "type": "keyword"
  1991. },
  1992. "pack": {
  1993. "type": "keyword"
  1994. },
  1995. "action": {
  1996. "type": "keyword"
  1997. },
  1998. "calendarTime": {
  1999. "type": "keyword"
  2000. }
  2001. }
  2002. }
  2003. }
  2004. },
  2005. "program_name": {
  2006. "type": "keyword"
  2007. },
  2008. "command": {
  2009. "type": "keyword"
  2010. },
  2011. "type": {
  2012. "type": "text"
  2013. },
  2014. "title": {
  2015. "type": "keyword"
  2016. },
  2017. "id": {
  2018. "type": "keyword"
  2019. },
  2020. "input": {
  2021. "properties": {
  2022. "type": {
  2023. "type": "keyword"
  2024. }
  2025. }
  2026. },
  2027. "previous_output": {
  2028. "type": "keyword"
  2029. }
  2030. }
  2031. },
  2032. "version": 1
  2033. }
  2034.  