logstash-output-elasticsearch 10.5.1-java → 10.6.0-java

Files changed (21) hide show
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +3 -0
  3. data/docs/index.asciidoc +46 -4
  4. data/lib/logstash/outputs/elasticsearch.rb +33 -0
  5. data/lib/logstash/outputs/elasticsearch/common.rb +7 -7
  6. data/lib/logstash/outputs/elasticsearch/common_configs.rb +3 -3
  7. data/lib/logstash/outputs/elasticsearch/ilm.rb +1 -1
  8. data/lib/logstash/outputs/elasticsearch/template_manager.rb +12 -9
  9. data/lib/logstash/outputs/elasticsearch/{elasticsearch-template-es2x.json → templates/ecs-disabled/elasticsearch-2x.json} +0 -0
  10. data/lib/logstash/outputs/elasticsearch/{elasticsearch-template-es5x.json → templates/ecs-disabled/elasticsearch-5x.json} +0 -0
  11. data/lib/logstash/outputs/elasticsearch/{elasticsearch-template-es6x.json → templates/ecs-disabled/elasticsearch-6x.json} +0 -0
  12. data/lib/logstash/outputs/elasticsearch/{elasticsearch-template-es7x.json → templates/ecs-disabled/elasticsearch-7x.json} +0 -0
  13. data/lib/logstash/outputs/elasticsearch/{elasticsearch-template-es8x.json → templates/ecs-disabled/elasticsearch-8x.json} +0 -0
  14. data/lib/logstash/outputs/elasticsearch/templates/ecs-v1/elasticsearch-6x.json +2950 -0
  15. data/lib/logstash/outputs/elasticsearch/templates/ecs-v1/elasticsearch-7x.json +2948 -0
  16. data/logstash-output-elasticsearch.gemspec +2 -1
  17. data/spec/integration/outputs/ilm_spec.rb +2 -2
  18. data/spec/unit/outputs/elasticsearch/template_manager_spec.rb +9 -3
  19. data/spec/unit/outputs/elasticsearch_spec.rb +1 -1
  20. data/spec/unit/outputs/error_whitelist_spec.rb +1 -1
  21. metadata +23 -7
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: cefa6633e4a89765721857efffd49144e84f4fd76a2b6625664478076f4623bd
4
- data.tar.gz: d774499e956fdf0a2920a27e38830f47f7b479f313666874d447319db8736de6
3
+ metadata.gz: 69cd4a7aaa5a5b66bc94d633f1e482f472a557a464f0077e1382fe3b8d8bf6a4
4
+ data.tar.gz: 3b08e4236f1ba8d580a4f35b528400a3c3a3e0b33123ca9e5d0b983cdb6a256d
5
5
  SHA512:
6
- metadata.gz: 142fdc58605911159a51bdd825bdb22e78f182a61084babc31f6827bf5965aea00dbfb6c9b5c58d55f26e6a9b09ca32b2b48e5a39b887afd400e3793f0d6044c
7
- data.tar.gz: 3d98fa8506b2bba7a631f536e025aa5f6f3c50da862ee53509136df3430ce685f0d5adfefcd8bc14a97fdde874bd8e3e220842beaa8772663324e9a7571c145c
6
+ metadata.gz: 5acda5b8b7a8654f0a8ffd9c99483f25eb7076184d018a76615e7d88861a45c898a6f1d20a80396791f8e6ec53746d716705ebde4db7d60b258b17941bb073b9
7
+ data.tar.gz: 9927d71a573cf5aee344d8d8e0f8c7808b4e98769a1a35ae83ac25186439326f9ffa9910c676aec567607da3b9cb8bb26570fb5dd662c1ca62f648288230acb5
@@ -1,3 +1,6 @@
1
+ ## 10.6.0
2
+ - Added `ecs_compatiblity` mode, for managing ECS-compatable templates [#952](https://github.com/logstash-plugins/logstash-output-elasticsearch/issue/952)
3
+
1
4
  ## 10.5.1
2
5
  - [DOC] Removed outdated compatibility notices, reworked cloud notice, and fixed formatting for `hosts` examples [#938](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/938)
3
6
 
@@ -58,6 +58,20 @@ https://www.elastic.co/cloud/elasticsearch-service[hosted {es} Service] on
58
58
  Elastic Cloud. The Elasticsearch Service is available on AWS, Google Cloud
59
59
  Platform, and Microsoft Azure. {ess-trial}[Try the {es} Service for free].
60
60
 
61
+ ==== Compatibility with the Elastic Common Schema (ECS)
62
+
63
+ This plugin will persist events to Elasticsearch in the shape produced by
64
+ your pipeline, and _cannot_ be used to re-shape the event structure into a
65
+ shape that complies with ECS. To produce events that fully comply with ECS,
66
+ you will need to populate ECS-defined fields throughout your pipeline
67
+ definition.
68
+
69
+ However, the Elasticsearch Index Templates it manages can be configured to
70
+ be ECS-compatible by setting <<plugins-{type}s-{plugin}-ecs_compatibility>>.
71
+ By having an ECS-compatible template in place, we can ensure that Elasticsearch
72
+ is prepared to create and index fields in a way that is compatible with ECS,
73
+ and will correctly reject events with fields that conflict and cannot be coerced.
74
+
61
75
  ==== Writing to different indices: best practices
62
76
 
63
77
  [NOTE]
@@ -234,6 +248,7 @@ This plugin supports the following configuration options plus the <
234
248
  | <<plugins-{type}s-{plugin}-doc_as_upsert>> |<<boolean,boolean>>|No
235
249
  | <<plugins-{type}s-{plugin}-document_id>> |<<string,string>>|No
236
250
  | <<plugins-{type}s-{plugin}-document_type>> |<<string,string>>|No
251
+ | <<plugins-{type}s-{plugin}-ecs_compatibility>> | <<string,string>>|No
237
252
  | <<plugins-{type}s-{plugin}-failure_type_logging_whitelist>> |<<array,array>>|No
238
253
  | <<plugins-{type}s-{plugin}-healthcheck_path>> |<<string,string>>|No
239
254
  | <<plugins-{type}s-{plugin}-hosts>> |<<uri,uri>>|No
@@ -393,6 +408,25 @@ If you don't set a value for this option:
393
408
  - for elasticsearch clusters 6.x: the value of 'doc' will be used;
394
409
  - for elasticsearch clusters 5.x and below: the event's 'type' field will be used, if the field is not present the value of 'doc' will be used.
395
410
 
411
+ [id="plugins-{type}s-{plugin}-ecs_compatibility"]
412
+ ===== `ecs_compatibility`
413
+
414
+ * Value type is <<string,string>>
415
+ * Supported values are:
416
+ ** `disabled`: does not provide ECS-compatible templates
417
+ ** `v1`: provides defaults that are compatible with v1 of the Elastic Common Schema
418
+ * Default value depends on which version of Logstash is running:
419
+ ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
420
+ ** Otherwise, the default value is `disabled`.
421
+
422
+ Controls this plugin's compatibility with the {ecs-ref}}[Elastic Common Schema (ECS)],
423
+ including the installation of ECS-compatible index templates.
424
+ The value of this setting affects the _default_ values of:
425
+
426
+ * <<plugins-{type}s-{plugin}-index>>
427
+ * <<plugins-{type}s-{plugin}-template_name>>
428
+ * <<plugins-{type}s-{plugin}-ilm_rollover_alias>>
429
+
396
430
  [id="plugins-{type}s-{plugin}-failure_type_logging_whitelist"]
397
431
  ===== `failure_type_logging_whitelist`
398
432
 
@@ -500,7 +534,9 @@ NOTE: If this setting is specified, the policy must already exist in Elasticsear
500
534
  ===== `ilm_rollover_alias`
501
535
 
502
536
  * Value type is <<string,string>>
503
- * Default value is `logstash`
537
+ * Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
538
+ ** ECS Compatibility disabled: `logstash`
539
+ ** ECS Compatibility enabled: `ecs-logstash`
504
540
 
505
541
  The rollover alias is the alias where indices managed using Index Lifecycle Management will be written to.
506
542
 
@@ -514,7 +550,9 @@ NOTE: `ilm_rollover_alias` does NOT support dynamic variable substitution as `in
514
550
  ===== `index`
515
551
 
516
552
  * Value type is <<string,string>>
517
- * Default value is `"logstash-%{+yyyy.MM.dd}"`
553
+ * Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
554
+ ** ECS Compatibility disabled: `"logstash-%{+yyyy.MM.dd}"`
555
+ ** ECS Compatibility enabled: `"ecs-logstash-%{+yyyy.MM.dd}"`
518
556
 
519
557
  The index to write events to. This can be dynamic using the `%{foo}` syntax.
520
558
  The default value will partition your indices by day so you can more easily
@@ -548,7 +586,8 @@ Set the keystore password
548
586
  * Default value is `true`
549
587
 
550
588
  From Logstash 1.3 onwards, a template is applied to Elasticsearch during
551
- Logstash's startup if one with the name `template_name` does not already exist.
589
+ Logstash's startup if one with the name <<plugins-{type}s-{plugin}-template_name>>
590
+ does not already exist.
552
591
  By default, the contents of this template is the default template for
553
592
  `logstash-%{+YYYY.MM.dd}` which always matches indices based on the pattern
554
593
  `logstash-*`. Should you require support for other index names, or would like
@@ -799,7 +838,10 @@ If not set, the included template will be used.
799
838
  ===== `template_name`
800
839
 
801
840
  * Value type is <<string,string>>
802
- * Default value is `"logstash"`
841
+ * Default value depends on whether <<plugins-{type}s-{plugin}-ecs_compatibility>> is enabled:
842
+ ** ECS Compatibility disabled: `logstash`
843
+ ** ECS Compatibility enabled: `ecs-logstash`
844
+
803
845
 
804
846
  This configuration option defines how the template is named inside Elasticsearch.
805
847
  Note that if you have used the template management features and subsequently
@@ -92,6 +92,8 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
92
92
  require "logstash/outputs/elasticsearch/common"
93
93
  require "logstash/outputs/elasticsearch/ilm"
94
94
 
95
+ require 'logstash/plugin_mixins/ecs_compatibility_support'
96
+
95
97
  # Protocol agnostic (i.e. non-http, non-java specific) configs go here
96
98
  include(LogStash::Outputs::ElasticSearch::CommonConfigs)
97
99
 
@@ -101,6 +103,9 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
101
103
  # Methods for ILM support
102
104
  include(LogStash::Outputs::ElasticSearch::Ilm)
103
105
 
106
+ # ecs_compatibility option, provided by Logstash core or the support adapter.
107
+ include(LogStash::PluginMixins::ECSCompatibilitySupport)
108
+
104
109
  config_name "elasticsearch"
105
110
 
106
111
  # The Elasticsearch action to perform. Valid actions are:
@@ -242,6 +247,34 @@ class LogStash::Outputs::ElasticSearch < LogStash::Outputs::Base
242
247
  # Custom Headers to send on each request to elasticsearch nodes
243
248
  config :custom_headers, :validate => :hash, :default => {}
244
249
 
250
+ def initialize(*params)
251
+ super
252
+ setup_ecs_compatibility_related_defaults
253
+ end
254
+
255
+ def setup_ecs_compatibility_related_defaults
256
+ case ecs_compatibility
257
+ when :disabled
258
+ @default_index = "logstash-%{+yyyy.MM.dd}"
259
+ @default_ilm_rollover_alias = "logstash"
260
+ @default_template_name = 'logstash'
261
+ when :v1
262
+ @default_index = "ecs-logstash-%{+yyyy.MM.dd}"
263
+ @default_ilm_rollover_alias = "ecs-logstash"
264
+ @default_template_name = 'ecs-logstash'
265
+ else
266
+ fail("unsupported ECS Compatibility `#{ecs_compatibility}`")
267
+ end
268
+
269
+ @index ||= default_index
270
+ @ilm_rollover_alias ||= default_ilm_rollover_alias
271
+ @template_name ||= default_template_name
272
+ end
273
+
274
+ attr_reader :default_index
275
+ attr_reader :default_ilm_rollover_alias
276
+ attr_reader :default_template_name
277
+
245
278
  # @override to handle proxy => '' as if none was set
246
279
  def config_init(params)
247
280
  proxy = params['proxy']
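Review bot: The `else` branch of `setup_ecs_compatibility_related_defaults` uses a bare `fail("unsupported ECS Compatibility ...")`, which raises a plain RuntimeError from `initialize` for what is a configuration problem; if the rest of this plugin reports config errors as `LogStash::ConfigurationError` (not visible in this hunk), matching that here, e.g. `fail(LogStash::ConfigurationError, "unsupported ECS Compatibility `#{ecs_compatibility}`")`, lets Logstash surface it as a config failure rather than an unhandled crash. The helper is also left public alongside the three `attr_reader`s, so it becomes part of the plugin's surface even though only `initialize` calls it; `private :setup_ecs_compatibility_related_defaults` would keep the contract to the three defaults that `common.rb` and `ilm.rb` read (check the spec changes in this release before hiding the readers themselves). The method has no comment; I would add `# Resolve the ecs_compatibility-dependent defaults for index, ilm_rollover_alias and template_name; each is applied only when the user did not set the option.` above it.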
@@ -60,8 +60,8 @@ module LogStash; module Outputs; class ElasticSearch;
60
60
  !!maximum_seen_major_version
61
61
  end
62
62
 
63
- def use_event_type?(client)
64
- client.maximum_seen_major_version < 8
63
+ def use_event_type?
64
+ maximum_seen_major_version < 8
65
65
  end
66
66
 
67
67
  # Convert the event into a 3-tuple of action, params, and event
@@ -74,7 +74,7 @@ module LogStash; module Outputs; class ElasticSearch;
74
74
  routing_field_name => @routing ? event.sprintf(@routing) : nil
75
75
  }
76
76
 
77
- params[:_type] = get_event_type(event) if use_event_type?(client)
77
+ params[:_type] = get_event_type(event) if use_event_type?
78
78
 
79
79
  if @pipeline
80
80
  params[:pipeline] = event.sprintf(@pipeline)
@@ -347,11 +347,11 @@ module LogStash; module Outputs; class ElasticSearch;
347
347
  type = if @document_type
348
348
  event.sprintf(@document_type)
349
349
  else
350
- if client.maximum_seen_major_version < 6
350
+ if maximum_seen_major_version < 6
351
351
  event.get("type") || DEFAULT_EVENT_TYPE_ES6
352
- elsif client.maximum_seen_major_version == 6
352
+ elsif maximum_seen_major_version == 6
353
353
  DEFAULT_EVENT_TYPE_ES6
354
- elsif client.maximum_seen_major_version == 7
354
+ elsif maximum_seen_major_version == 7
355
355
  DEFAULT_EVENT_TYPE_ES7
356
356
  else
357
357
  nil
@@ -436,7 +436,7 @@ module LogStash; module Outputs; class ElasticSearch;
436
436
  end
437
437
 
438
438
  def default_index?(index)
439
- @index == LogStash::Outputs::ElasticSearch::CommonConfigs::DEFAULT_INDEX_NAME
439
+ @index == @default_index
440
440
  end
441
441
 
442
442
  def dlq_enabled?
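Review bot: `default_index?(index)` in the last hunk still ignores its `index` argument and answers about the configured `@index` by comparing it with `@default_index`, so a caller passing any other value gets a misleading result. The mismatch predates this commit, but since the line is being rewritten it is the moment to either use the parameter (`index == @default_index`) or drop it; I cannot see the callers from here, so confirm they pass `@index` before changing the expression. At minimum the new line deserves `# @default_index is populated by setup_ecs_compatibility_related_defaults in the plugin` so the dependency on the including class is visible in this mixin.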
@@ -17,7 +17,7 @@ module LogStash; module Outputs; class ElasticSearch
17
17
  # For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}.
18
18
  # LS uses Joda to format the index pattern from event timestamp.
19
19
  # Joda formats are defined http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[here].
20
- mod.config :index, :validate => :string, :default => DEFAULT_INDEX_NAME
20
+ mod.config :index, :validate => :string
21
21
 
22
22
  mod.config :document_type,
23
23
  :validate => :string,
@@ -44,7 +44,7 @@ module LogStash; module Outputs; class ElasticSearch
44
44
  # `curl -XDELETE <http://localhost:9200/_template/OldTemplateName?pretty>`
45
45
  #
46
46
  # where `OldTemplateName` is whatever the former setting was.
47
- mod.config :template_name, :validate => :string, :default => "logstash"
47
+ mod.config :template_name, :validate => :string
48
48
 
49
49
  # You can set the path to your own template here, if you so desire.
50
50
  # If not set, the included template will be used.
@@ -153,7 +153,7 @@ module LogStash; module Outputs; class ElasticSearch
153
153
  mod.config :ilm_enabled, :validate => [true, false, 'true', 'false', 'auto'], :default => 'auto'
154
154
 
155
155
  # Rollover alias used for indexing data. If rollover alias doesn't exist, Logstash will create it and map it to the relevant index
156
- mod.config :ilm_rollover_alias, :validate => :string, :default => DEFAULT_ROLLOVER_ALIAS
156
+ mod.config :ilm_rollover_alias, :validate => :string
157
157
 
158
158
  # appends “{now/d}-000001” by default for new index creation, subsequent rollover indices will increment based on this pattern i.e. “000002”
159
159
  # {now/d} is date math, and will insert the appropriate value automatically.
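Review bot: With `:default` removed from `:index`, `:template_name` and `:ilm_rollover_alias` in the three hunks of this file, nothing here tells a reader what the effective default is; it is now resolved from `ecs_compatibility` in the plugin's `setup_ecs_compatibility_related_defaults`. Each of the three `mod.config` lines would benefit from a comment naming both values, e.g. above `:index`: `# No DSL default: resolved from ecs_compatibility ("logstash-%{+yyyy.MM.dd}" or "ecs-logstash-%{+yyyy.MM.dd}")`. The existing comment above `:template_name` about deleting `OldTemplateName` when the setting changes now also applies to toggling `ecs_compatibility`, since the default name switches between `logstash` and `ecs-logstash`; a sentence saying so would spare operators from ending up with both templates installed. If the `DEFAULT_INDEX_NAME` and `DEFAULT_ROLLOVER_ALIAS` constants that the removed lines referenced are still defined, they are now unused and should be dropped or marked deprecated.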
@@ -12,7 +12,7 @@ module LogStash; module Outputs; class ElasticSearch
12
12
  end
13
13
 
14
14
  def default_rollover_alias?(rollover_alias)
15
- rollover_alias == LogStash::Outputs::ElasticSearch::DEFAULT_ROLLOVER_ALIAS
15
+ rollover_alias == default_ilm_rollover_alias
16
16
  end
17
17
 
18
18
  def ilm_alias_set?
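Review bot: `default_rollover_alias?` now calls `default_ilm_rollover_alias`, which this mixin does not define; it is an `attr_reader` on the including plugin populated from `ecs_compatibility`, and that contract is implicit. A one-line comment would make it explicit for anyone including the module elsewhere: `# default_ilm_rollover_alias is provided by the including plugin (chosen from ecs_compatibility)`. Note the behavioural consequence as well: under `v1` an explicitly configured `ilm_rollover_alias => "logstash"` is no longer treated as the default, which looks intended but is worth a line in the release notes.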
@@ -3,14 +3,15 @@ module LogStash; module Outputs; class ElasticSearch
3
3
  # To be mixed into the elasticsearch plugin base
4
4
  def self.install_template(plugin)
5
5
  return unless plugin.manage_template
6
- if plugin.template.nil?
7
- plugin.logger.info("Using default mapping template")
8
- else
6
+ if plugin.template
9
7
  plugin.logger.info("Using mapping template from", :path => plugin.template)
8
+ template = read_template_file(plugin.template)
9
+ else
10
+ plugin.logger.info("Using a default mapping template", :es_version => plugin.maximum_seen_major_version,
11
+ :ecs_compatibility => plugin.ecs_compatibility)
12
+ template = load_default_template(plugin.maximum_seen_major_version, plugin.ecs_compatibility)
10
13
  end
11
14
 
12
-
13
- template = get_template(plugin.template, plugin.maximum_seen_major_version)
14
15
  add_ilm_settings_to_template(plugin, template) if plugin.ilm_in_use?
15
16
  plugin.logger.info("Attempting to install template", :manage_template => template)
16
17
  install(plugin.client, template_name(plugin), template, plugin.template_overwrite)
@@ -19,9 +20,11 @@ module LogStash; module Outputs; class ElasticSearch
19
20
  end
20
21
 
21
22
  private
22
- def self.get_template(path, es_major_version)
23
- template_path = path || default_template_path(es_major_version)
23
+ def self.load_default_template(es_major_version, ecs_compatibility)
24
+ template_path = default_template_path(es_major_version, ecs_compatibility)
24
25
  read_template_file(template_path)
26
+ rescue => e
27
+ fail "Failed to load default template for Elasticsearch v#{es_major_version} with ECS #{ecs_compatibility}; caused by: #{e.inspect}"
25
28
  end
26
29
 
27
30
  def self.install(client, template_name, template, template_overwrite)
@@ -46,9 +49,9 @@ module LogStash; module Outputs; class ElasticSearch
46
49
  plugin.ilm_in_use? && !plugin.original_params.key?('template_name') ? plugin.ilm_rollover_alias : plugin.template_name
47
50
  end
48
51
 
49
- def self.default_template_path(es_major_version)
52
+ def self.default_template_path(es_major_version, ecs_compatibility=:disabled)
50
53
  template_version = es_major_version == 1 ? 2 : es_major_version
51
- default_template_name = "elasticsearch-template-es#{template_version}x.json"
54
+ default_template_name = "templates/ecs-#{ecs_compatibility}/elasticsearch-#{template_version}x.json"
52
55
  ::File.expand_path(default_template_name, ::File.dirname(__FILE__))
53
56
  end
54
57
 
@@ -0,0 +1,2950 @@
1
+ {
2
+ "index_patterns": [
3
+ "ecs-logstash-*"
4
+ ],
5
+ "mappings": {
6
+ "_doc": {
7
+ "_meta": {
8
+ "version": "1.5.0"
9
+ },
10
+ "date_detection": false,
11
+ "dynamic_templates": [
12
+ {
13
+ "strings_as_keyword": {
14
+ "mapping": {
15
+ "ignore_above": 1024,
16
+ "type": "keyword"
17
+ },
18
+ "match_mapping_type": "string"
19
+ }
20
+ }
21
+ ],
22
+ "properties": {
23
+ "@timestamp": {
24
+ "type": "date"
25
+ },
26
+ "agent": {
27
+ "properties": {
28
+ "ephemeral_id": {
29
+ "ignore_above": 1024,
30
+ "type": "keyword"
31
+ },
32
+ "id": {
33
+ "ignore_above": 1024,
34
+ "type": "keyword"
35
+ },
36
+ "name": {
37
+ "ignore_above": 1024,
38
+ "type": "keyword"
39
+ },
40
+ "type": {
41
+ "ignore_above": 1024,
42
+ "type": "keyword"
43
+ },
44
+ "version": {
45
+ "ignore_above": 1024,
46
+ "type": "keyword"
47
+ }
48
+ }
49
+ },
50
+ "as": {
51
+ "properties": {
52
+ "number": {
53
+ "type": "long"
54
+ },
55
+ "organization": {
56
+ "properties": {
57
+ "name": {
58
+ "fields": {
59
+ "text": {
60
+ "norms": false,
61
+ "type": "text"
62
+ }
63
+ },
64
+ "ignore_above": 1024,
65
+ "type": "keyword"
66
+ }
67
+ }
68
+ }
69
+ }
70
+ },
71
+ "client": {
72
+ "properties": {
73
+ "address": {
74
+ "ignore_above": 1024,
75
+ "type": "keyword"
76
+ },
77
+ "as": {
78
+ "properties": {
79
+ "number": {
80
+ "type": "long"
81
+ },
82
+ "organization": {
83
+ "properties": {
84
+ "name": {
85
+ "fields": {
86
+ "text": {
87
+ "norms": false,
88
+ "type": "text"
89
+ }
90
+ },
91
+ "ignore_above": 1024,
92
+ "type": "keyword"
93
+ }
94
+ }
95
+ }
96
+ }
97
+ },
98
+ "bytes": {
99
+ "type": "long"
100
+ },
101
+ "domain": {
102
+ "ignore_above": 1024,
103
+ "type": "keyword"
104
+ },
105
+ "geo": {
106
+ "properties": {
107
+ "city_name": {
108
+ "ignore_above": 1024,
109
+ "type": "keyword"
110
+ },
111
+ "continent_name": {
112
+ "ignore_above": 1024,
113
+ "type": "keyword"
114
+ },
115
+ "country_iso_code": {
116
+ "ignore_above": 1024,
117
+ "type": "keyword"
118
+ },
119
+ "country_name": {
120
+ "ignore_above": 1024,
121
+ "type": "keyword"
122
+ },
123
+ "location": {
124
+ "type": "geo_point"
125
+ },
126
+ "name": {
127
+ "ignore_above": 1024,
128
+ "type": "keyword"
129
+ },
130
+ "region_iso_code": {
131
+ "ignore_above": 1024,
132
+ "type": "keyword"
133
+ },
134
+ "region_name": {
135
+ "ignore_above": 1024,
136
+ "type": "keyword"
137
+ }
138
+ }
139
+ },
140
+ "ip": {
141
+ "type": "ip"
142
+ },
143
+ "mac": {
144
+ "ignore_above": 1024,
145
+ "type": "keyword"
146
+ },
147
+ "nat": {
148
+ "properties": {
149
+ "ip": {
150
+ "type": "ip"
151
+ },
152
+ "port": {
153
+ "type": "long"
154
+ }
155
+ }
156
+ },
157
+ "packets": {
158
+ "type": "long"
159
+ },
160
+ "port": {
161
+ "type": "long"
162
+ },
163
+ "registered_domain": {
164
+ "ignore_above": 1024,
165
+ "type": "keyword"
166
+ },
167
+ "top_level_domain": {
168
+ "ignore_above": 1024,
169
+ "type": "keyword"
170
+ },
171
+ "user": {
172
+ "properties": {
173
+ "domain": {
174
+ "ignore_above": 1024,
175
+ "type": "keyword"
176
+ },
177
+ "email": {
178
+ "ignore_above": 1024,
179
+ "type": "keyword"
180
+ },
181
+ "full_name": {
182
+ "fields": {
183
+ "text": {
184
+ "norms": false,
185
+ "type": "text"
186
+ }
187
+ },
188
+ "ignore_above": 1024,
189
+ "type": "keyword"
190
+ },
191
+ "group": {
192
+ "properties": {
193
+ "domain": {
194
+ "ignore_above": 1024,
195
+ "type": "keyword"
196
+ },
197
+ "id": {
198
+ "ignore_above": 1024,
199
+ "type": "keyword"
200
+ },
201
+ "name": {
202
+ "ignore_above": 1024,
203
+ "type": "keyword"
204
+ }
205
+ }
206
+ },
207
+ "hash": {
208
+ "ignore_above": 1024,
209
+ "type": "keyword"
210
+ },
211
+ "id": {
212
+ "ignore_above": 1024,
213
+ "type": "keyword"
214
+ },
215
+ "name": {
216
+ "fields": {
217
+ "text": {
218
+ "norms": false,
219
+ "type": "text"
220
+ }
221
+ },
222
+ "ignore_above": 1024,
223
+ "type": "keyword"
224
+ }
225
+ }
226
+ }
227
+ }
228
+ },
229
+ "cloud": {
230
+ "properties": {
231
+ "account": {
232
+ "properties": {
233
+ "id": {
234
+ "ignore_above": 1024,
235
+ "type": "keyword"
236
+ }
237
+ }
238
+ },
239
+ "availability_zone": {
240
+ "ignore_above": 1024,
241
+ "type": "keyword"
242
+ },
243
+ "instance": {
244
+ "properties": {
245
+ "id": {
246
+ "ignore_above": 1024,
247
+ "type": "keyword"
248
+ },
249
+ "name": {
250
+ "ignore_above": 1024,
251
+ "type": "keyword"
252
+ }
253
+ }
254
+ },
255
+ "machine": {
256
+ "properties": {
257
+ "type": {
258
+ "ignore_above": 1024,
259
+ "type": "keyword"
260
+ }
261
+ }
262
+ },
263
+ "provider": {
264
+ "ignore_above": 1024,
265
+ "type": "keyword"
266
+ },
267
+ "region": {
268
+ "ignore_above": 1024,
269
+ "type": "keyword"
270
+ }
271
+ }
272
+ },
273
+ "code_signature": {
274
+ "properties": {
275
+ "exists": {
276
+ "type": "boolean"
277
+ },
278
+ "status": {
279
+ "ignore_above": 1024,
280
+ "type": "keyword"
281
+ },
282
+ "subject_name": {
283
+ "ignore_above": 1024,
284
+ "type": "keyword"
285
+ },
286
+ "trusted": {
287
+ "type": "boolean"
288
+ },
289
+ "valid": {
290
+ "type": "boolean"
291
+ }
292
+ }
293
+ },
294
+ "container": {
295
+ "properties": {
296
+ "id": {
297
+ "ignore_above": 1024,
298
+ "type": "keyword"
299
+ },
300
+ "image": {
301
+ "properties": {
302
+ "name": {
303
+ "ignore_above": 1024,
304
+ "type": "keyword"
305
+ },
306
+ "tag": {
307
+ "ignore_above": 1024,
308
+ "type": "keyword"
309
+ }
310
+ }
311
+ },
312
+ "labels": {
313
+ "type": "object"
314
+ },
315
+ "name": {
316
+ "ignore_above": 1024,
317
+ "type": "keyword"
318
+ },
319
+ "runtime": {
320
+ "ignore_above": 1024,
321
+ "type": "keyword"
322
+ }
323
+ }
324
+ },
325
+ "destination": {
326
+ "properties": {
327
+ "address": {
328
+ "ignore_above": 1024,
329
+ "type": "keyword"
330
+ },
331
+ "as": {
332
+ "properties": {
333
+ "number": {
334
+ "type": "long"
335
+ },
336
+ "organization": {
337
+ "properties": {
338
+ "name": {
339
+ "fields": {
340
+ "text": {
341
+ "norms": false,
342
+ "type": "text"
343
+ }
344
+ },
345
+ "ignore_above": 1024,
346
+ "type": "keyword"
347
+ }
348
+ }
349
+ }
350
+ }
351
+ },
352
+ "bytes": {
353
+ "type": "long"
354
+ },
355
+ "domain": {
356
+ "ignore_above": 1024,
357
+ "type": "keyword"
358
+ },
359
+ "geo": {
360
+ "properties": {
361
+ "city_name": {
362
+ "ignore_above": 1024,
363
+ "type": "keyword"
364
+ },
365
+ "continent_name": {
366
+ "ignore_above": 1024,
367
+ "type": "keyword"
368
+ },
369
+ "country_iso_code": {
370
+ "ignore_above": 1024,
371
+ "type": "keyword"
372
+ },
373
+ "country_name": {
374
+ "ignore_above": 1024,
375
+ "type": "keyword"
376
+ },
377
+ "location": {
378
+ "type": "geo_point"
379
+ },
380
+ "name": {
381
+ "ignore_above": 1024,
382
+ "type": "keyword"
383
+ },
384
+ "region_iso_code": {
385
+ "ignore_above": 1024,
386
+ "type": "keyword"
387
+ },
388
+ "region_name": {
389
+ "ignore_above": 1024,
390
+ "type": "keyword"
391
+ }
392
+ }
393
+ },
394
+ "ip": {
395
+ "type": "ip"
396
+ },
397
+ "mac": {
398
+ "ignore_above": 1024,
399
+ "type": "keyword"
400
+ },
401
+ "nat": {
402
+ "properties": {
403
+ "ip": {
404
+ "type": "ip"
405
+ },
406
+ "port": {
407
+ "type": "long"
408
+ }
409
+ }
410
+ },
411
+ "packets": {
412
+ "type": "long"
413
+ },
414
+ "port": {
415
+ "type": "long"
416
+ },
417
+ "registered_domain": {
418
+ "ignore_above": 1024,
419
+ "type": "keyword"
420
+ },
421
+ "top_level_domain": {
422
+ "ignore_above": 1024,
423
+ "type": "keyword"
424
+ },
425
+ "user": {
426
+ "properties": {
427
+ "domain": {
428
+ "ignore_above": 1024,
429
+ "type": "keyword"
430
+ },
431
+ "email": {
432
+ "ignore_above": 1024,
433
+ "type": "keyword"
434
+ },
435
+ "full_name": {
436
+ "fields": {
437
+ "text": {
438
+ "norms": false,
439
+ "type": "text"
440
+ }
441
+ },
442
+ "ignore_above": 1024,
443
+ "type": "keyword"
444
+ },
445
+ "group": {
446
+ "properties": {
447
+ "domain": {
448
+ "ignore_above": 1024,
449
+ "type": "keyword"
450
+ },
451
+ "id": {
452
+ "ignore_above": 1024,
453
+ "type": "keyword"
454
+ },
455
+ "name": {
456
+ "ignore_above": 1024,
457
+ "type": "keyword"
458
+ }
459
+ }
460
+ },
461
+ "hash": {
462
+ "ignore_above": 1024,
463
+ "type": "keyword"
464
+ },
465
+ "id": {
466
+ "ignore_above": 1024,
467
+ "type": "keyword"
468
+ },
469
+ "name": {
470
+ "fields": {
471
+ "text": {
472
+ "norms": false,
473
+ "type": "text"
474
+ }
475
+ },
476
+ "ignore_above": 1024,
477
+ "type": "keyword"
478
+ }
479
+ }
480
+ }
481
+ }
482
+ },
483
+ "dll": {
484
+ "properties": {
485
+ "code_signature": {
486
+ "properties": {
487
+ "exists": {
488
+ "type": "boolean"
489
+ },
490
+ "status": {
491
+ "ignore_above": 1024,
492
+ "type": "keyword"
493
+ },
494
+ "subject_name": {
495
+ "ignore_above": 1024,
496
+ "type": "keyword"
497
+ },
498
+ "trusted": {
499
+ "type": "boolean"
500
+ },
501
+ "valid": {
502
+ "type": "boolean"
503
+ }
504
+ }
505
+ },
506
+ "hash": {
507
+ "properties": {
508
+ "md5": {
509
+ "ignore_above": 1024,
510
+ "type": "keyword"
511
+ },
512
+ "sha1": {
513
+ "ignore_above": 1024,
514
+ "type": "keyword"
515
+ },
516
+ "sha256": {
517
+ "ignore_above": 1024,
518
+ "type": "keyword"
519
+ },
520
+ "sha512": {
521
+ "ignore_above": 1024,
522
+ "type": "keyword"
523
+ }
524
+ }
525
+ },
526
+ "name": {
527
+ "ignore_above": 1024,
528
+ "type": "keyword"
529
+ },
530
+ "path": {
531
+ "ignore_above": 1024,
532
+ "type": "keyword"
533
+ },
534
+ "pe": {
535
+ "properties": {
536
+ "company": {
537
+ "ignore_above": 1024,
538
+ "type": "keyword"
539
+ },
540
+ "description": {
541
+ "ignore_above": 1024,
542
+ "type": "keyword"
543
+ },
544
+ "file_version": {
545
+ "ignore_above": 1024,
546
+ "type": "keyword"
547
+ },
548
+ "original_file_name": {
549
+ "ignore_above": 1024,
550
+ "type": "keyword"
551
+ },
552
+ "product": {
553
+ "ignore_above": 1024,
554
+ "type": "keyword"
555
+ }
556
+ }
557
+ }
558
+ }
559
+ },
560
+ "dns": {
561
+ "properties": {
562
+ "answers": {
563
+ "properties": {
564
+ "class": {
565
+ "ignore_above": 1024,
566
+ "type": "keyword"
567
+ },
568
+ "data": {
569
+ "ignore_above": 1024,
570
+ "type": "keyword"
571
+ },
572
+ "name": {
573
+ "ignore_above": 1024,
574
+ "type": "keyword"
575
+ },
576
+ "ttl": {
577
+ "type": "long"
578
+ },
579
+ "type": {
580
+ "ignore_above": 1024,
581
+ "type": "keyword"
582
+ }
583
+ },
584
+ "type": "object"
585
+ },
586
+ "header_flags": {
587
+ "ignore_above": 1024,
588
+ "type": "keyword"
589
+ },
590
+ "id": {
591
+ "ignore_above": 1024,
592
+ "type": "keyword"
593
+ },
594
+ "op_code": {
595
+ "ignore_above": 1024,
596
+ "type": "keyword"
597
+ },
598
+ "question": {
599
+ "properties": {
600
+ "class": {
601
+ "ignore_above": 1024,
602
+ "type": "keyword"
603
+ },
604
+ "name": {
605
+ "ignore_above": 1024,
606
+ "type": "keyword"
607
+ },
608
+ "registered_domain": {
609
+ "ignore_above": 1024,
610
+ "type": "keyword"
611
+ },
612
+ "subdomain": {
613
+ "ignore_above": 1024,
614
+ "type": "keyword"
615
+ },
616
+ "top_level_domain": {
617
+ "ignore_above": 1024,
618
+ "type": "keyword"
619
+ },
620
+ "type": {
621
+ "ignore_above": 1024,
622
+ "type": "keyword"
623
+ }
624
+ }
625
+ },
626
+ "resolved_ip": {
627
+ "type": "ip"
628
+ },
629
+ "response_code": {
630
+ "ignore_above": 1024,
631
+ "type": "keyword"
632
+ },
633
+ "type": {
634
+ "ignore_above": 1024,
635
+ "type": "keyword"
636
+ }
637
+ }
638
+ },
639
+ "ecs": {
640
+ "properties": {
641
+ "version": {
642
+ "ignore_above": 1024,
643
+ "type": "keyword"
644
+ }
645
+ }
646
+ },
647
+ "error": {
648
+ "properties": {
649
+ "code": {
650
+ "ignore_above": 1024,
651
+ "type": "keyword"
652
+ },
653
+ "id": {
654
+ "ignore_above": 1024,
655
+ "type": "keyword"
656
+ },
657
+ "message": {
658
+ "norms": false,
659
+ "type": "text"
660
+ },
661
+ "stack_trace": {
662
+ "doc_values": false,
663
+ "fields": {
664
+ "text": {
665
+ "norms": false,
666
+ "type": "text"
667
+ }
668
+ },
669
+ "ignore_above": 1024,
670
+ "index": false,
671
+ "type": "keyword"
672
+ },
673
+ "type": {
674
+ "ignore_above": 1024,
675
+ "type": "keyword"
676
+ }
677
+ }
678
+ },
679
+ "event": {
680
+ "properties": {
681
+ "action": {
682
+ "ignore_above": 1024,
683
+ "type": "keyword"
684
+ },
685
+ "category": {
686
+ "ignore_above": 1024,
687
+ "type": "keyword"
688
+ },
689
+ "code": {
690
+ "ignore_above": 1024,
691
+ "type": "keyword"
692
+ },
693
+ "created": {
694
+ "type": "date"
695
+ },
696
+ "dataset": {
697
+ "ignore_above": 1024,
698
+ "type": "keyword"
699
+ },
700
+ "duration": {
701
+ "type": "long"
702
+ },
703
+ "end": {
704
+ "type": "date"
705
+ },
706
+ "hash": {
707
+ "ignore_above": 1024,
708
+ "type": "keyword"
709
+ },
710
+ "id": {
711
+ "ignore_above": 1024,
712
+ "type": "keyword"
713
+ },
714
+ "ingested": {
715
+ "type": "date"
716
+ },
717
+ "kind": {
718
+ "ignore_above": 1024,
719
+ "type": "keyword"
720
+ },
721
+ "module": {
722
+ "ignore_above": 1024,
723
+ "type": "keyword"
724
+ },
725
+ "original": {
726
+ "doc_values": false,
727
+ "ignore_above": 1024,
728
+ "index": false,
729
+ "type": "keyword"
730
+ },
731
+ "outcome": {
732
+ "ignore_above": 1024,
733
+ "type": "keyword"
734
+ },
735
+ "provider": {
736
+ "ignore_above": 1024,
737
+ "type": "keyword"
738
+ },
739
+ "reference": {
740
+ "ignore_above": 1024,
741
+ "type": "keyword"
742
+ },
743
+ "risk_score": {
744
+ "type": "float"
745
+ },
746
+ "risk_score_norm": {
747
+ "type": "float"
748
+ },
749
+ "sequence": {
750
+ "type": "long"
751
+ },
752
+ "severity": {
753
+ "type": "long"
754
+ },
755
+ "start": {
756
+ "type": "date"
757
+ },
758
+ "timezone": {
759
+ "ignore_above": 1024,
760
+ "type": "keyword"
761
+ },
762
+ "type": {
763
+ "ignore_above": 1024,
764
+ "type": "keyword"
765
+ },
766
+ "url": {
767
+ "ignore_above": 1024,
768
+ "type": "keyword"
769
+ }
770
+ }
771
+ },
772
+ "file": {
773
+ "properties": {
774
+ "accessed": {
775
+ "type": "date"
776
+ },
777
+ "attributes": {
778
+ "ignore_above": 1024,
779
+ "type": "keyword"
780
+ },
781
+ "code_signature": {
782
+ "properties": {
783
+ "exists": {
784
+ "type": "boolean"
785
+ },
786
+ "status": {
787
+ "ignore_above": 1024,
788
+ "type": "keyword"
789
+ },
790
+ "subject_name": {
791
+ "ignore_above": 1024,
792
+ "type": "keyword"
793
+ },
794
+ "trusted": {
795
+ "type": "boolean"
796
+ },
797
+ "valid": {
798
+ "type": "boolean"
799
+ }
800
+ }
801
+ },
802
+ "created": {
803
+ "type": "date"
804
+ },
805
+ "ctime": {
806
+ "type": "date"
807
+ },
808
+ "device": {
809
+ "ignore_above": 1024,
810
+ "type": "keyword"
811
+ },
812
+ "directory": {
813
+ "ignore_above": 1024,
814
+ "type": "keyword"
815
+ },
816
+ "drive_letter": {
817
+ "ignore_above": 1,
818
+ "type": "keyword"
819
+ },
820
+ "extension": {
821
+ "ignore_above": 1024,
822
+ "type": "keyword"
823
+ },
824
+ "gid": {
825
+ "ignore_above": 1024,
826
+ "type": "keyword"
827
+ },
828
+ "group": {
829
+ "ignore_above": 1024,
830
+ "type": "keyword"
831
+ },
832
+ "hash": {
833
+ "properties": {
834
+ "md5": {
835
+ "ignore_above": 1024,
836
+ "type": "keyword"
837
+ },
838
+ "sha1": {
839
+ "ignore_above": 1024,
840
+ "type": "keyword"
841
+ },
842
+ "sha256": {
843
+ "ignore_above": 1024,
844
+ "type": "keyword"
845
+ },
846
+ "sha512": {
847
+ "ignore_above": 1024,
848
+ "type": "keyword"
849
+ }
850
+ }
851
+ },
852
+ "inode": {
853
+ "ignore_above": 1024,
854
+ "type": "keyword"
855
+ },
856
+ "mime_type": {
857
+ "ignore_above": 1024,
858
+ "type": "keyword"
859
+ },
860
+ "mode": {
861
+ "ignore_above": 1024,
862
+ "type": "keyword"
863
+ },
864
+ "mtime": {
865
+ "type": "date"
866
+ },
867
+ "name": {
868
+ "ignore_above": 1024,
869
+ "type": "keyword"
870
+ },
871
+ "owner": {
872
+ "ignore_above": 1024,
873
+ "type": "keyword"
874
+ },
875
+ "path": {
876
+ "fields": {
877
+ "text": {
878
+ "norms": false,
879
+ "type": "text"
880
+ }
881
+ },
882
+ "ignore_above": 1024,
883
+ "type": "keyword"
884
+ },
885
+ "pe": {
886
+ "properties": {
887
+ "company": {
888
+ "ignore_above": 1024,
889
+ "type": "keyword"
890
+ },
891
+ "description": {
892
+ "ignore_above": 1024,
893
+ "type": "keyword"
894
+ },
895
+ "file_version": {
896
+ "ignore_above": 1024,
897
+ "type": "keyword"
898
+ },
899
+ "original_file_name": {
900
+ "ignore_above": 1024,
901
+ "type": "keyword"
902
+ },
903
+ "product": {
904
+ "ignore_above": 1024,
905
+ "type": "keyword"
906
+ }
907
+ }
908
+ },
909
+ "size": {
910
+ "type": "long"
911
+ },
912
+ "target_path": {
913
+ "fields": {
914
+ "text": {
915
+ "norms": false,
916
+ "type": "text"
917
+ }
918
+ },
919
+ "ignore_above": 1024,
920
+ "type": "keyword"
921
+ },
922
+ "type": {
923
+ "ignore_above": 1024,
924
+ "type": "keyword"
925
+ },
926
+ "uid": {
927
+ "ignore_above": 1024,
928
+ "type": "keyword"
929
+ }
930
+ }
931
+ },
932
+ "geo": {
933
+ "properties": {
934
+ "city_name": {
935
+ "ignore_above": 1024,
936
+ "type": "keyword"
937
+ },
938
+ "continent_name": {
939
+ "ignore_above": 1024,
940
+ "type": "keyword"
941
+ },
942
+ "country_iso_code": {
943
+ "ignore_above": 1024,
944
+ "type": "keyword"
945
+ },
946
+ "country_name": {
947
+ "ignore_above": 1024,
948
+ "type": "keyword"
949
+ },
950
+ "location": {
951
+ "type": "geo_point"
952
+ },
953
+ "name": {
954
+ "ignore_above": 1024,
955
+ "type": "keyword"
956
+ },
957
+ "region_iso_code": {
958
+ "ignore_above": 1024,
959
+ "type": "keyword"
960
+ },
961
+ "region_name": {
962
+ "ignore_above": 1024,
963
+ "type": "keyword"
964
+ }
965
+ }
966
+ },
967
+ "group": {
968
+ "properties": {
969
+ "domain": {
970
+ "ignore_above": 1024,
971
+ "type": "keyword"
972
+ },
973
+ "id": {
974
+ "ignore_above": 1024,
975
+ "type": "keyword"
976
+ },
977
+ "name": {
978
+ "ignore_above": 1024,
979
+ "type": "keyword"
980
+ }
981
+ }
982
+ },
983
+ "hash": {
984
+ "properties": {
985
+ "md5": {
986
+ "ignore_above": 1024,
987
+ "type": "keyword"
988
+ },
989
+ "sha1": {
990
+ "ignore_above": 1024,
991
+ "type": "keyword"
992
+ },
993
+ "sha256": {
994
+ "ignore_above": 1024,
995
+ "type": "keyword"
996
+ },
997
+ "sha512": {
998
+ "ignore_above": 1024,
999
+ "type": "keyword"
1000
+ }
1001
+ }
1002
+ },
1003
+ "host": {
1004
+ "properties": {
1005
+ "architecture": {
1006
+ "ignore_above": 1024,
1007
+ "type": "keyword"
1008
+ },
1009
+ "domain": {
1010
+ "ignore_above": 1024,
1011
+ "type": "keyword"
1012
+ },
1013
+ "geo": {
1014
+ "properties": {
1015
+ "city_name": {
1016
+ "ignore_above": 1024,
1017
+ "type": "keyword"
1018
+ },
1019
+ "continent_name": {
1020
+ "ignore_above": 1024,
1021
+ "type": "keyword"
1022
+ },
1023
+ "country_iso_code": {
1024
+ "ignore_above": 1024,
1025
+ "type": "keyword"
1026
+ },
1027
+ "country_name": {
1028
+ "ignore_above": 1024,
1029
+ "type": "keyword"
1030
+ },
1031
+ "location": {
1032
+ "type": "geo_point"
1033
+ },
1034
+ "name": {
1035
+ "ignore_above": 1024,
1036
+ "type": "keyword"
1037
+ },
1038
+ "region_iso_code": {
1039
+ "ignore_above": 1024,
1040
+ "type": "keyword"
1041
+ },
1042
+ "region_name": {
1043
+ "ignore_above": 1024,
1044
+ "type": "keyword"
1045
+ }
1046
+ }
1047
+ },
1048
+ "hostname": {
1049
+ "ignore_above": 1024,
1050
+ "type": "keyword"
1051
+ },
1052
+ "id": {
1053
+ "ignore_above": 1024,
1054
+ "type": "keyword"
1055
+ },
1056
+ "ip": {
1057
+ "type": "ip"
1058
+ },
1059
+ "mac": {
1060
+ "ignore_above": 1024,
1061
+ "type": "keyword"
1062
+ },
1063
+ "name": {
1064
+ "ignore_above": 1024,
1065
+ "type": "keyword"
1066
+ },
1067
+ "os": {
1068
+ "properties": {
1069
+ "family": {
1070
+ "ignore_above": 1024,
1071
+ "type": "keyword"
1072
+ },
1073
+ "full": {
1074
+ "fields": {
1075
+ "text": {
1076
+ "norms": false,
1077
+ "type": "text"
1078
+ }
1079
+ },
1080
+ "ignore_above": 1024,
1081
+ "type": "keyword"
1082
+ },
1083
+ "kernel": {
1084
+ "ignore_above": 1024,
1085
+ "type": "keyword"
1086
+ },
1087
+ "name": {
1088
+ "fields": {
1089
+ "text": {
1090
+ "norms": false,
1091
+ "type": "text"
1092
+ }
1093
+ },
1094
+ "ignore_above": 1024,
1095
+ "type": "keyword"
1096
+ },
1097
+ "platform": {
1098
+ "ignore_above": 1024,
1099
+ "type": "keyword"
1100
+ },
1101
+ "version": {
1102
+ "ignore_above": 1024,
1103
+ "type": "keyword"
1104
+ }
1105
+ }
1106
+ },
1107
+ "type": {
1108
+ "ignore_above": 1024,
1109
+ "type": "keyword"
1110
+ },
1111
+ "uptime": {
1112
+ "type": "long"
1113
+ },
1114
+ "user": {
1115
+ "properties": {
1116
+ "domain": {
1117
+ "ignore_above": 1024,
1118
+ "type": "keyword"
1119
+ },
1120
+ "email": {
1121
+ "ignore_above": 1024,
1122
+ "type": "keyword"
1123
+ },
1124
+ "full_name": {
1125
+ "fields": {
1126
+ "text": {
1127
+ "norms": false,
1128
+ "type": "text"
1129
+ }
1130
+ },
1131
+ "ignore_above": 1024,
1132
+ "type": "keyword"
1133
+ },
1134
+ "group": {
1135
+ "properties": {
1136
+ "domain": {
1137
+ "ignore_above": 1024,
1138
+ "type": "keyword"
1139
+ },
1140
+ "id": {
1141
+ "ignore_above": 1024,
1142
+ "type": "keyword"
1143
+ },
1144
+ "name": {
1145
+ "ignore_above": 1024,
1146
+ "type": "keyword"
1147
+ }
1148
+ }
1149
+ },
1150
+ "hash": {
1151
+ "ignore_above": 1024,
1152
+ "type": "keyword"
1153
+ },
1154
+ "id": {
1155
+ "ignore_above": 1024,
1156
+ "type": "keyword"
1157
+ },
1158
+ "name": {
1159
+ "fields": {
1160
+ "text": {
1161
+ "norms": false,
1162
+ "type": "text"
1163
+ }
1164
+ },
1165
+ "ignore_above": 1024,
1166
+ "type": "keyword"
1167
+ }
1168
+ }
1169
+ }
1170
+ }
1171
+ },
1172
+ "http": {
1173
+ "properties": {
1174
+ "request": {
1175
+ "properties": {
1176
+ "body": {
1177
+ "properties": {
1178
+ "bytes": {
1179
+ "type": "long"
1180
+ },
1181
+ "content": {
1182
+ "fields": {
1183
+ "text": {
1184
+ "norms": false,
1185
+ "type": "text"
1186
+ }
1187
+ },
1188
+ "ignore_above": 1024,
1189
+ "type": "keyword"
1190
+ }
1191
+ }
1192
+ },
1193
+ "bytes": {
1194
+ "type": "long"
1195
+ },
1196
+ "method": {
1197
+ "ignore_above": 1024,
1198
+ "type": "keyword"
1199
+ },
1200
+ "referrer": {
1201
+ "ignore_above": 1024,
1202
+ "type": "keyword"
1203
+ }
1204
+ }
1205
+ },
1206
+ "response": {
1207
+ "properties": {
1208
+ "body": {
1209
+ "properties": {
1210
+ "bytes": {
1211
+ "type": "long"
1212
+ },
1213
+ "content": {
1214
+ "fields": {
1215
+ "text": {
1216
+ "norms": false,
1217
+ "type": "text"
1218
+ }
1219
+ },
1220
+ "ignore_above": 1024,
1221
+ "type": "keyword"
1222
+ }
1223
+ }
1224
+ },
1225
+ "bytes": {
1226
+ "type": "long"
1227
+ },
1228
+ "status_code": {
1229
+ "type": "long"
1230
+ }
1231
+ }
1232
+ },
1233
+ "version": {
1234
+ "ignore_above": 1024,
1235
+ "type": "keyword"
1236
+ }
1237
+ }
1238
+ },
1239
+ "interface": {
1240
+ "properties": {
1241
+ "alias": {
1242
+ "ignore_above": 1024,
1243
+ "type": "keyword"
1244
+ },
1245
+ "id": {
1246
+ "ignore_above": 1024,
1247
+ "type": "keyword"
1248
+ },
1249
+ "name": {
1250
+ "ignore_above": 1024,
1251
+ "type": "keyword"
1252
+ }
1253
+ }
1254
+ },
1255
+ "labels": {
1256
+ "type": "object"
1257
+ },
1258
+ "log": {
1259
+ "properties": {
1260
+ "level": {
1261
+ "ignore_above": 1024,
1262
+ "type": "keyword"
1263
+ },
1264
+ "logger": {
1265
+ "ignore_above": 1024,
1266
+ "type": "keyword"
1267
+ },
1268
+ "origin": {
1269
+ "properties": {
1270
+ "file": {
1271
+ "properties": {
1272
+ "line": {
1273
+ "type": "integer"
1274
+ },
1275
+ "name": {
1276
+ "ignore_above": 1024,
1277
+ "type": "keyword"
1278
+ }
1279
+ }
1280
+ },
1281
+ "function": {
1282
+ "ignore_above": 1024,
1283
+ "type": "keyword"
1284
+ }
1285
+ }
1286
+ },
1287
+ "original": {
1288
+ "doc_values": false,
1289
+ "ignore_above": 1024,
1290
+ "index": false,
1291
+ "type": "keyword"
1292
+ },
1293
+ "syslog": {
1294
+ "properties": {
1295
+ "facility": {
1296
+ "properties": {
1297
+ "code": {
1298
+ "type": "long"
1299
+ },
1300
+ "name": {
1301
+ "ignore_above": 1024,
1302
+ "type": "keyword"
1303
+ }
1304
+ }
1305
+ },
1306
+ "priority": {
1307
+ "type": "long"
1308
+ },
1309
+ "severity": {
1310
+ "properties": {
1311
+ "code": {
1312
+ "type": "long"
1313
+ },
1314
+ "name": {
1315
+ "ignore_above": 1024,
1316
+ "type": "keyword"
1317
+ }
1318
+ }
1319
+ }
1320
+ },
1321
+ "type": "object"
1322
+ }
1323
+ }
1324
+ },
1325
+ "message": {
1326
+ "norms": false,
1327
+ "type": "text"
1328
+ },
1329
+ "network": {
1330
+ "properties": {
1331
+ "application": {
1332
+ "ignore_above": 1024,
1333
+ "type": "keyword"
1334
+ },
1335
+ "bytes": {
1336
+ "type": "long"
1337
+ },
1338
+ "community_id": {
1339
+ "ignore_above": 1024,
1340
+ "type": "keyword"
1341
+ },
1342
+ "direction": {
1343
+ "ignore_above": 1024,
1344
+ "type": "keyword"
1345
+ },
1346
+ "forwarded_ip": {
1347
+ "type": "ip"
1348
+ },
1349
+ "iana_number": {
1350
+ "ignore_above": 1024,
1351
+ "type": "keyword"
1352
+ },
1353
+ "inner": {
1354
+ "properties": {
1355
+ "vlan": {
1356
+ "properties": {
1357
+ "id": {
1358
+ "ignore_above": 1024,
1359
+ "type": "keyword"
1360
+ },
1361
+ "name": {
1362
+ "ignore_above": 1024,
1363
+ "type": "keyword"
1364
+ }
1365
+ }
1366
+ }
1367
+ },
1368
+ "type": "object"
1369
+ },
1370
+ "name": {
1371
+ "ignore_above": 1024,
1372
+ "type": "keyword"
1373
+ },
1374
+ "packets": {
1375
+ "type": "long"
1376
+ },
1377
+ "protocol": {
1378
+ "ignore_above": 1024,
1379
+ "type": "keyword"
1380
+ },
1381
+ "transport": {
1382
+ "ignore_above": 1024,
1383
+ "type": "keyword"
1384
+ },
1385
+ "type": {
1386
+ "ignore_above": 1024,
1387
+ "type": "keyword"
1388
+ },
1389
+ "vlan": {
1390
+ "properties": {
1391
+ "id": {
1392
+ "ignore_above": 1024,
1393
+ "type": "keyword"
1394
+ },
1395
+ "name": {
1396
+ "ignore_above": 1024,
1397
+ "type": "keyword"
1398
+ }
1399
+ }
1400
+ }
1401
+ }
1402
+ },
1403
+ "observer": {
1404
+ "properties": {
1405
+ "egress": {
1406
+ "properties": {
1407
+ "interface": {
1408
+ "properties": {
1409
+ "alias": {
1410
+ "ignore_above": 1024,
1411
+ "type": "keyword"
1412
+ },
1413
+ "id": {
1414
+ "ignore_above": 1024,
1415
+ "type": "keyword"
1416
+ },
1417
+ "name": {
1418
+ "ignore_above": 1024,
1419
+ "type": "keyword"
1420
+ }
1421
+ }
1422
+ },
1423
+ "vlan": {
1424
+ "properties": {
1425
+ "id": {
1426
+ "ignore_above": 1024,
1427
+ "type": "keyword"
1428
+ },
1429
+ "name": {
1430
+ "ignore_above": 1024,
1431
+ "type": "keyword"
1432
+ }
1433
+ }
1434
+ },
1435
+ "zone": {
1436
+ "ignore_above": 1024,
1437
+ "type": "keyword"
1438
+ }
1439
+ },
1440
+ "type": "object"
1441
+ },
1442
+ "geo": {
1443
+ "properties": {
1444
+ "city_name": {
1445
+ "ignore_above": 1024,
1446
+ "type": "keyword"
1447
+ },
1448
+ "continent_name": {
1449
+ "ignore_above": 1024,
1450
+ "type": "keyword"
1451
+ },
1452
+ "country_iso_code": {
1453
+ "ignore_above": 1024,
1454
+ "type": "keyword"
1455
+ },
1456
+ "country_name": {
1457
+ "ignore_above": 1024,
1458
+ "type": "keyword"
1459
+ },
1460
+ "location": {
1461
+ "type": "geo_point"
1462
+ },
1463
+ "name": {
1464
+ "ignore_above": 1024,
1465
+ "type": "keyword"
1466
+ },
1467
+ "region_iso_code": {
1468
+ "ignore_above": 1024,
1469
+ "type": "keyword"
1470
+ },
1471
+ "region_name": {
1472
+ "ignore_above": 1024,
1473
+ "type": "keyword"
1474
+ }
1475
+ }
1476
+ },
1477
+ "hostname": {
1478
+ "ignore_above": 1024,
1479
+ "type": "keyword"
1480
+ },
1481
+ "ingress": {
1482
+ "properties": {
1483
+ "interface": {
1484
+ "properties": {
1485
+ "alias": {
1486
+ "ignore_above": 1024,
1487
+ "type": "keyword"
1488
+ },
1489
+ "id": {
1490
+ "ignore_above": 1024,
1491
+ "type": "keyword"
1492
+ },
1493
+ "name": {
1494
+ "ignore_above": 1024,
1495
+ "type": "keyword"
1496
+ }
1497
+ }
1498
+ },
1499
+ "vlan": {
1500
+ "properties": {
1501
+ "id": {
1502
+ "ignore_above": 1024,
1503
+ "type": "keyword"
1504
+ },
1505
+ "name": {
1506
+ "ignore_above": 1024,
1507
+ "type": "keyword"
1508
+ }
1509
+ }
1510
+ },
1511
+ "zone": {
1512
+ "ignore_above": 1024,
1513
+ "type": "keyword"
1514
+ }
1515
+ },
1516
+ "type": "object"
1517
+ },
1518
+ "ip": {
1519
+ "type": "ip"
1520
+ },
1521
+ "mac": {
1522
+ "ignore_above": 1024,
1523
+ "type": "keyword"
1524
+ },
1525
+ "name": {
1526
+ "ignore_above": 1024,
1527
+ "type": "keyword"
1528
+ },
1529
+ "os": {
1530
+ "properties": {
1531
+ "family": {
1532
+ "ignore_above": 1024,
1533
+ "type": "keyword"
1534
+ },
1535
+ "full": {
1536
+ "fields": {
1537
+ "text": {
1538
+ "norms": false,
1539
+ "type": "text"
1540
+ }
1541
+ },
1542
+ "ignore_above": 1024,
1543
+ "type": "keyword"
1544
+ },
1545
+ "kernel": {
1546
+ "ignore_above": 1024,
1547
+ "type": "keyword"
1548
+ },
1549
+ "name": {
1550
+ "fields": {
1551
+ "text": {
1552
+ "norms": false,
1553
+ "type": "text"
1554
+ }
1555
+ },
1556
+ "ignore_above": 1024,
1557
+ "type": "keyword"
1558
+ },
1559
+ "platform": {
1560
+ "ignore_above": 1024,
1561
+ "type": "keyword"
1562
+ },
1563
+ "version": {
1564
+ "ignore_above": 1024,
1565
+ "type": "keyword"
1566
+ }
1567
+ }
1568
+ },
1569
+ "product": {
1570
+ "ignore_above": 1024,
1571
+ "type": "keyword"
1572
+ },
1573
+ "serial_number": {
1574
+ "ignore_above": 1024,
1575
+ "type": "keyword"
1576
+ },
1577
+ "type": {
1578
+ "ignore_above": 1024,
1579
+ "type": "keyword"
1580
+ },
1581
+ "vendor": {
1582
+ "ignore_above": 1024,
1583
+ "type": "keyword"
1584
+ },
1585
+ "version": {
1586
+ "ignore_above": 1024,
1587
+ "type": "keyword"
1588
+ }
1589
+ }
1590
+ },
1591
+ "organization": {
1592
+ "properties": {
1593
+ "id": {
1594
+ "ignore_above": 1024,
1595
+ "type": "keyword"
1596
+ },
1597
+ "name": {
1598
+ "fields": {
1599
+ "text": {
1600
+ "norms": false,
1601
+ "type": "text"
1602
+ }
1603
+ },
1604
+ "ignore_above": 1024,
1605
+ "type": "keyword"
1606
+ }
1607
+ }
1608
+ },
1609
+ "os": {
1610
+ "properties": {
1611
+ "family": {
1612
+ "ignore_above": 1024,
1613
+ "type": "keyword"
1614
+ },
1615
+ "full": {
1616
+ "fields": {
1617
+ "text": {
1618
+ "norms": false,
1619
+ "type": "text"
1620
+ }
1621
+ },
1622
+ "ignore_above": 1024,
1623
+ "type": "keyword"
1624
+ },
1625
+ "kernel": {
1626
+ "ignore_above": 1024,
1627
+ "type": "keyword"
1628
+ },
1629
+ "name": {
1630
+ "fields": {
1631
+ "text": {
1632
+ "norms": false,
1633
+ "type": "text"
1634
+ }
1635
+ },
1636
+ "ignore_above": 1024,
1637
+ "type": "keyword"
1638
+ },
1639
+ "platform": {
1640
+ "ignore_above": 1024,
1641
+ "type": "keyword"
1642
+ },
1643
+ "version": {
1644
+ "ignore_above": 1024,
1645
+ "type": "keyword"
1646
+ }
1647
+ }
1648
+ },
1649
+ "package": {
1650
+ "properties": {
1651
+ "architecture": {
1652
+ "ignore_above": 1024,
1653
+ "type": "keyword"
1654
+ },
1655
+ "build_version": {
1656
+ "ignore_above": 1024,
1657
+ "type": "keyword"
1658
+ },
1659
+ "checksum": {
1660
+ "ignore_above": 1024,
1661
+ "type": "keyword"
1662
+ },
1663
+ "description": {
1664
+ "ignore_above": 1024,
1665
+ "type": "keyword"
1666
+ },
1667
+ "install_scope": {
1668
+ "ignore_above": 1024,
1669
+ "type": "keyword"
1670
+ },
1671
+ "installed": {
1672
+ "type": "date"
1673
+ },
1674
+ "license": {
1675
+ "ignore_above": 1024,
1676
+ "type": "keyword"
1677
+ },
1678
+ "name": {
1679
+ "ignore_above": 1024,
1680
+ "type": "keyword"
1681
+ },
1682
+ "path": {
1683
+ "ignore_above": 1024,
1684
+ "type": "keyword"
1685
+ },
1686
+ "reference": {
1687
+ "ignore_above": 1024,
1688
+ "type": "keyword"
1689
+ },
1690
+ "size": {
1691
+ "type": "long"
1692
+ },
1693
+ "type": {
1694
+ "ignore_above": 1024,
1695
+ "type": "keyword"
1696
+ },
1697
+ "version": {
1698
+ "ignore_above": 1024,
1699
+ "type": "keyword"
1700
+ }
1701
+ }
1702
+ },
1703
+ "pe": {
1704
+ "properties": {
1705
+ "company": {
1706
+ "ignore_above": 1024,
1707
+ "type": "keyword"
1708
+ },
1709
+ "description": {
1710
+ "ignore_above": 1024,
1711
+ "type": "keyword"
1712
+ },
1713
+ "file_version": {
1714
+ "ignore_above": 1024,
1715
+ "type": "keyword"
1716
+ },
1717
+ "original_file_name": {
1718
+ "ignore_above": 1024,
1719
+ "type": "keyword"
1720
+ },
1721
+ "product": {
1722
+ "ignore_above": 1024,
1723
+ "type": "keyword"
1724
+ }
1725
+ }
1726
+ },
1727
+ "process": {
1728
+ "properties": {
1729
+ "args": {
1730
+ "ignore_above": 1024,
1731
+ "type": "keyword"
1732
+ },
1733
+ "args_count": {
1734
+ "type": "long"
1735
+ },
1736
+ "code_signature": {
1737
+ "properties": {
1738
+ "exists": {
1739
+ "type": "boolean"
1740
+ },
1741
+ "status": {
1742
+ "ignore_above": 1024,
1743
+ "type": "keyword"
1744
+ },
1745
+ "subject_name": {
1746
+ "ignore_above": 1024,
1747
+ "type": "keyword"
1748
+ },
1749
+ "trusted": {
1750
+ "type": "boolean"
1751
+ },
1752
+ "valid": {
1753
+ "type": "boolean"
1754
+ }
1755
+ }
1756
+ },
1757
+ "command_line": {
1758
+ "fields": {
1759
+ "text": {
1760
+ "norms": false,
1761
+ "type": "text"
1762
+ }
1763
+ },
1764
+ "ignore_above": 1024,
1765
+ "type": "keyword"
1766
+ },
1767
+ "entity_id": {
1768
+ "ignore_above": 1024,
1769
+ "type": "keyword"
1770
+ },
1771
+ "executable": {
1772
+ "fields": {
1773
+ "text": {
1774
+ "norms": false,
1775
+ "type": "text"
1776
+ }
1777
+ },
1778
+ "ignore_above": 1024,
1779
+ "type": "keyword"
1780
+ },
1781
+ "exit_code": {
1782
+ "type": "long"
1783
+ },
1784
+ "hash": {
1785
+ "properties": {
1786
+ "md5": {
1787
+ "ignore_above": 1024,
1788
+ "type": "keyword"
1789
+ },
1790
+ "sha1": {
1791
+ "ignore_above": 1024,
1792
+ "type": "keyword"
1793
+ },
1794
+ "sha256": {
1795
+ "ignore_above": 1024,
1796
+ "type": "keyword"
1797
+ },
1798
+ "sha512": {
1799
+ "ignore_above": 1024,
1800
+ "type": "keyword"
1801
+ }
1802
+ }
1803
+ },
1804
+ "name": {
1805
+ "fields": {
1806
+ "text": {
1807
+ "norms": false,
1808
+ "type": "text"
1809
+ }
1810
+ },
1811
+ "ignore_above": 1024,
1812
+ "type": "keyword"
1813
+ },
1814
+ "parent": {
1815
+ "properties": {
1816
+ "args": {
1817
+ "ignore_above": 1024,
1818
+ "type": "keyword"
1819
+ },
1820
+ "args_count": {
1821
+ "type": "long"
1822
+ },
1823
+ "code_signature": {
1824
+ "properties": {
1825
+ "exists": {
1826
+ "type": "boolean"
1827
+ },
1828
+ "status": {
1829
+ "ignore_above": 1024,
1830
+ "type": "keyword"
1831
+ },
1832
+ "subject_name": {
1833
+ "ignore_above": 1024,
1834
+ "type": "keyword"
1835
+ },
1836
+ "trusted": {
1837
+ "type": "boolean"
1838
+ },
1839
+ "valid": {
1840
+ "type": "boolean"
1841
+ }
1842
+ }
1843
+ },
1844
+ "command_line": {
1845
+ "fields": {
1846
+ "text": {
1847
+ "norms": false,
1848
+ "type": "text"
1849
+ }
1850
+ },
1851
+ "ignore_above": 1024,
1852
+ "type": "keyword"
1853
+ },
1854
+ "entity_id": {
1855
+ "ignore_above": 1024,
1856
+ "type": "keyword"
1857
+ },
1858
+ "executable": {
1859
+ "fields": {
1860
+ "text": {
1861
+ "norms": false,
1862
+ "type": "text"
1863
+ }
1864
+ },
1865
+ "ignore_above": 1024,
1866
+ "type": "keyword"
1867
+ },
1868
+ "exit_code": {
1869
+ "type": "long"
1870
+ },
1871
+ "hash": {
1872
+ "properties": {
1873
+ "md5": {
1874
+ "ignore_above": 1024,
1875
+ "type": "keyword"
1876
+ },
1877
+ "sha1": {
1878
+ "ignore_above": 1024,
1879
+ "type": "keyword"
1880
+ },
1881
+ "sha256": {
1882
+ "ignore_above": 1024,
1883
+ "type": "keyword"
1884
+ },
1885
+ "sha512": {
1886
+ "ignore_above": 1024,
1887
+ "type": "keyword"
1888
+ }
1889
+ }
1890
+ },
1891
+ "name": {
1892
+ "fields": {
1893
+ "text": {
1894
+ "norms": false,
1895
+ "type": "text"
1896
+ }
1897
+ },
1898
+ "ignore_above": 1024,
1899
+ "type": "keyword"
1900
+ },
1901
+ "pgid": {
1902
+ "type": "long"
1903
+ },
1904
+ "pid": {
1905
+ "type": "long"
1906
+ },
1907
+ "ppid": {
1908
+ "type": "long"
1909
+ },
1910
+ "start": {
1911
+ "type": "date"
1912
+ },
1913
+ "thread": {
1914
+ "properties": {
1915
+ "id": {
1916
+ "type": "long"
1917
+ },
1918
+ "name": {
1919
+ "ignore_above": 1024,
1920
+ "type": "keyword"
1921
+ }
1922
+ }
1923
+ },
1924
+ "title": {
1925
+ "fields": {
1926
+ "text": {
1927
+ "norms": false,
1928
+ "type": "text"
1929
+ }
1930
+ },
1931
+ "ignore_above": 1024,
1932
+ "type": "keyword"
1933
+ },
1934
+ "uptime": {
1935
+ "type": "long"
1936
+ },
1937
+ "working_directory": {
1938
+ "fields": {
1939
+ "text": {
1940
+ "norms": false,
1941
+ "type": "text"
1942
+ }
1943
+ },
1944
+ "ignore_above": 1024,
1945
+ "type": "keyword"
1946
+ }
1947
+ }
1948
+ },
1949
+ "pe": {
1950
+ "properties": {
1951
+ "company": {
1952
+ "ignore_above": 1024,
1953
+ "type": "keyword"
1954
+ },
1955
+ "description": {
1956
+ "ignore_above": 1024,
1957
+ "type": "keyword"
1958
+ },
1959
+ "file_version": {
1960
+ "ignore_above": 1024,
1961
+ "type": "keyword"
1962
+ },
1963
+ "original_file_name": {
1964
+ "ignore_above": 1024,
1965
+ "type": "keyword"
1966
+ },
1967
+ "product": {
1968
+ "ignore_above": 1024,
1969
+ "type": "keyword"
1970
+ }
1971
+ }
1972
+ },
1973
+ "pgid": {
1974
+ "type": "long"
1975
+ },
1976
+ "pid": {
1977
+ "type": "long"
1978
+ },
1979
+ "ppid": {
1980
+ "type": "long"
1981
+ },
1982
+ "start": {
1983
+ "type": "date"
1984
+ },
1985
+ "thread": {
1986
+ "properties": {
1987
+ "id": {
1988
+ "type": "long"
1989
+ },
1990
+ "name": {
1991
+ "ignore_above": 1024,
1992
+ "type": "keyword"
1993
+ }
1994
+ }
1995
+ },
1996
+ "title": {
1997
+ "fields": {
1998
+ "text": {
1999
+ "norms": false,
2000
+ "type": "text"
2001
+ }
2002
+ },
2003
+ "ignore_above": 1024,
2004
+ "type": "keyword"
2005
+ },
2006
+ "uptime": {
2007
+ "type": "long"
2008
+ },
2009
+ "working_directory": {
2010
+ "fields": {
2011
+ "text": {
2012
+ "norms": false,
2013
+ "type": "text"
2014
+ }
2015
+ },
2016
+ "ignore_above": 1024,
2017
+ "type": "keyword"
2018
+ }
2019
+ }
2020
+ },
2021
+ "registry": {
2022
+ "properties": {
2023
+ "data": {
2024
+ "properties": {
2025
+ "bytes": {
2026
+ "ignore_above": 1024,
2027
+ "type": "keyword"
2028
+ },
2029
+ "strings": {
2030
+ "ignore_above": 1024,
2031
+ "type": "keyword"
2032
+ },
2033
+ "type": {
2034
+ "ignore_above": 1024,
2035
+ "type": "keyword"
2036
+ }
2037
+ }
2038
+ },
2039
+ "hive": {
2040
+ "ignore_above": 1024,
2041
+ "type": "keyword"
2042
+ },
2043
+ "key": {
2044
+ "ignore_above": 1024,
2045
+ "type": "keyword"
2046
+ },
2047
+ "path": {
2048
+ "ignore_above": 1024,
2049
+ "type": "keyword"
2050
+ },
2051
+ "value": {
2052
+ "ignore_above": 1024,
2053
+ "type": "keyword"
2054
+ }
2055
+ }
2056
+ },
2057
+ "related": {
2058
+ "properties": {
2059
+ "hash": {
2060
+ "ignore_above": 1024,
2061
+ "type": "keyword"
2062
+ },
2063
+ "ip": {
2064
+ "type": "ip"
2065
+ },
2066
+ "user": {
2067
+ "ignore_above": 1024,
2068
+ "type": "keyword"
2069
+ }
2070
+ }
2071
+ },
2072
+ "rule": {
2073
+ "properties": {
2074
+ "author": {
2075
+ "ignore_above": 1024,
2076
+ "type": "keyword"
2077
+ },
2078
+ "category": {
2079
+ "ignore_above": 1024,
2080
+ "type": "keyword"
2081
+ },
2082
+ "description": {
2083
+ "ignore_above": 1024,
2084
+ "type": "keyword"
2085
+ },
2086
+ "id": {
2087
+ "ignore_above": 1024,
2088
+ "type": "keyword"
2089
+ },
2090
+ "license": {
2091
+ "ignore_above": 1024,
2092
+ "type": "keyword"
2093
+ },
2094
+ "name": {
2095
+ "ignore_above": 1024,
2096
+ "type": "keyword"
2097
+ },
2098
+ "reference": {
2099
+ "ignore_above": 1024,
2100
+ "type": "keyword"
2101
+ },
2102
+ "ruleset": {
2103
+ "ignore_above": 1024,
2104
+ "type": "keyword"
2105
+ },
2106
+ "uuid": {
2107
+ "ignore_above": 1024,
2108
+ "type": "keyword"
2109
+ },
2110
+ "version": {
2111
+ "ignore_above": 1024,
2112
+ "type": "keyword"
2113
+ }
2114
+ }
2115
+ },
2116
+ "server": {
2117
+ "properties": {
2118
+ "address": {
2119
+ "ignore_above": 1024,
2120
+ "type": "keyword"
2121
+ },
2122
+ "as": {
2123
+ "properties": {
2124
+ "number": {
2125
+ "type": "long"
2126
+ },
2127
+ "organization": {
2128
+ "properties": {
2129
+ "name": {
2130
+ "fields": {
2131
+ "text": {
2132
+ "norms": false,
2133
+ "type": "text"
2134
+ }
2135
+ },
2136
+ "ignore_above": 1024,
2137
+ "type": "keyword"
2138
+ }
2139
+ }
2140
+ }
2141
+ }
2142
+ },
2143
+ "bytes": {
2144
+ "type": "long"
2145
+ },
2146
+ "domain": {
2147
+ "ignore_above": 1024,
2148
+ "type": "keyword"
2149
+ },
2150
+ "geo": {
2151
+ "properties": {
2152
+ "city_name": {
2153
+ "ignore_above": 1024,
2154
+ "type": "keyword"
2155
+ },
2156
+ "continent_name": {
2157
+ "ignore_above": 1024,
2158
+ "type": "keyword"
2159
+ },
2160
+ "country_iso_code": {
2161
+ "ignore_above": 1024,
2162
+ "type": "keyword"
2163
+ },
2164
+ "country_name": {
2165
+ "ignore_above": 1024,
2166
+ "type": "keyword"
2167
+ },
2168
+ "location": {
2169
+ "type": "geo_point"
2170
+ },
2171
+ "name": {
2172
+ "ignore_above": 1024,
2173
+ "type": "keyword"
2174
+ },
2175
+ "region_iso_code": {
2176
+ "ignore_above": 1024,
2177
+ "type": "keyword"
2178
+ },
2179
+ "region_name": {
2180
+ "ignore_above": 1024,
2181
+ "type": "keyword"
2182
+ }
2183
+ }
2184
+ },
2185
+ "ip": {
2186
+ "type": "ip"
2187
+ },
2188
+ "mac": {
2189
+ "ignore_above": 1024,
2190
+ "type": "keyword"
2191
+ },
2192
+ "nat": {
2193
+ "properties": {
2194
+ "ip": {
2195
+ "type": "ip"
2196
+ },
2197
+ "port": {
2198
+ "type": "long"
2199
+ }
2200
+ }
2201
+ },
2202
+ "packets": {
2203
+ "type": "long"
2204
+ },
2205
+ "port": {
2206
+ "type": "long"
2207
+ },
2208
+ "registered_domain": {
2209
+ "ignore_above": 1024,
2210
+ "type": "keyword"
2211
+ },
2212
+ "top_level_domain": {
2213
+ "ignore_above": 1024,
2214
+ "type": "keyword"
2215
+ },
2216
+ "user": {
2217
+ "properties": {
2218
+ "domain": {
2219
+ "ignore_above": 1024,
2220
+ "type": "keyword"
2221
+ },
2222
+ "email": {
2223
+ "ignore_above": 1024,
2224
+ "type": "keyword"
2225
+ },
2226
+ "full_name": {
2227
+ "fields": {
2228
+ "text": {
2229
+ "norms": false,
2230
+ "type": "text"
2231
+ }
2232
+ },
2233
+ "ignore_above": 1024,
2234
+ "type": "keyword"
2235
+ },
2236
+ "group": {
2237
+ "properties": {
2238
+ "domain": {
2239
+ "ignore_above": 1024,
2240
+ "type": "keyword"
2241
+ },
2242
+ "id": {
2243
+ "ignore_above": 1024,
2244
+ "type": "keyword"
2245
+ },
2246
+ "name": {
2247
+ "ignore_above": 1024,
2248
+ "type": "keyword"
2249
+ }
2250
+ }
2251
+ },
2252
+ "hash": {
2253
+ "ignore_above": 1024,
2254
+ "type": "keyword"
2255
+ },
2256
+ "id": {
2257
+ "ignore_above": 1024,
2258
+ "type": "keyword"
2259
+ },
2260
+ "name": {
2261
+ "fields": {
2262
+ "text": {
2263
+ "norms": false,
2264
+ "type": "text"
2265
+ }
2266
+ },
2267
+ "ignore_above": 1024,
2268
+ "type": "keyword"
2269
+ }
2270
+ }
2271
+ }
2272
+ }
2273
+ },
2274
+ "service": {
2275
+ "properties": {
2276
+ "ephemeral_id": {
2277
+ "ignore_above": 1024,
2278
+ "type": "keyword"
2279
+ },
2280
+ "id": {
2281
+ "ignore_above": 1024,
2282
+ "type": "keyword"
2283
+ },
2284
+ "name": {
2285
+ "ignore_above": 1024,
2286
+ "type": "keyword"
2287
+ },
2288
+ "node": {
2289
+ "properties": {
2290
+ "name": {
2291
+ "ignore_above": 1024,
2292
+ "type": "keyword"
2293
+ }
2294
+ }
2295
+ },
2296
+ "state": {
2297
+ "ignore_above": 1024,
2298
+ "type": "keyword"
2299
+ },
2300
+ "type": {
2301
+ "ignore_above": 1024,
2302
+ "type": "keyword"
2303
+ },
2304
+ "version": {
2305
+ "ignore_above": 1024,
2306
+ "type": "keyword"
2307
+ }
2308
+ }
2309
+ },
2310
+ "source": {
2311
+ "properties": {
2312
+ "address": {
2313
+ "ignore_above": 1024,
2314
+ "type": "keyword"
2315
+ },
2316
+ "as": {
2317
+ "properties": {
2318
+ "number": {
2319
+ "type": "long"
2320
+ },
2321
+ "organization": {
2322
+ "properties": {
2323
+ "name": {
2324
+ "fields": {
2325
+ "text": {
2326
+ "norms": false,
2327
+ "type": "text"
2328
+ }
2329
+ },
2330
+ "ignore_above": 1024,
2331
+ "type": "keyword"
2332
+ }
2333
+ }
2334
+ }
2335
+ }
2336
+ },
2337
+ "bytes": {
2338
+ "type": "long"
2339
+ },
2340
+ "domain": {
2341
+ "ignore_above": 1024,
2342
+ "type": "keyword"
2343
+ },
2344
+ "geo": {
2345
+ "properties": {
2346
+ "city_name": {
2347
+ "ignore_above": 1024,
2348
+ "type": "keyword"
2349
+ },
2350
+ "continent_name": {
2351
+ "ignore_above": 1024,
2352
+ "type": "keyword"
2353
+ },
2354
+ "country_iso_code": {
2355
+ "ignore_above": 1024,
2356
+ "type": "keyword"
2357
+ },
2358
+ "country_name": {
2359
+ "ignore_above": 1024,
2360
+ "type": "keyword"
2361
+ },
2362
+ "location": {
2363
+ "type": "geo_point"
2364
+ },
2365
+ "name": {
2366
+ "ignore_above": 1024,
2367
+ "type": "keyword"
2368
+ },
2369
+ "region_iso_code": {
2370
+ "ignore_above": 1024,
2371
+ "type": "keyword"
2372
+ },
2373
+ "region_name": {
2374
+ "ignore_above": 1024,
2375
+ "type": "keyword"
2376
+ }
2377
+ }
2378
+ },
2379
+ "ip": {
2380
+ "type": "ip"
2381
+ },
2382
+ "mac": {
2383
+ "ignore_above": 1024,
2384
+ "type": "keyword"
2385
+ },
2386
+ "nat": {
2387
+ "properties": {
2388
+ "ip": {
2389
+ "type": "ip"
2390
+ },
2391
+ "port": {
2392
+ "type": "long"
2393
+ }
2394
+ }
2395
+ },
2396
+ "packets": {
2397
+ "type": "long"
2398
+ },
2399
+ "port": {
2400
+ "type": "long"
2401
+ },
2402
+ "registered_domain": {
2403
+ "ignore_above": 1024,
2404
+ "type": "keyword"
2405
+ },
2406
+ "top_level_domain": {
2407
+ "ignore_above": 1024,
2408
+ "type": "keyword"
2409
+ },
2410
+ "user": {
2411
+ "properties": {
2412
+ "domain": {
2413
+ "ignore_above": 1024,
2414
+ "type": "keyword"
2415
+ },
2416
+ "email": {
2417
+ "ignore_above": 1024,
2418
+ "type": "keyword"
2419
+ },
2420
+ "full_name": {
2421
+ "fields": {
2422
+ "text": {
2423
+ "norms": false,
2424
+ "type": "text"
2425
+ }
2426
+ },
2427
+ "ignore_above": 1024,
2428
+ "type": "keyword"
2429
+ },
2430
+ "group": {
2431
+ "properties": {
2432
+ "domain": {
2433
+ "ignore_above": 1024,
2434
+ "type": "keyword"
2435
+ },
2436
+ "id": {
2437
+ "ignore_above": 1024,
2438
+ "type": "keyword"
2439
+ },
2440
+ "name": {
2441
+ "ignore_above": 1024,
2442
+ "type": "keyword"
2443
+ }
2444
+ }
2445
+ },
2446
+ "hash": {
2447
+ "ignore_above": 1024,
2448
+ "type": "keyword"
2449
+ },
2450
+ "id": {
2451
+ "ignore_above": 1024,
2452
+ "type": "keyword"
2453
+ },
2454
+ "name": {
2455
+ "fields": {
2456
+ "text": {
2457
+ "norms": false,
2458
+ "type": "text"
2459
+ }
2460
+ },
2461
+ "ignore_above": 1024,
2462
+ "type": "keyword"
2463
+ }
2464
+ }
2465
+ }
2466
+ }
2467
+ },
2468
+ "tags": {
2469
+ "ignore_above": 1024,
2470
+ "type": "keyword"
2471
+ },
2472
+ "threat": {
2473
+ "properties": {
2474
+ "framework": {
2475
+ "ignore_above": 1024,
2476
+ "type": "keyword"
2477
+ },
2478
+ "tactic": {
2479
+ "properties": {
2480
+ "id": {
2481
+ "ignore_above": 1024,
2482
+ "type": "keyword"
2483
+ },
2484
+ "name": {
2485
+ "ignore_above": 1024,
2486
+ "type": "keyword"
2487
+ },
2488
+ "reference": {
2489
+ "ignore_above": 1024,
2490
+ "type": "keyword"
2491
+ }
2492
+ }
2493
+ },
2494
+ "technique": {
2495
+ "properties": {
2496
+ "id": {
2497
+ "ignore_above": 1024,
2498
+ "type": "keyword"
2499
+ },
2500
+ "name": {
2501
+ "fields": {
2502
+ "text": {
2503
+ "norms": false,
2504
+ "type": "text"
2505
+ }
2506
+ },
2507
+ "ignore_above": 1024,
2508
+ "type": "keyword"
2509
+ },
2510
+ "reference": {
2511
+ "ignore_above": 1024,
2512
+ "type": "keyword"
2513
+ }
2514
+ }
2515
+ }
2516
+ }
2517
+ },
2518
+ "tls": {
2519
+ "properties": {
2520
+ "cipher": {
2521
+ "ignore_above": 1024,
2522
+ "type": "keyword"
2523
+ },
2524
+ "client": {
2525
+ "properties": {
2526
+ "certificate": {
2527
+ "ignore_above": 1024,
2528
+ "type": "keyword"
2529
+ },
2530
+ "certificate_chain": {
2531
+ "ignore_above": 1024,
2532
+ "type": "keyword"
2533
+ },
2534
+ "hash": {
2535
+ "properties": {
2536
+ "md5": {
2537
+ "ignore_above": 1024,
2538
+ "type": "keyword"
2539
+ },
2540
+ "sha1": {
2541
+ "ignore_above": 1024,
2542
+ "type": "keyword"
2543
+ },
2544
+ "sha256": {
2545
+ "ignore_above": 1024,
2546
+ "type": "keyword"
2547
+ }
2548
+ }
2549
+ },
2550
+ "issuer": {
2551
+ "ignore_above": 1024,
2552
+ "type": "keyword"
2553
+ },
2554
+ "ja3": {
2555
+ "ignore_above": 1024,
2556
+ "type": "keyword"
2557
+ },
2558
+ "not_after": {
2559
+ "type": "date"
2560
+ },
2561
+ "not_before": {
2562
+ "type": "date"
2563
+ },
2564
+ "server_name": {
2565
+ "ignore_above": 1024,
2566
+ "type": "keyword"
2567
+ },
2568
+ "subject": {
2569
+ "ignore_above": 1024,
2570
+ "type": "keyword"
2571
+ },
2572
+ "supported_ciphers": {
2573
+ "ignore_above": 1024,
2574
+ "type": "keyword"
2575
+ }
2576
+ }
2577
+ },
2578
+ "curve": {
2579
+ "ignore_above": 1024,
2580
+ "type": "keyword"
2581
+ },
2582
+ "established": {
2583
+ "type": "boolean"
2584
+ },
2585
+ "next_protocol": {
2586
+ "ignore_above": 1024,
2587
+ "type": "keyword"
2588
+ },
2589
+ "resumed": {
2590
+ "type": "boolean"
2591
+ },
2592
+ "server": {
2593
+ "properties": {
2594
+ "certificate": {
2595
+ "ignore_above": 1024,
2596
+ "type": "keyword"
2597
+ },
2598
+ "certificate_chain": {
2599
+ "ignore_above": 1024,
2600
+ "type": "keyword"
2601
+ },
2602
+ "hash": {
2603
+ "properties": {
2604
+ "md5": {
2605
+ "ignore_above": 1024,
2606
+ "type": "keyword"
2607
+ },
2608
+ "sha1": {
2609
+ "ignore_above": 1024,
2610
+ "type": "keyword"
2611
+ },
2612
+ "sha256": {
2613
+ "ignore_above": 1024,
2614
+ "type": "keyword"
2615
+ }
2616
+ }
2617
+ },
2618
+ "issuer": {
2619
+ "ignore_above": 1024,
2620
+ "type": "keyword"
2621
+ },
2622
+ "ja3s": {
2623
+ "ignore_above": 1024,
2624
+ "type": "keyword"
2625
+ },
2626
+ "not_after": {
2627
+ "type": "date"
2628
+ },
2629
+ "not_before": {
2630
+ "type": "date"
2631
+ },
2632
+ "subject": {
2633
+ "ignore_above": 1024,
2634
+ "type": "keyword"
2635
+ }
2636
+ }
2637
+ },
2638
+ "version": {
2639
+ "ignore_above": 1024,
2640
+ "type": "keyword"
2641
+ },
2642
+ "version_protocol": {
2643
+ "ignore_above": 1024,
2644
+ "type": "keyword"
2645
+ }
2646
+ }
2647
+ },
2648
+ "trace": {
2649
+ "properties": {
2650
+ "id": {
2651
+ "ignore_above": 1024,
2652
+ "type": "keyword"
2653
+ }
2654
+ }
2655
+ },
2656
+ "transaction": {
2657
+ "properties": {
2658
+ "id": {
2659
+ "ignore_above": 1024,
2660
+ "type": "keyword"
2661
+ }
2662
+ }
2663
+ },
2664
+ "url": {
2665
+ "properties": {
2666
+ "domain": {
2667
+ "ignore_above": 1024,
2668
+ "type": "keyword"
2669
+ },
2670
+ "extension": {
2671
+ "ignore_above": 1024,
2672
+ "type": "keyword"
2673
+ },
2674
+ "fragment": {
2675
+ "ignore_above": 1024,
2676
+ "type": "keyword"
2677
+ },
2678
+ "full": {
2679
+ "fields": {
2680
+ "text": {
2681
+ "norms": false,
2682
+ "type": "text"
2683
+ }
2684
+ },
2685
+ "ignore_above": 1024,
2686
+ "type": "keyword"
2687
+ },
2688
+ "original": {
2689
+ "fields": {
2690
+ "text": {
2691
+ "norms": false,
2692
+ "type": "text"
2693
+ }
2694
+ },
2695
+ "ignore_above": 1024,
2696
+ "type": "keyword"
2697
+ },
2698
+ "password": {
2699
+ "ignore_above": 1024,
2700
+ "type": "keyword"
2701
+ },
2702
+ "path": {
2703
+ "ignore_above": 1024,
2704
+ "type": "keyword"
2705
+ },
2706
+ "port": {
2707
+ "type": "long"
2708
+ },
2709
+ "query": {
2710
+ "ignore_above": 1024,
2711
+ "type": "keyword"
2712
+ },
2713
+ "registered_domain": {
2714
+ "ignore_above": 1024,
2715
+ "type": "keyword"
2716
+ },
2717
+ "scheme": {
2718
+ "ignore_above": 1024,
2719
+ "type": "keyword"
2720
+ },
2721
+ "top_level_domain": {
2722
+ "ignore_above": 1024,
2723
+ "type": "keyword"
2724
+ },
2725
+ "username": {
2726
+ "ignore_above": 1024,
2727
+ "type": "keyword"
2728
+ }
2729
+ }
2730
+ },
2731
+ "user": {
2732
+ "properties": {
2733
+ "domain": {
2734
+ "ignore_above": 1024,
2735
+ "type": "keyword"
2736
+ },
2737
+ "email": {
2738
+ "ignore_above": 1024,
2739
+ "type": "keyword"
2740
+ },
2741
+ "full_name": {
2742
+ "fields": {
2743
+ "text": {
2744
+ "norms": false,
2745
+ "type": "text"
2746
+ }
2747
+ },
2748
+ "ignore_above": 1024,
2749
+ "type": "keyword"
2750
+ },
2751
+ "group": {
2752
+ "properties": {
2753
+ "domain": {
2754
+ "ignore_above": 1024,
2755
+ "type": "keyword"
2756
+ },
2757
+ "id": {
2758
+ "ignore_above": 1024,
2759
+ "type": "keyword"
2760
+ },
2761
+ "name": {
2762
+ "ignore_above": 1024,
2763
+ "type": "keyword"
2764
+ }
2765
+ }
2766
+ },
2767
+ "hash": {
2768
+ "ignore_above": 1024,
2769
+ "type": "keyword"
2770
+ },
2771
+ "id": {
2772
+ "ignore_above": 1024,
2773
+ "type": "keyword"
2774
+ },
2775
+ "name": {
2776
+ "fields": {
2777
+ "text": {
2778
+ "norms": false,
2779
+ "type": "text"
2780
+ }
2781
+ },
2782
+ "ignore_above": 1024,
2783
+ "type": "keyword"
2784
+ }
2785
+ }
2786
+ },
2787
+ "user_agent": {
2788
+ "properties": {
2789
+ "device": {
2790
+ "properties": {
2791
+ "name": {
2792
+ "ignore_above": 1024,
2793
+ "type": "keyword"
2794
+ }
2795
+ }
2796
+ },
2797
+ "name": {
2798
+ "ignore_above": 1024,
2799
+ "type": "keyword"
2800
+ },
2801
+ "original": {
2802
+ "fields": {
2803
+ "text": {
2804
+ "norms": false,
2805
+ "type": "text"
2806
+ }
2807
+ },
2808
+ "ignore_above": 1024,
2809
+ "type": "keyword"
2810
+ },
2811
+ "os": {
2812
+ "properties": {
2813
+ "family": {
2814
+ "ignore_above": 1024,
2815
+ "type": "keyword"
2816
+ },
2817
+ "full": {
2818
+ "fields": {
2819
+ "text": {
2820
+ "norms": false,
2821
+ "type": "text"
2822
+ }
2823
+ },
2824
+ "ignore_above": 1024,
2825
+ "type": "keyword"
2826
+ },
2827
+ "kernel": {
2828
+ "ignore_above": 1024,
2829
+ "type": "keyword"
2830
+ },
2831
+ "name": {
2832
+ "fields": {
2833
+ "text": {
2834
+ "norms": false,
2835
+ "type": "text"
2836
+ }
2837
+ },
2838
+ "ignore_above": 1024,
2839
+ "type": "keyword"
2840
+ },
2841
+ "platform": {
2842
+ "ignore_above": 1024,
2843
+ "type": "keyword"
2844
+ },
2845
+ "version": {
2846
+ "ignore_above": 1024,
2847
+ "type": "keyword"
2848
+ }
2849
+ }
2850
+ },
2851
+ "version": {
2852
+ "ignore_above": 1024,
2853
+ "type": "keyword"
2854
+ }
2855
+ }
2856
+ },
2857
+ "vlan": {
2858
+ "properties": {
2859
+ "id": {
2860
+ "ignore_above": 1024,
2861
+ "type": "keyword"
2862
+ },
2863
+ "name": {
2864
+ "ignore_above": 1024,
2865
+ "type": "keyword"
2866
+ }
2867
+ }
2868
+ },
2869
+ "vulnerability": {
2870
+ "properties": {
2871
+ "category": {
2872
+ "ignore_above": 1024,
2873
+ "type": "keyword"
2874
+ },
2875
+ "classification": {
2876
+ "ignore_above": 1024,
2877
+ "type": "keyword"
2878
+ },
2879
+ "description": {
2880
+ "fields": {
2881
+ "text": {
2882
+ "norms": false,
2883
+ "type": "text"
2884
+ }
2885
+ },
2886
+ "ignore_above": 1024,
2887
+ "type": "keyword"
2888
+ },
2889
+ "enumeration": {
2890
+ "ignore_above": 1024,
2891
+ "type": "keyword"
2892
+ },
2893
+ "id": {
2894
+ "ignore_above": 1024,
2895
+ "type": "keyword"
2896
+ },
2897
+ "reference": {
2898
+ "ignore_above": 1024,
2899
+ "type": "keyword"
2900
+ },
2901
+ "report_id": {
2902
+ "ignore_above": 1024,
2903
+ "type": "keyword"
2904
+ },
2905
+ "scanner": {
2906
+ "properties": {
2907
+ "vendor": {
2908
+ "ignore_above": 1024,
2909
+ "type": "keyword"
2910
+ }
2911
+ }
2912
+ },
2913
+ "score": {
2914
+ "properties": {
2915
+ "base": {
2916
+ "type": "float"
2917
+ },
2918
+ "environmental": {
2919
+ "type": "float"
2920
+ },
2921
+ "temporal": {
2922
+ "type": "float"
2923
+ },
2924
+ "version": {
2925
+ "ignore_above": 1024,
2926
+ "type": "keyword"
2927
+ }
2928
+ }
2929
+ },
2930
+ "severity": {
2931
+ "ignore_above": 1024,
2932
+ "type": "keyword"
2933
+ }
2934
+ }
2935
+ }
2936
+ }
2937
+ }
2938
+ },
2939
+ "order": 1,
2940
+ "settings": {
2941
+ "index": {
2942
+ "mapping": {
2943
+ "total_fields": {
2944
+ "limit": 10000
2945
+ }
2946
+ },
2947
+ "refresh_interval": "5s"
2948
+ }
2949
+ }
2950
+ }