logtastic 0.1.0

@@ -0,0 +1,7 @@
1
+ ---
2
+ SHA256:
3
+ metadata.gz: a20eafb52d8dd2016a358b2a79bd55629f8d675f791ae192fab2f5ab276417d0
4
+ data.tar.gz: 7ba90f6aa4ad4956adf0c2961ce9f25760c564220436183624248ea6c460f737
5
+ SHA512:
6
+ metadata.gz: ddc3c3136d3512f216369d90041042e33c710e72f99b4723aa9ee1d231627ec4e22eb61fbfe89b1133ed37e31f940d775ab8f6e0922daebbd999a3554600c974
7
+ data.tar.gz: 38e65671087110d62df990d06cf89b222e5ed117342a8fabc651d0c2580be66dabc4f71b963e0f1033b3b3e659158d9261301e3329dae2f0d81b6143fd1e0708
@@ -0,0 +1,10 @@
1
+ /.bundle/
2
+ /.yardoc
3
+ /_yardoc/
4
+ /coverage/
5
+ /doc/
6
+ /pkg/
7
+ /spec/reports/
8
+ /tmp/
9
+ /.byebug_history
10
+ /.ruby-version
@@ -0,0 +1,74 @@
1
+ # Contributor Covenant Code of Conduct
2
+
3
+ ## Our Pledge
4
+
5
+ In the interest of fostering an open and welcoming environment, we as
6
+ contributors and maintainers pledge to making participation in our project and
7
+ our community a harassment-free experience for everyone, regardless of age, body
8
+ size, disability, ethnicity, gender identity and expression, level of experience,
9
+ nationality, personal appearance, race, religion, or sexual identity and
10
+ orientation.
11
+
12
+ ## Our Standards
13
+
14
+ Examples of behavior that contributes to creating a positive environment
15
+ include:
16
+
17
+ * Using welcoming and inclusive language
18
+ * Being respectful of differing viewpoints and experiences
19
+ * Gracefully accepting constructive criticism
20
+ * Focusing on what is best for the community
21
+ * Showing empathy towards other community members
22
+
23
+ Examples of unacceptable behavior by participants include:
24
+
25
+ * The use of sexualized language or imagery and unwelcome sexual attention or
26
+ advances
27
+ * Trolling, insulting/derogatory comments, and personal or political attacks
28
+ * Public or private harassment
29
+ * Publishing others' private information, such as a physical or electronic
30
+ address, without explicit permission
31
+ * Other conduct which could reasonably be considered inappropriate in a
32
+ professional setting
33
+
34
+ ## Our Responsibilities
35
+
36
+ Project maintainers are responsible for clarifying the standards of acceptable
37
+ behavior and are expected to take appropriate and fair corrective action in
38
+ response to any instances of unacceptable behavior.
39
+
40
+ Project maintainers have the right and responsibility to remove, edit, or
41
+ reject comments, commits, code, wiki edits, issues, and other contributions
42
+ that are not aligned to this Code of Conduct, or to ban temporarily or
43
+ permanently any contributor for other behaviors that they deem inappropriate,
44
+ threatening, offensive, or harmful.
45
+
46
+ ## Scope
47
+
48
+ This Code of Conduct applies both within project spaces and in public spaces
49
+ when an individual is representing the project or its community. Examples of
50
+ representing a project or community include using an official project e-mail
51
+ address, posting via an official social media account, or acting as an appointed
52
+ representative at an online or offline event. Representation of a project may be
53
+ further defined and clarified by project maintainers.
54
+
55
+ ## Enforcement
56
+
57
+ Instances of abusive, harassing, or otherwise unacceptable behavior may be
58
+ reported by contacting the project team at toyorhan@gmail.com. All
59
+ complaints will be reviewed and investigated and will result in a response that
60
+ is deemed necessary and appropriate to the circumstances. The project team is
61
+ obligated to maintain confidentiality with regard to the reporter of an incident.
62
+ Further details of specific enforcement policies may be posted separately.
63
+
64
+ Project maintainers who do not follow or enforce the Code of Conduct in good
65
+ faith may face temporary or permanent repercussions as determined by other
66
+ members of the project's leadership.
67
+
68
+ ## Attribution
69
+
70
+ This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
71
+ available at [https://contributor-covenant.org/version/1/4][version]
72
+
73
+ [homepage]: https://contributor-covenant.org
74
+ [version]: https://contributor-covenant.org/version/1/4/
data/Gemfile ADDED
@@ -0,0 +1,7 @@
1
+ source "https://rubygems.org"
2
+
3
+ # Specify your gem's dependencies in logtastic.gemspec
4
+ gemspec
5
+
6
+ gem "rake", "~> 12.0"
7
+ gem "minitest", "~> 5.0"
@@ -0,0 +1,41 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ logtastic (0.1.0)
5
+ concurrent-ruby
6
+ elasticsearch
7
+ elasticsearch-xpack
8
+
9
+ GEM
10
+ remote: https://rubygems.org/
11
+ specs:
12
+ byebug (11.1.3)
13
+ concurrent-ruby (1.1.7)
14
+ elasticsearch (7.8.1)
15
+ elasticsearch-api (= 7.8.1)
16
+ elasticsearch-transport (= 7.8.1)
17
+ elasticsearch-api (7.8.1)
18
+ multi_json
19
+ elasticsearch-transport (7.8.1)
20
+ faraday (~> 1)
21
+ multi_json
22
+ elasticsearch-xpack (7.8.1)
23
+ elasticsearch-api (>= 6)
24
+ faraday (1.0.1)
25
+ multipart-post (>= 1.2, < 3)
26
+ minitest (5.14.1)
27
+ multi_json (1.15.0)
28
+ multipart-post (2.1.1)
29
+ rake (12.3.3)
30
+
31
+ PLATFORMS
32
+ ruby
33
+
34
+ DEPENDENCIES
35
+ byebug
36
+ logtastic!
37
+ minitest (~> 5.0)
38
+ rake (~> 12.0)
39
+
40
+ BUNDLED WITH
41
+ 2.1.4
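Review bot: the PATH section shows `logtastic (0.1.0)` declaring `concurrent-ruby`, `elasticsearch` and `elasticsearch-xpack` with no version constraint at all, so a downstream `bundle update` that resolves a future major release (the `elasticsearch` client changed its API in 8.x) is accepted silently; suggest pessimistic constraints in the gemspec (for example `~> 7.8` for `elasticsearch` and `~> 1.1` for `concurrent-ruby`) so that the lock's `elasticsearch (7.8.1)` reflects an intended range rather than whatever was current at resolution time. Also, `elasticsearch-xpack` is a runtime dependency, but nothing in the visible changes calls an X-Pack API; if it is only needed for a template-install path, say so in a comment, otherwise drop it to shrink the dependency surface.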
@@ -0,0 +1,10 @@
1
+ require "bundler/gem_tasks"
2
+ require "rake/testtask"
3
+
4
+ Rake::TestTask.new(:test) do |t|
5
+ t.libs << "test"
6
+ t.libs << "lib"
7
+ t.test_files = FileList["test/**/*_test.rb"]
8
+ end
9
+
10
+ task :default => :test
@@ -0,0 +1,14 @@
1
+ #!/usr/bin/env ruby
2
+
3
+ require "bundler/setup"
4
+ require "logtastic"
5
+
6
+ # You can add fixtures and/or initialization code here to make experimenting
7
+ # with your gem easier. You can also use a different console, if you like.
8
+
9
+ # (If you use this, don't forget to add pry to your Gemfile!)
10
+ # require "pry"
11
+ # Pry.start
12
+
13
+ require "irb"
14
+ IRB.start(__FILE__)
@@ -0,0 +1,8 @@
1
+ #!/usr/bin/env bash
2
+ set -euo pipefail
3
+ IFS=$'\n\t'
4
+ set -vx
5
+
6
+ bundle install
7
+
8
+ # Do any other automated setup that you need to do here
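Review bot: `set -vx` on line 4 echoes every command and its expansions to stderr for the whole script; this is Bundler's generated template and harmless as shipped, but if a private gem-source token or an Elasticsearch URL with embedded basic-auth credentials is ever exported here ahead of `bundle install`, the value lands verbatim in CI logs. Consider dropping `-v`, or wrapping any step that touches secrets in `set +x` / `set -x`.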
@@ -0,0 +1,71 @@
1
+ # frozen_string_literal: true
2
+
3
+ require "logtastic/version"
4
+ require "logtastic/ecs"
5
+ require "elasticsearch"
6
+ require "elasticsearch/xpack"
7
+ require "concurrent/array"
8
+ require "concurrent/timer_task"
9
+
10
+ module Logtastic
11
+ @elasticsearch = {}
12
+ @events = Concurrent::Array.new
13
+ @watching = Concurrent::AtomicBoolean.new(false)
14
+
15
+ TIMER_EXECUTION_INTERVAL = 3 # seconds
16
+ MAX_SLICE_EVENTS = 100
17
+
18
+ class << self
19
+ def elasticsearch(output, options: nil, client: nil)
20
+ if options || client
21
+ @elasticsearch[output] = client || Elasticsearch::Client.new(options)
22
+ else
23
+ @elasticsearch.fetch(output)
24
+ end
25
+ end
26
+
27
+ def ecs(output = :default, **args)
28
+ if output == :default && !@elasticsearch.key?(output)
29
+ elasticsearch(output, client: Elasticsearch::Client.new)
30
+ else
31
+ elasticsearch(output)
32
+ end
33
+
34
+ ECS.new(**args, output: output)
35
+ end
36
+
37
+ def client(output = :default)
38
+ @elasticsearch.fetch(output)
39
+ end
40
+
41
+ def write(output, index:, body:)
42
+ @events << { output: output, index: index, body: body }
43
+ watch
44
+ end
45
+
46
+ def watch(execution_interval: TIMER_EXECUTION_INTERVAL)
47
+ return unless @watching.make_true
48
+
49
+ Concurrent::TimerTask.execute(execution_interval: execution_interval, run_now: true) do
50
+ bulk_index
51
+ end
52
+ end
53
+
54
+ def bulk_index(limit = MAX_SLICE_EVENTS)
55
+ events = @events.slice!(0, limit)
56
+ grouped_events = events.group_by { |event| event.fetch(:output) }
57
+ grouped_events.each do |output, group_events|
58
+ bulk_body = group_events.map do |event|
59
+ {
60
+ index: {
61
+ _index: event.fetch(:index),
62
+ data: event.fetch(:body)
63
+ }
64
+ }
65
+ end
66
+
67
+ client(output).bulk(body: bulk_body)
68
+ end
69
+ end
70
+ end
71
+ end
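Review bot: in `bulk_index`, events are removed from `@events` with `slice!` before the bulk request is sent, and neither a raised exception nor an `errors: true` bulk response is handled, so on a transient Elasticsearch failure (connection refused, 429 rejections, a mapping conflict on one document) the whole batch is silently dropped; for a log shipper that is an audit-integrity gap, since the exception surfaces only on the timer thread and never to the caller of `write`. Suggest inspecting the response and re-queuing or at least logging failed items, e.g. `response = client(output).bulk(body: bulk_body)` followed by `raise "bulk returned item errors" if response["errors"]`, with a `rescue` that pushes the slice back onto `@events`. Two smaller points in the same hunk: `@events` is unbounded while the drain rate is capped at `MAX_SLICE_EVENTS` per `TIMER_EXECUTION_INTERVAL` (100 events every 3 s), so a burst or an outage grows memory without limit; and the `Concurrent::TimerTask` returned by `execute` is discarded and there is no `at_exit` flush, so up to one interval's worth of events is lost at process exit. Finally, `Concurrent::AtomicBoolean` is used with only `concurrent/array` and `concurrent/timer_task` required, relying on the latter to load it transitively; an explicit `require "concurrent/atomic/atomic_boolean"` makes that dependency visible.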
@@ -0,0 +1,2948 @@
1
+ {
2
+ "index_patterns": [
3
+ "ecs-*"
4
+ ],
5
+ "mappings": {
6
+ "_meta": {
7
+ "version": "1.5.0"
8
+ },
9
+ "date_detection": false,
10
+ "dynamic_templates": [
11
+ {
12
+ "strings_as_keyword": {
13
+ "mapping": {
14
+ "ignore_above": 1024,
15
+ "type": "keyword"
16
+ },
17
+ "match_mapping_type": "string"
18
+ }
19
+ }
20
+ ],
21
+ "properties": {
22
+ "@timestamp": {
23
+ "type": "date"
24
+ },
25
+ "agent": {
26
+ "properties": {
27
+ "ephemeral_id": {
28
+ "ignore_above": 1024,
29
+ "type": "keyword"
30
+ },
31
+ "id": {
32
+ "ignore_above": 1024,
33
+ "type": "keyword"
34
+ },
35
+ "name": {
36
+ "ignore_above": 1024,
37
+ "type": "keyword"
38
+ },
39
+ "type": {
40
+ "ignore_above": 1024,
41
+ "type": "keyword"
42
+ },
43
+ "version": {
44
+ "ignore_above": 1024,
45
+ "type": "keyword"
46
+ }
47
+ }
48
+ },
49
+ "as": {
50
+ "properties": {
51
+ "number": {
52
+ "type": "long"
53
+ },
54
+ "organization": {
55
+ "properties": {
56
+ "name": {
57
+ "fields": {
58
+ "text": {
59
+ "norms": false,
60
+ "type": "text"
61
+ }
62
+ },
63
+ "ignore_above": 1024,
64
+ "type": "keyword"
65
+ }
66
+ }
67
+ }
68
+ }
69
+ },
70
+ "client": {
71
+ "properties": {
72
+ "address": {
73
+ "ignore_above": 1024,
74
+ "type": "keyword"
75
+ },
76
+ "as": {
77
+ "properties": {
78
+ "number": {
79
+ "type": "long"
80
+ },
81
+ "organization": {
82
+ "properties": {
83
+ "name": {
84
+ "fields": {
85
+ "text": {
86
+ "norms": false,
87
+ "type": "text"
88
+ }
89
+ },
90
+ "ignore_above": 1024,
91
+ "type": "keyword"
92
+ }
93
+ }
94
+ }
95
+ }
96
+ },
97
+ "bytes": {
98
+ "type": "long"
99
+ },
100
+ "domain": {
101
+ "ignore_above": 1024,
102
+ "type": "keyword"
103
+ },
104
+ "geo": {
105
+ "properties": {
106
+ "city_name": {
107
+ "ignore_above": 1024,
108
+ "type": "keyword"
109
+ },
110
+ "continent_name": {
111
+ "ignore_above": 1024,
112
+ "type": "keyword"
113
+ },
114
+ "country_iso_code": {
115
+ "ignore_above": 1024,
116
+ "type": "keyword"
117
+ },
118
+ "country_name": {
119
+ "ignore_above": 1024,
120
+ "type": "keyword"
121
+ },
122
+ "location": {
123
+ "type": "geo_point"
124
+ },
125
+ "name": {
126
+ "ignore_above": 1024,
127
+ "type": "keyword"
128
+ },
129
+ "region_iso_code": {
130
+ "ignore_above": 1024,
131
+ "type": "keyword"
132
+ },
133
+ "region_name": {
134
+ "ignore_above": 1024,
135
+ "type": "keyword"
136
+ }
137
+ }
138
+ },
139
+ "ip": {
140
+ "type": "ip"
141
+ },
142
+ "mac": {
143
+ "ignore_above": 1024,
144
+ "type": "keyword"
145
+ },
146
+ "nat": {
147
+ "properties": {
148
+ "ip": {
149
+ "type": "ip"
150
+ },
151
+ "port": {
152
+ "type": "long"
153
+ }
154
+ }
155
+ },
156
+ "packets": {
157
+ "type": "long"
158
+ },
159
+ "port": {
160
+ "type": "long"
161
+ },
162
+ "registered_domain": {
163
+ "ignore_above": 1024,
164
+ "type": "keyword"
165
+ },
166
+ "top_level_domain": {
167
+ "ignore_above": 1024,
168
+ "type": "keyword"
169
+ },
170
+ "user": {
171
+ "properties": {
172
+ "domain": {
173
+ "ignore_above": 1024,
174
+ "type": "keyword"
175
+ },
176
+ "email": {
177
+ "ignore_above": 1024,
178
+ "type": "keyword"
179
+ },
180
+ "full_name": {
181
+ "fields": {
182
+ "text": {
183
+ "norms": false,
184
+ "type": "text"
185
+ }
186
+ },
187
+ "ignore_above": 1024,
188
+ "type": "keyword"
189
+ },
190
+ "group": {
191
+ "properties": {
192
+ "domain": {
193
+ "ignore_above": 1024,
194
+ "type": "keyword"
195
+ },
196
+ "id": {
197
+ "ignore_above": 1024,
198
+ "type": "keyword"
199
+ },
200
+ "name": {
201
+ "ignore_above": 1024,
202
+ "type": "keyword"
203
+ }
204
+ }
205
+ },
206
+ "hash": {
207
+ "ignore_above": 1024,
208
+ "type": "keyword"
209
+ },
210
+ "id": {
211
+ "ignore_above": 1024,
212
+ "type": "keyword"
213
+ },
214
+ "name": {
215
+ "fields": {
216
+ "text": {
217
+ "norms": false,
218
+ "type": "text"
219
+ }
220
+ },
221
+ "ignore_above": 1024,
222
+ "type": "keyword"
223
+ }
224
+ }
225
+ }
226
+ }
227
+ },
228
+ "cloud": {
229
+ "properties": {
230
+ "account": {
231
+ "properties": {
232
+ "id": {
233
+ "ignore_above": 1024,
234
+ "type": "keyword"
235
+ }
236
+ }
237
+ },
238
+ "availability_zone": {
239
+ "ignore_above": 1024,
240
+ "type": "keyword"
241
+ },
242
+ "instance": {
243
+ "properties": {
244
+ "id": {
245
+ "ignore_above": 1024,
246
+ "type": "keyword"
247
+ },
248
+ "name": {
249
+ "ignore_above": 1024,
250
+ "type": "keyword"
251
+ }
252
+ }
253
+ },
254
+ "machine": {
255
+ "properties": {
256
+ "type": {
257
+ "ignore_above": 1024,
258
+ "type": "keyword"
259
+ }
260
+ }
261
+ },
262
+ "provider": {
263
+ "ignore_above": 1024,
264
+ "type": "keyword"
265
+ },
266
+ "region": {
267
+ "ignore_above": 1024,
268
+ "type": "keyword"
269
+ }
270
+ }
271
+ },
272
+ "code_signature": {
273
+ "properties": {
274
+ "exists": {
275
+ "type": "boolean"
276
+ },
277
+ "status": {
278
+ "ignore_above": 1024,
279
+ "type": "keyword"
280
+ },
281
+ "subject_name": {
282
+ "ignore_above": 1024,
283
+ "type": "keyword"
284
+ },
285
+ "trusted": {
286
+ "type": "boolean"
287
+ },
288
+ "valid": {
289
+ "type": "boolean"
290
+ }
291
+ }
292
+ },
293
+ "container": {
294
+ "properties": {
295
+ "id": {
296
+ "ignore_above": 1024,
297
+ "type": "keyword"
298
+ },
299
+ "image": {
300
+ "properties": {
301
+ "name": {
302
+ "ignore_above": 1024,
303
+ "type": "keyword"
304
+ },
305
+ "tag": {
306
+ "ignore_above": 1024,
307
+ "type": "keyword"
308
+ }
309
+ }
310
+ },
311
+ "labels": {
312
+ "type": "object"
313
+ },
314
+ "name": {
315
+ "ignore_above": 1024,
316
+ "type": "keyword"
317
+ },
318
+ "runtime": {
319
+ "ignore_above": 1024,
320
+ "type": "keyword"
321
+ }
322
+ }
323
+ },
324
+ "destination": {
325
+ "properties": {
326
+ "address": {
327
+ "ignore_above": 1024,
328
+ "type": "keyword"
329
+ },
330
+ "as": {
331
+ "properties": {
332
+ "number": {
333
+ "type": "long"
334
+ },
335
+ "organization": {
336
+ "properties": {
337
+ "name": {
338
+ "fields": {
339
+ "text": {
340
+ "norms": false,
341
+ "type": "text"
342
+ }
343
+ },
344
+ "ignore_above": 1024,
345
+ "type": "keyword"
346
+ }
347
+ }
348
+ }
349
+ }
350
+ },
351
+ "bytes": {
352
+ "type": "long"
353
+ },
354
+ "domain": {
355
+ "ignore_above": 1024,
356
+ "type": "keyword"
357
+ },
358
+ "geo": {
359
+ "properties": {
360
+ "city_name": {
361
+ "ignore_above": 1024,
362
+ "type": "keyword"
363
+ },
364
+ "continent_name": {
365
+ "ignore_above": 1024,
366
+ "type": "keyword"
367
+ },
368
+ "country_iso_code": {
369
+ "ignore_above": 1024,
370
+ "type": "keyword"
371
+ },
372
+ "country_name": {
373
+ "ignore_above": 1024,
374
+ "type": "keyword"
375
+ },
376
+ "location": {
377
+ "type": "geo_point"
378
+ },
379
+ "name": {
380
+ "ignore_above": 1024,
381
+ "type": "keyword"
382
+ },
383
+ "region_iso_code": {
384
+ "ignore_above": 1024,
385
+ "type": "keyword"
386
+ },
387
+ "region_name": {
388
+ "ignore_above": 1024,
389
+ "type": "keyword"
390
+ }
391
+ }
392
+ },
393
+ "ip": {
394
+ "type": "ip"
395
+ },
396
+ "mac": {
397
+ "ignore_above": 1024,
398
+ "type": "keyword"
399
+ },
400
+ "nat": {
401
+ "properties": {
402
+ "ip": {
403
+ "type": "ip"
404
+ },
405
+ "port": {
406
+ "type": "long"
407
+ }
408
+ }
409
+ },
410
+ "packets": {
411
+ "type": "long"
412
+ },
413
+ "port": {
414
+ "type": "long"
415
+ },
416
+ "registered_domain": {
417
+ "ignore_above": 1024,
418
+ "type": "keyword"
419
+ },
420
+ "top_level_domain": {
421
+ "ignore_above": 1024,
422
+ "type": "keyword"
423
+ },
424
+ "user": {
425
+ "properties": {
426
+ "domain": {
427
+ "ignore_above": 1024,
428
+ "type": "keyword"
429
+ },
430
+ "email": {
431
+ "ignore_above": 1024,
432
+ "type": "keyword"
433
+ },
434
+ "full_name": {
435
+ "fields": {
436
+ "text": {
437
+ "norms": false,
438
+ "type": "text"
439
+ }
440
+ },
441
+ "ignore_above": 1024,
442
+ "type": "keyword"
443
+ },
444
+ "group": {
445
+ "properties": {
446
+ "domain": {
447
+ "ignore_above": 1024,
448
+ "type": "keyword"
449
+ },
450
+ "id": {
451
+ "ignore_above": 1024,
452
+ "type": "keyword"
453
+ },
454
+ "name": {
455
+ "ignore_above": 1024,
456
+ "type": "keyword"
457
+ }
458
+ }
459
+ },
460
+ "hash": {
461
+ "ignore_above": 1024,
462
+ "type": "keyword"
463
+ },
464
+ "id": {
465
+ "ignore_above": 1024,
466
+ "type": "keyword"
467
+ },
468
+ "name": {
469
+ "fields": {
470
+ "text": {
471
+ "norms": false,
472
+ "type": "text"
473
+ }
474
+ },
475
+ "ignore_above": 1024,
476
+ "type": "keyword"
477
+ }
478
+ }
479
+ }
480
+ }
481
+ },
482
+ "dll": {
483
+ "properties": {
484
+ "code_signature": {
485
+ "properties": {
486
+ "exists": {
487
+ "type": "boolean"
488
+ },
489
+ "status": {
490
+ "ignore_above": 1024,
491
+ "type": "keyword"
492
+ },
493
+ "subject_name": {
494
+ "ignore_above": 1024,
495
+ "type": "keyword"
496
+ },
497
+ "trusted": {
498
+ "type": "boolean"
499
+ },
500
+ "valid": {
501
+ "type": "boolean"
502
+ }
503
+ }
504
+ },
505
+ "hash": {
506
+ "properties": {
507
+ "md5": {
508
+ "ignore_above": 1024,
509
+ "type": "keyword"
510
+ },
511
+ "sha1": {
512
+ "ignore_above": 1024,
513
+ "type": "keyword"
514
+ },
515
+ "sha256": {
516
+ "ignore_above": 1024,
517
+ "type": "keyword"
518
+ },
519
+ "sha512": {
520
+ "ignore_above": 1024,
521
+ "type": "keyword"
522
+ }
523
+ }
524
+ },
525
+ "name": {
526
+ "ignore_above": 1024,
527
+ "type": "keyword"
528
+ },
529
+ "path": {
530
+ "ignore_above": 1024,
531
+ "type": "keyword"
532
+ },
533
+ "pe": {
534
+ "properties": {
535
+ "company": {
536
+ "ignore_above": 1024,
537
+ "type": "keyword"
538
+ },
539
+ "description": {
540
+ "ignore_above": 1024,
541
+ "type": "keyword"
542
+ },
543
+ "file_version": {
544
+ "ignore_above": 1024,
545
+ "type": "keyword"
546
+ },
547
+ "original_file_name": {
548
+ "ignore_above": 1024,
549
+ "type": "keyword"
550
+ },
551
+ "product": {
552
+ "ignore_above": 1024,
553
+ "type": "keyword"
554
+ }
555
+ }
556
+ }
557
+ }
558
+ },
559
+ "dns": {
560
+ "properties": {
561
+ "answers": {
562
+ "properties": {
563
+ "class": {
564
+ "ignore_above": 1024,
565
+ "type": "keyword"
566
+ },
567
+ "data": {
568
+ "ignore_above": 1024,
569
+ "type": "keyword"
570
+ },
571
+ "name": {
572
+ "ignore_above": 1024,
573
+ "type": "keyword"
574
+ },
575
+ "ttl": {
576
+ "type": "long"
577
+ },
578
+ "type": {
579
+ "ignore_above": 1024,
580
+ "type": "keyword"
581
+ }
582
+ },
583
+ "type": "object"
584
+ },
585
+ "header_flags": {
586
+ "ignore_above": 1024,
587
+ "type": "keyword"
588
+ },
589
+ "id": {
590
+ "ignore_above": 1024,
591
+ "type": "keyword"
592
+ },
593
+ "op_code": {
594
+ "ignore_above": 1024,
595
+ "type": "keyword"
596
+ },
597
+ "question": {
598
+ "properties": {
599
+ "class": {
600
+ "ignore_above": 1024,
601
+ "type": "keyword"
602
+ },
603
+ "name": {
604
+ "ignore_above": 1024,
605
+ "type": "keyword"
606
+ },
607
+ "registered_domain": {
608
+ "ignore_above": 1024,
609
+ "type": "keyword"
610
+ },
611
+ "subdomain": {
612
+ "ignore_above": 1024,
613
+ "type": "keyword"
614
+ },
615
+ "top_level_domain": {
616
+ "ignore_above": 1024,
617
+ "type": "keyword"
618
+ },
619
+ "type": {
620
+ "ignore_above": 1024,
621
+ "type": "keyword"
622
+ }
623
+ }
624
+ },
625
+ "resolved_ip": {
626
+ "type": "ip"
627
+ },
628
+ "response_code": {
629
+ "ignore_above": 1024,
630
+ "type": "keyword"
631
+ },
632
+ "type": {
633
+ "ignore_above": 1024,
634
+ "type": "keyword"
635
+ }
636
+ }
637
+ },
638
+ "ecs": {
639
+ "properties": {
640
+ "version": {
641
+ "ignore_above": 1024,
642
+ "type": "keyword"
643
+ }
644
+ }
645
+ },
646
+ "error": {
647
+ "properties": {
648
+ "code": {
649
+ "ignore_above": 1024,
650
+ "type": "keyword"
651
+ },
652
+ "id": {
653
+ "ignore_above": 1024,
654
+ "type": "keyword"
655
+ },
656
+ "message": {
657
+ "norms": false,
658
+ "type": "text"
659
+ },
660
+ "stack_trace": {
661
+ "doc_values": false,
662
+ "fields": {
663
+ "text": {
664
+ "norms": false,
665
+ "type": "text"
666
+ }
667
+ },
668
+ "ignore_above": 1024,
669
+ "index": false,
670
+ "type": "keyword"
671
+ },
672
+ "type": {
673
+ "ignore_above": 1024,
674
+ "type": "keyword"
675
+ }
676
+ }
677
+ },
678
+ "event": {
679
+ "properties": {
680
+ "action": {
681
+ "ignore_above": 1024,
682
+ "type": "keyword"
683
+ },
684
+ "category": {
685
+ "ignore_above": 1024,
686
+ "type": "keyword"
687
+ },
688
+ "code": {
689
+ "ignore_above": 1024,
690
+ "type": "keyword"
691
+ },
692
+ "created": {
693
+ "type": "date"
694
+ },
695
+ "dataset": {
696
+ "ignore_above": 1024,
697
+ "type": "keyword"
698
+ },
699
+ "duration": {
700
+ "type": "long"
701
+ },
702
+ "end": {
703
+ "type": "date"
704
+ },
705
+ "hash": {
706
+ "ignore_above": 1024,
707
+ "type": "keyword"
708
+ },
709
+ "id": {
710
+ "ignore_above": 1024,
711
+ "type": "keyword"
712
+ },
713
+ "ingested": {
714
+ "type": "date"
715
+ },
716
+ "kind": {
717
+ "ignore_above": 1024,
718
+ "type": "keyword"
719
+ },
720
+ "module": {
721
+ "ignore_above": 1024,
722
+ "type": "keyword"
723
+ },
724
+ "original": {
725
+ "doc_values": false,
726
+ "ignore_above": 1024,
727
+ "index": false,
728
+ "type": "keyword"
729
+ },
730
+ "outcome": {
731
+ "ignore_above": 1024,
732
+ "type": "keyword"
733
+ },
734
+ "provider": {
735
+ "ignore_above": 1024,
736
+ "type": "keyword"
737
+ },
738
+ "reference": {
739
+ "ignore_above": 1024,
740
+ "type": "keyword"
741
+ },
742
+ "risk_score": {
743
+ "type": "float"
744
+ },
745
+ "risk_score_norm": {
746
+ "type": "float"
747
+ },
748
+ "sequence": {
749
+ "type": "long"
750
+ },
751
+ "severity": {
752
+ "type": "long"
753
+ },
754
+ "start": {
755
+ "type": "date"
756
+ },
757
+ "timezone": {
758
+ "ignore_above": 1024,
759
+ "type": "keyword"
760
+ },
761
+ "type": {
762
+ "ignore_above": 1024,
763
+ "type": "keyword"
764
+ },
765
+ "url": {
766
+ "ignore_above": 1024,
767
+ "type": "keyword"
768
+ }
769
+ }
770
+ },
771
+ "file": {
772
+ "properties": {
773
+ "accessed": {
774
+ "type": "date"
775
+ },
776
+ "attributes": {
777
+ "ignore_above": 1024,
778
+ "type": "keyword"
779
+ },
780
+ "code_signature": {
781
+ "properties": {
782
+ "exists": {
783
+ "type": "boolean"
784
+ },
785
+ "status": {
786
+ "ignore_above": 1024,
787
+ "type": "keyword"
788
+ },
789
+ "subject_name": {
790
+ "ignore_above": 1024,
791
+ "type": "keyword"
792
+ },
793
+ "trusted": {
794
+ "type": "boolean"
795
+ },
796
+ "valid": {
797
+ "type": "boolean"
798
+ }
799
+ }
800
+ },
801
+ "created": {
802
+ "type": "date"
803
+ },
804
+ "ctime": {
805
+ "type": "date"
806
+ },
807
+ "device": {
808
+ "ignore_above": 1024,
809
+ "type": "keyword"
810
+ },
811
+ "directory": {
812
+ "ignore_above": 1024,
813
+ "type": "keyword"
814
+ },
815
+ "drive_letter": {
816
+ "ignore_above": 1,
817
+ "type": "keyword"
818
+ },
819
+ "extension": {
820
+ "ignore_above": 1024,
821
+ "type": "keyword"
822
+ },
823
+ "gid": {
824
+ "ignore_above": 1024,
825
+ "type": "keyword"
826
+ },
827
+ "group": {
828
+ "ignore_above": 1024,
829
+ "type": "keyword"
830
+ },
831
+ "hash": {
832
+ "properties": {
833
+ "md5": {
834
+ "ignore_above": 1024,
835
+ "type": "keyword"
836
+ },
837
+ "sha1": {
838
+ "ignore_above": 1024,
839
+ "type": "keyword"
840
+ },
841
+ "sha256": {
842
+ "ignore_above": 1024,
843
+ "type": "keyword"
844
+ },
845
+ "sha512": {
846
+ "ignore_above": 1024,
847
+ "type": "keyword"
848
+ }
849
+ }
850
+ },
851
+ "inode": {
852
+ "ignore_above": 1024,
853
+ "type": "keyword"
854
+ },
855
+ "mime_type": {
856
+ "ignore_above": 1024,
857
+ "type": "keyword"
858
+ },
859
+ "mode": {
860
+ "ignore_above": 1024,
861
+ "type": "keyword"
862
+ },
863
+ "mtime": {
864
+ "type": "date"
865
+ },
866
+ "name": {
867
+ "ignore_above": 1024,
868
+ "type": "keyword"
869
+ },
870
+ "owner": {
871
+ "ignore_above": 1024,
872
+ "type": "keyword"
873
+ },
874
+ "path": {
875
+ "fields": {
876
+ "text": {
877
+ "norms": false,
878
+ "type": "text"
879
+ }
880
+ },
881
+ "ignore_above": 1024,
882
+ "type": "keyword"
883
+ },
884
+ "pe": {
885
+ "properties": {
886
+ "company": {
887
+ "ignore_above": 1024,
888
+ "type": "keyword"
889
+ },
890
+ "description": {
891
+ "ignore_above": 1024,
892
+ "type": "keyword"
893
+ },
894
+ "file_version": {
895
+ "ignore_above": 1024,
896
+ "type": "keyword"
897
+ },
898
+ "original_file_name": {
899
+ "ignore_above": 1024,
900
+ "type": "keyword"
901
+ },
902
+ "product": {
903
+ "ignore_above": 1024,
904
+ "type": "keyword"
905
+ }
906
+ }
907
+ },
908
+ "size": {
909
+ "type": "long"
910
+ },
911
+ "target_path": {
912
+ "fields": {
913
+ "text": {
914
+ "norms": false,
915
+ "type": "text"
916
+ }
917
+ },
918
+ "ignore_above": 1024,
919
+ "type": "keyword"
920
+ },
921
+ "type": {
922
+ "ignore_above": 1024,
923
+ "type": "keyword"
924
+ },
925
+ "uid": {
926
+ "ignore_above": 1024,
927
+ "type": "keyword"
928
+ }
929
+ }
930
+ },
931
+ "geo": {
932
+ "properties": {
933
+ "city_name": {
934
+ "ignore_above": 1024,
935
+ "type": "keyword"
936
+ },
937
+ "continent_name": {
938
+ "ignore_above": 1024,
939
+ "type": "keyword"
940
+ },
941
+ "country_iso_code": {
942
+ "ignore_above": 1024,
943
+ "type": "keyword"
944
+ },
945
+ "country_name": {
946
+ "ignore_above": 1024,
947
+ "type": "keyword"
948
+ },
949
+ "location": {
950
+ "type": "geo_point"
951
+ },
952
+ "name": {
953
+ "ignore_above": 1024,
954
+ "type": "keyword"
955
+ },
956
+ "region_iso_code": {
957
+ "ignore_above": 1024,
958
+ "type": "keyword"
959
+ },
960
+ "region_name": {
961
+ "ignore_above": 1024,
962
+ "type": "keyword"
963
+ }
964
+ }
965
+ },
966
+ "group": {
967
+ "properties": {
968
+ "domain": {
969
+ "ignore_above": 1024,
970
+ "type": "keyword"
971
+ },
972
+ "id": {
973
+ "ignore_above": 1024,
974
+ "type": "keyword"
975
+ },
976
+ "name": {
977
+ "ignore_above": 1024,
978
+ "type": "keyword"
979
+ }
980
+ }
981
+ },
982
+ "hash": {
983
+ "properties": {
984
+ "md5": {
985
+ "ignore_above": 1024,
986
+ "type": "keyword"
987
+ },
988
+ "sha1": {
989
+ "ignore_above": 1024,
990
+ "type": "keyword"
991
+ },
992
+ "sha256": {
993
+ "ignore_above": 1024,
994
+ "type": "keyword"
995
+ },
996
+ "sha512": {
997
+ "ignore_above": 1024,
998
+ "type": "keyword"
999
+ }
1000
+ }
1001
+ },
1002
+ "host": {
1003
+ "properties": {
1004
+ "architecture": {
1005
+ "ignore_above": 1024,
1006
+ "type": "keyword"
1007
+ },
1008
+ "domain": {
1009
+ "ignore_above": 1024,
1010
+ "type": "keyword"
1011
+ },
1012
+ "geo": {
1013
+ "properties": {
1014
+ "city_name": {
1015
+ "ignore_above": 1024,
1016
+ "type": "keyword"
1017
+ },
1018
+ "continent_name": {
1019
+ "ignore_above": 1024,
1020
+ "type": "keyword"
1021
+ },
1022
+ "country_iso_code": {
1023
+ "ignore_above": 1024,
1024
+ "type": "keyword"
1025
+ },
1026
+ "country_name": {
1027
+ "ignore_above": 1024,
1028
+ "type": "keyword"
1029
+ },
1030
+ "location": {
1031
+ "type": "geo_point"
1032
+ },
1033
+ "name": {
1034
+ "ignore_above": 1024,
1035
+ "type": "keyword"
1036
+ },
1037
+ "region_iso_code": {
1038
+ "ignore_above": 1024,
1039
+ "type": "keyword"
1040
+ },
1041
+ "region_name": {
1042
+ "ignore_above": 1024,
1043
+ "type": "keyword"
1044
+ }
1045
+ }
1046
+ },
1047
+ "hostname": {
1048
+ "ignore_above": 1024,
1049
+ "type": "keyword"
1050
+ },
1051
+ "id": {
1052
+ "ignore_above": 1024,
1053
+ "type": "keyword"
1054
+ },
1055
+ "ip": {
1056
+ "type": "ip"
1057
+ },
1058
+ "mac": {
1059
+ "ignore_above": 1024,
1060
+ "type": "keyword"
1061
+ },
1062
+ "name": {
1063
+ "ignore_above": 1024,
1064
+ "type": "keyword"
1065
+ },
1066
+ "os": {
1067
+ "properties": {
1068
+ "family": {
1069
+ "ignore_above": 1024,
1070
+ "type": "keyword"
1071
+ },
1072
+ "full": {
1073
+ "fields": {
1074
+ "text": {
1075
+ "norms": false,
1076
+ "type": "text"
1077
+ }
1078
+ },
1079
+ "ignore_above": 1024,
1080
+ "type": "keyword"
1081
+ },
1082
+ "kernel": {
1083
+ "ignore_above": 1024,
1084
+ "type": "keyword"
1085
+ },
1086
+ "name": {
1087
+ "fields": {
1088
+ "text": {
1089
+ "norms": false,
1090
+ "type": "text"
1091
+ }
1092
+ },
1093
+ "ignore_above": 1024,
1094
+ "type": "keyword"
1095
+ },
1096
+ "platform": {
1097
+ "ignore_above": 1024,
1098
+ "type": "keyword"
1099
+ },
1100
+ "version": {
1101
+ "ignore_above": 1024,
1102
+ "type": "keyword"
1103
+ }
1104
+ }
1105
+ },
1106
+ "type": {
1107
+ "ignore_above": 1024,
1108
+ "type": "keyword"
1109
+ },
1110
+ "uptime": {
1111
+ "type": "long"
1112
+ },
1113
+ "user": {
1114
+ "properties": {
1115
+ "domain": {
1116
+ "ignore_above": 1024,
1117
+ "type": "keyword"
1118
+ },
1119
+ "email": {
1120
+ "ignore_above": 1024,
1121
+ "type": "keyword"
1122
+ },
1123
+ "full_name": {
1124
+ "fields": {
1125
+ "text": {
1126
+ "norms": false,
1127
+ "type": "text"
1128
+ }
1129
+ },
1130
+ "ignore_above": 1024,
1131
+ "type": "keyword"
1132
+ },
1133
+ "group": {
1134
+ "properties": {
1135
+ "domain": {
1136
+ "ignore_above": 1024,
1137
+ "type": "keyword"
1138
+ },
1139
+ "id": {
1140
+ "ignore_above": 1024,
1141
+ "type": "keyword"
1142
+ },
1143
+ "name": {
1144
+ "ignore_above": 1024,
1145
+ "type": "keyword"
1146
+ }
1147
+ }
1148
+ },
1149
+ "hash": {
1150
+ "ignore_above": 1024,
1151
+ "type": "keyword"
1152
+ },
1153
+ "id": {
1154
+ "ignore_above": 1024,
1155
+ "type": "keyword"
1156
+ },
1157
+ "name": {
1158
+ "fields": {
1159
+ "text": {
1160
+ "norms": false,
1161
+ "type": "text"
1162
+ }
1163
+ },
1164
+ "ignore_above": 1024,
1165
+ "type": "keyword"
1166
+ }
1167
+ }
1168
+ }
1169
+ }
1170
+ },
1171
+ "http": {
1172
+ "properties": {
1173
+ "request": {
1174
+ "properties": {
1175
+ "body": {
1176
+ "properties": {
1177
+ "bytes": {
1178
+ "type": "long"
1179
+ },
1180
+ "content": {
1181
+ "fields": {
1182
+ "text": {
1183
+ "norms": false,
1184
+ "type": "text"
1185
+ }
1186
+ },
1187
+ "ignore_above": 1024,
1188
+ "type": "keyword"
1189
+ }
1190
+ }
1191
+ },
1192
+ "bytes": {
1193
+ "type": "long"
1194
+ },
1195
+ "method": {
1196
+ "ignore_above": 1024,
1197
+ "type": "keyword"
1198
+ },
1199
+ "referrer": {
1200
+ "ignore_above": 1024,
1201
+ "type": "keyword"
1202
+ }
1203
+ }
1204
+ },
1205
+ "response": {
1206
+ "properties": {
1207
+ "body": {
1208
+ "properties": {
1209
+ "bytes": {
1210
+ "type": "long"
1211
+ },
1212
+ "content": {
1213
+ "fields": {
1214
+ "text": {
1215
+ "norms": false,
1216
+ "type": "text"
1217
+ }
1218
+ },
1219
+ "ignore_above": 1024,
1220
+ "type": "keyword"
1221
+ }
1222
+ }
1223
+ },
1224
+ "bytes": {
1225
+ "type": "long"
1226
+ },
1227
+ "status_code": {
1228
+ "type": "long"
1229
+ }
1230
+ }
1231
+ },
1232
+ "version": {
1233
+ "ignore_above": 1024,
1234
+ "type": "keyword"
1235
+ }
1236
+ }
1237
+ },
1238
+ "interface": {
1239
+ "properties": {
1240
+ "alias": {
1241
+ "ignore_above": 1024,
1242
+ "type": "keyword"
1243
+ },
1244
+ "id": {
1245
+ "ignore_above": 1024,
1246
+ "type": "keyword"
1247
+ },
1248
+ "name": {
1249
+ "ignore_above": 1024,
1250
+ "type": "keyword"
1251
+ }
1252
+ }
1253
+ },
1254
+ "labels": {
1255
+ "type": "object"
1256
+ },
1257
+ "log": {
1258
+ "properties": {
1259
+ "level": {
1260
+ "ignore_above": 1024,
1261
+ "type": "keyword"
1262
+ },
1263
+ "logger": {
1264
+ "ignore_above": 1024,
1265
+ "type": "keyword"
1266
+ },
1267
+ "origin": {
1268
+ "properties": {
1269
+ "file": {
1270
+ "properties": {
1271
+ "line": {
1272
+ "type": "integer"
1273
+ },
1274
+ "name": {
1275
+ "ignore_above": 1024,
1276
+ "type": "keyword"
1277
+ }
1278
+ }
1279
+ },
1280
+ "function": {
1281
+ "ignore_above": 1024,
1282
+ "type": "keyword"
1283
+ }
1284
+ }
1285
+ },
1286
+ "original": {
1287
+ "doc_values": false,
1288
+ "ignore_above": 1024,
1289
+ "index": false,
1290
+ "type": "keyword"
1291
+ },
1292
+ "syslog": {
1293
+ "properties": {
1294
+ "facility": {
1295
+ "properties": {
1296
+ "code": {
1297
+ "type": "long"
1298
+ },
1299
+ "name": {
1300
+ "ignore_above": 1024,
1301
+ "type": "keyword"
1302
+ }
1303
+ }
1304
+ },
1305
+ "priority": {
1306
+ "type": "long"
1307
+ },
1308
+ "severity": {
1309
+ "properties": {
1310
+ "code": {
1311
+ "type": "long"
1312
+ },
1313
+ "name": {
1314
+ "ignore_above": 1024,
1315
+ "type": "keyword"
1316
+ }
1317
+ }
1318
+ }
1319
+ },
1320
+ "type": "object"
1321
+ }
1322
+ }
1323
+ },
1324
+ "message": {
1325
+ "norms": false,
1326
+ "type": "text"
1327
+ },
1328
+ "network": {
1329
+ "properties": {
1330
+ "application": {
1331
+ "ignore_above": 1024,
1332
+ "type": "keyword"
1333
+ },
1334
+ "bytes": {
1335
+ "type": "long"
1336
+ },
1337
+ "community_id": {
1338
+ "ignore_above": 1024,
1339
+ "type": "keyword"
1340
+ },
1341
+ "direction": {
1342
+ "ignore_above": 1024,
1343
+ "type": "keyword"
1344
+ },
1345
+ "forwarded_ip": {
1346
+ "type": "ip"
1347
+ },
1348
+ "iana_number": {
1349
+ "ignore_above": 1024,
1350
+ "type": "keyword"
1351
+ },
1352
+ "inner": {
1353
+ "properties": {
1354
+ "vlan": {
1355
+ "properties": {
1356
+ "id": {
1357
+ "ignore_above": 1024,
1358
+ "type": "keyword"
1359
+ },
1360
+ "name": {
1361
+ "ignore_above": 1024,
1362
+ "type": "keyword"
1363
+ }
1364
+ }
1365
+ }
1366
+ },
1367
+ "type": "object"
1368
+ },
1369
+ "name": {
1370
+ "ignore_above": 1024,
1371
+ "type": "keyword"
1372
+ },
1373
+ "packets": {
1374
+ "type": "long"
1375
+ },
1376
+ "protocol": {
1377
+ "ignore_above": 1024,
1378
+ "type": "keyword"
1379
+ },
1380
+ "transport": {
1381
+ "ignore_above": 1024,
1382
+ "type": "keyword"
1383
+ },
1384
+ "type": {
1385
+ "ignore_above": 1024,
1386
+ "type": "keyword"
1387
+ },
1388
+ "vlan": {
1389
+ "properties": {
1390
+ "id": {
1391
+ "ignore_above": 1024,
1392
+ "type": "keyword"
1393
+ },
1394
+ "name": {
1395
+ "ignore_above": 1024,
1396
+ "type": "keyword"
1397
+ }
1398
+ }
1399
+ }
1400
+ }
1401
+ },
1402
+ "observer": {
1403
+ "properties": {
1404
+ "egress": {
1405
+ "properties": {
1406
+ "interface": {
1407
+ "properties": {
1408
+ "alias": {
1409
+ "ignore_above": 1024,
1410
+ "type": "keyword"
1411
+ },
1412
+ "id": {
1413
+ "ignore_above": 1024,
1414
+ "type": "keyword"
1415
+ },
1416
+ "name": {
1417
+ "ignore_above": 1024,
1418
+ "type": "keyword"
1419
+ }
1420
+ }
1421
+ },
1422
+ "vlan": {
1423
+ "properties": {
1424
+ "id": {
1425
+ "ignore_above": 1024,
1426
+ "type": "keyword"
1427
+ },
1428
+ "name": {
1429
+ "ignore_above": 1024,
1430
+ "type": "keyword"
1431
+ }
1432
+ }
1433
+ },
1434
+ "zone": {
1435
+ "ignore_above": 1024,
1436
+ "type": "keyword"
1437
+ }
1438
+ },
1439
+ "type": "object"
1440
+ },
1441
+ "geo": {
1442
+ "properties": {
1443
+ "city_name": {
1444
+ "ignore_above": 1024,
1445
+ "type": "keyword"
1446
+ },
1447
+ "continent_name": {
1448
+ "ignore_above": 1024,
1449
+ "type": "keyword"
1450
+ },
1451
+ "country_iso_code": {
1452
+ "ignore_above": 1024,
1453
+ "type": "keyword"
1454
+ },
1455
+ "country_name": {
1456
+ "ignore_above": 1024,
1457
+ "type": "keyword"
1458
+ },
1459
+ "location": {
1460
+ "type": "geo_point"
1461
+ },
1462
+ "name": {
1463
+ "ignore_above": 1024,
1464
+ "type": "keyword"
1465
+ },
1466
+ "region_iso_code": {
1467
+ "ignore_above": 1024,
1468
+ "type": "keyword"
1469
+ },
1470
+ "region_name": {
1471
+ "ignore_above": 1024,
1472
+ "type": "keyword"
1473
+ }
1474
+ }
1475
+ },
1476
+ "hostname": {
1477
+ "ignore_above": 1024,
1478
+ "type": "keyword"
1479
+ },
1480
+ "ingress": {
1481
+ "properties": {
1482
+ "interface": {
1483
+ "properties": {
1484
+ "alias": {
1485
+ "ignore_above": 1024,
1486
+ "type": "keyword"
1487
+ },
1488
+ "id": {
1489
+ "ignore_above": 1024,
1490
+ "type": "keyword"
1491
+ },
1492
+ "name": {
1493
+ "ignore_above": 1024,
1494
+ "type": "keyword"
1495
+ }
1496
+ }
1497
+ },
1498
+ "vlan": {
1499
+ "properties": {
1500
+ "id": {
1501
+ "ignore_above": 1024,
1502
+ "type": "keyword"
1503
+ },
1504
+ "name": {
1505
+ "ignore_above": 1024,
1506
+ "type": "keyword"
1507
+ }
1508
+ }
1509
+ },
1510
+ "zone": {
1511
+ "ignore_above": 1024,
1512
+ "type": "keyword"
1513
+ }
1514
+ },
1515
+ "type": "object"
1516
+ },
1517
+ "ip": {
1518
+ "type": "ip"
1519
+ },
1520
+ "mac": {
1521
+ "ignore_above": 1024,
1522
+ "type": "keyword"
1523
+ },
1524
+ "name": {
1525
+ "ignore_above": 1024,
1526
+ "type": "keyword"
1527
+ },
1528
+ "os": {
1529
+ "properties": {
1530
+ "family": {
1531
+ "ignore_above": 1024,
1532
+ "type": "keyword"
1533
+ },
1534
+ "full": {
1535
+ "fields": {
1536
+ "text": {
1537
+ "norms": false,
1538
+ "type": "text"
1539
+ }
1540
+ },
1541
+ "ignore_above": 1024,
1542
+ "type": "keyword"
1543
+ },
1544
+ "kernel": {
1545
+ "ignore_above": 1024,
1546
+ "type": "keyword"
1547
+ },
1548
+ "name": {
1549
+ "fields": {
1550
+ "text": {
1551
+ "norms": false,
1552
+ "type": "text"
1553
+ }
1554
+ },
1555
+ "ignore_above": 1024,
1556
+ "type": "keyword"
1557
+ },
1558
+ "platform": {
1559
+ "ignore_above": 1024,
1560
+ "type": "keyword"
1561
+ },
1562
+ "version": {
1563
+ "ignore_above": 1024,
1564
+ "type": "keyword"
1565
+ }
1566
+ }
1567
+ },
1568
+ "product": {
1569
+ "ignore_above": 1024,
1570
+ "type": "keyword"
1571
+ },
1572
+ "serial_number": {
1573
+ "ignore_above": 1024,
1574
+ "type": "keyword"
1575
+ },
1576
+ "type": {
1577
+ "ignore_above": 1024,
1578
+ "type": "keyword"
1579
+ },
1580
+ "vendor": {
1581
+ "ignore_above": 1024,
1582
+ "type": "keyword"
1583
+ },
1584
+ "version": {
1585
+ "ignore_above": 1024,
1586
+ "type": "keyword"
1587
+ }
1588
+ }
1589
+ },
1590
+ "organization": {
1591
+ "properties": {
1592
+ "id": {
1593
+ "ignore_above": 1024,
1594
+ "type": "keyword"
1595
+ },
1596
+ "name": {
1597
+ "fields": {
1598
+ "text": {
1599
+ "norms": false,
1600
+ "type": "text"
1601
+ }
1602
+ },
1603
+ "ignore_above": 1024,
1604
+ "type": "keyword"
1605
+ }
1606
+ }
1607
+ },
1608
+ "os": {
1609
+ "properties": {
1610
+ "family": {
1611
+ "ignore_above": 1024,
1612
+ "type": "keyword"
1613
+ },
1614
+ "full": {
1615
+ "fields": {
1616
+ "text": {
1617
+ "norms": false,
1618
+ "type": "text"
1619
+ }
1620
+ },
1621
+ "ignore_above": 1024,
1622
+ "type": "keyword"
1623
+ },
1624
+ "kernel": {
1625
+ "ignore_above": 1024,
1626
+ "type": "keyword"
1627
+ },
1628
+ "name": {
1629
+ "fields": {
1630
+ "text": {
1631
+ "norms": false,
1632
+ "type": "text"
1633
+ }
1634
+ },
1635
+ "ignore_above": 1024,
1636
+ "type": "keyword"
1637
+ },
1638
+ "platform": {
1639
+ "ignore_above": 1024,
1640
+ "type": "keyword"
1641
+ },
1642
+ "version": {
1643
+ "ignore_above": 1024,
1644
+ "type": "keyword"
1645
+ }
1646
+ }
1647
+ },
1648
+ "package": {
1649
+ "properties": {
1650
+ "architecture": {
1651
+ "ignore_above": 1024,
1652
+ "type": "keyword"
1653
+ },
1654
+ "build_version": {
1655
+ "ignore_above": 1024,
1656
+ "type": "keyword"
1657
+ },
1658
+ "checksum": {
1659
+ "ignore_above": 1024,
1660
+ "type": "keyword"
1661
+ },
1662
+ "description": {
1663
+ "ignore_above": 1024,
1664
+ "type": "keyword"
1665
+ },
1666
+ "install_scope": {
1667
+ "ignore_above": 1024,
1668
+ "type": "keyword"
1669
+ },
1670
+ "installed": {
1671
+ "type": "date"
1672
+ },
1673
+ "license": {
1674
+ "ignore_above": 1024,
1675
+ "type": "keyword"
1676
+ },
1677
+ "name": {
1678
+ "ignore_above": 1024,
1679
+ "type": "keyword"
1680
+ },
1681
+ "path": {
1682
+ "ignore_above": 1024,
1683
+ "type": "keyword"
1684
+ },
1685
+ "reference": {
1686
+ "ignore_above": 1024,
1687
+ "type": "keyword"
1688
+ },
1689
+ "size": {
1690
+ "type": "long"
1691
+ },
1692
+ "type": {
1693
+ "ignore_above": 1024,
1694
+ "type": "keyword"
1695
+ },
1696
+ "version": {
1697
+ "ignore_above": 1024,
1698
+ "type": "keyword"
1699
+ }
1700
+ }
1701
+ },
1702
+ "pe": {
1703
+ "properties": {
1704
+ "company": {
1705
+ "ignore_above": 1024,
1706
+ "type": "keyword"
1707
+ },
1708
+ "description": {
1709
+ "ignore_above": 1024,
1710
+ "type": "keyword"
1711
+ },
1712
+ "file_version": {
1713
+ "ignore_above": 1024,
1714
+ "type": "keyword"
1715
+ },
1716
+ "original_file_name": {
1717
+ "ignore_above": 1024,
1718
+ "type": "keyword"
1719
+ },
1720
+ "product": {
1721
+ "ignore_above": 1024,
1722
+ "type": "keyword"
1723
+ }
1724
+ }
1725
+ },
1726
+ "process": {
1727
+ "properties": {
1728
+ "args": {
1729
+ "ignore_above": 1024,
1730
+ "type": "keyword"
1731
+ },
1732
+ "args_count": {
1733
+ "type": "long"
1734
+ },
1735
+ "code_signature": {
1736
+ "properties": {
1737
+ "exists": {
1738
+ "type": "boolean"
1739
+ },
1740
+ "status": {
1741
+ "ignore_above": 1024,
1742
+ "type": "keyword"
1743
+ },
1744
+ "subject_name": {
1745
+ "ignore_above": 1024,
1746
+ "type": "keyword"
1747
+ },
1748
+ "trusted": {
1749
+ "type": "boolean"
1750
+ },
1751
+ "valid": {
1752
+ "type": "boolean"
1753
+ }
1754
+ }
1755
+ },
1756
+ "command_line": {
1757
+ "fields": {
1758
+ "text": {
1759
+ "norms": false,
1760
+ "type": "text"
1761
+ }
1762
+ },
1763
+ "ignore_above": 1024,
1764
+ "type": "keyword"
1765
+ },
1766
+ "entity_id": {
1767
+ "ignore_above": 1024,
1768
+ "type": "keyword"
1769
+ },
1770
+ "executable": {
1771
+ "fields": {
1772
+ "text": {
1773
+ "norms": false,
1774
+ "type": "text"
1775
+ }
1776
+ },
1777
+ "ignore_above": 1024,
1778
+ "type": "keyword"
1779
+ },
1780
+ "exit_code": {
1781
+ "type": "long"
1782
+ },
1783
+ "hash": {
1784
+ "properties": {
1785
+ "md5": {
1786
+ "ignore_above": 1024,
1787
+ "type": "keyword"
1788
+ },
1789
+ "sha1": {
1790
+ "ignore_above": 1024,
1791
+ "type": "keyword"
1792
+ },
1793
+ "sha256": {
1794
+ "ignore_above": 1024,
1795
+ "type": "keyword"
1796
+ },
1797
+ "sha512": {
1798
+ "ignore_above": 1024,
1799
+ "type": "keyword"
1800
+ }
1801
+ }
1802
+ },
1803
+ "name": {
1804
+ "fields": {
1805
+ "text": {
1806
+ "norms": false,
1807
+ "type": "text"
1808
+ }
1809
+ },
1810
+ "ignore_above": 1024,
1811
+ "type": "keyword"
1812
+ },
1813
+ "parent": {
1814
+ "properties": {
1815
+ "args": {
1816
+ "ignore_above": 1024,
1817
+ "type": "keyword"
1818
+ },
1819
+ "args_count": {
1820
+ "type": "long"
1821
+ },
1822
+ "code_signature": {
1823
+ "properties": {
1824
+ "exists": {
1825
+ "type": "boolean"
1826
+ },
1827
+ "status": {
1828
+ "ignore_above": 1024,
1829
+ "type": "keyword"
1830
+ },
1831
+ "subject_name": {
1832
+ "ignore_above": 1024,
1833
+ "type": "keyword"
1834
+ },
1835
+ "trusted": {
1836
+ "type": "boolean"
1837
+ },
1838
+ "valid": {
1839
+ "type": "boolean"
1840
+ }
1841
+ }
1842
+ },
1843
+ "command_line": {
1844
+ "fields": {
1845
+ "text": {
1846
+ "norms": false,
1847
+ "type": "text"
1848
+ }
1849
+ },
1850
+ "ignore_above": 1024,
1851
+ "type": "keyword"
1852
+ },
1853
+ "entity_id": {
1854
+ "ignore_above": 1024,
1855
+ "type": "keyword"
1856
+ },
1857
+ "executable": {
1858
+ "fields": {
1859
+ "text": {
1860
+ "norms": false,
1861
+ "type": "text"
1862
+ }
1863
+ },
1864
+ "ignore_above": 1024,
1865
+ "type": "keyword"
1866
+ },
1867
+ "exit_code": {
1868
+ "type": "long"
1869
+ },
1870
+ "hash": {
1871
+ "properties": {
1872
+ "md5": {
1873
+ "ignore_above": 1024,
1874
+ "type": "keyword"
1875
+ },
1876
+ "sha1": {
1877
+ "ignore_above": 1024,
1878
+ "type": "keyword"
1879
+ },
1880
+ "sha256": {
1881
+ "ignore_above": 1024,
1882
+ "type": "keyword"
1883
+ },
1884
+ "sha512": {
1885
+ "ignore_above": 1024,
1886
+ "type": "keyword"
1887
+ }
1888
+ }
1889
+ },
1890
+ "name": {
1891
+ "fields": {
1892
+ "text": {
1893
+ "norms": false,
1894
+ "type": "text"
1895
+ }
1896
+ },
1897
+ "ignore_above": 1024,
1898
+ "type": "keyword"
1899
+ },
1900
+ "pgid": {
1901
+ "type": "long"
1902
+ },
1903
+ "pid": {
1904
+ "type": "long"
1905
+ },
1906
+ "ppid": {
1907
+ "type": "long"
1908
+ },
1909
+ "start": {
1910
+ "type": "date"
1911
+ },
1912
+ "thread": {
1913
+ "properties": {
1914
+ "id": {
1915
+ "type": "long"
1916
+ },
1917
+ "name": {
1918
+ "ignore_above": 1024,
1919
+ "type": "keyword"
1920
+ }
1921
+ }
1922
+ },
1923
+ "title": {
1924
+ "fields": {
1925
+ "text": {
1926
+ "norms": false,
1927
+ "type": "text"
1928
+ }
1929
+ },
1930
+ "ignore_above": 1024,
1931
+ "type": "keyword"
1932
+ },
1933
+ "uptime": {
1934
+ "type": "long"
1935
+ },
1936
+ "working_directory": {
1937
+ "fields": {
1938
+ "text": {
1939
+ "norms": false,
1940
+ "type": "text"
1941
+ }
1942
+ },
1943
+ "ignore_above": 1024,
1944
+ "type": "keyword"
1945
+ }
1946
+ }
1947
+ },
1948
+ "pe": {
1949
+ "properties": {
1950
+ "company": {
1951
+ "ignore_above": 1024,
1952
+ "type": "keyword"
1953
+ },
1954
+ "description": {
1955
+ "ignore_above": 1024,
1956
+ "type": "keyword"
1957
+ },
1958
+ "file_version": {
1959
+ "ignore_above": 1024,
1960
+ "type": "keyword"
1961
+ },
1962
+ "original_file_name": {
1963
+ "ignore_above": 1024,
1964
+ "type": "keyword"
1965
+ },
1966
+ "product": {
1967
+ "ignore_above": 1024,
1968
+ "type": "keyword"
1969
+ }
1970
+ }
1971
+ },
1972
+ "pgid": {
1973
+ "type": "long"
1974
+ },
1975
+ "pid": {
1976
+ "type": "long"
1977
+ },
1978
+ "ppid": {
1979
+ "type": "long"
1980
+ },
1981
+ "start": {
1982
+ "type": "date"
1983
+ },
1984
+ "thread": {
1985
+ "properties": {
1986
+ "id": {
1987
+ "type": "long"
1988
+ },
1989
+ "name": {
1990
+ "ignore_above": 1024,
1991
+ "type": "keyword"
1992
+ }
1993
+ }
1994
+ },
1995
+ "title": {
1996
+ "fields": {
1997
+ "text": {
1998
+ "norms": false,
1999
+ "type": "text"
2000
+ }
2001
+ },
2002
+ "ignore_above": 1024,
2003
+ "type": "keyword"
2004
+ },
2005
+ "uptime": {
2006
+ "type": "long"
2007
+ },
2008
+ "working_directory": {
2009
+ "fields": {
2010
+ "text": {
2011
+ "norms": false,
2012
+ "type": "text"
2013
+ }
2014
+ },
2015
+ "ignore_above": 1024,
2016
+ "type": "keyword"
2017
+ }
2018
+ }
2019
+ },
2020
+ "registry": {
2021
+ "properties": {
2022
+ "data": {
2023
+ "properties": {
2024
+ "bytes": {
2025
+ "ignore_above": 1024,
2026
+ "type": "keyword"
2027
+ },
2028
+ "strings": {
2029
+ "ignore_above": 1024,
2030
+ "type": "keyword"
2031
+ },
2032
+ "type": {
2033
+ "ignore_above": 1024,
2034
+ "type": "keyword"
2035
+ }
2036
+ }
2037
+ },
2038
+ "hive": {
2039
+ "ignore_above": 1024,
2040
+ "type": "keyword"
2041
+ },
2042
+ "key": {
2043
+ "ignore_above": 1024,
2044
+ "type": "keyword"
2045
+ },
2046
+ "path": {
2047
+ "ignore_above": 1024,
2048
+ "type": "keyword"
2049
+ },
2050
+ "value": {
2051
+ "ignore_above": 1024,
2052
+ "type": "keyword"
2053
+ }
2054
+ }
2055
+ },
2056
+ "related": {
2057
+ "properties": {
2058
+ "hash": {
2059
+ "ignore_above": 1024,
2060
+ "type": "keyword"
2061
+ },
2062
+ "ip": {
2063
+ "type": "ip"
2064
+ },
2065
+ "user": {
2066
+ "ignore_above": 1024,
2067
+ "type": "keyword"
2068
+ }
2069
+ }
2070
+ },
2071
+ "rule": {
2072
+ "properties": {
2073
+ "author": {
2074
+ "ignore_above": 1024,
2075
+ "type": "keyword"
2076
+ },
2077
+ "category": {
2078
+ "ignore_above": 1024,
2079
+ "type": "keyword"
2080
+ },
2081
+ "description": {
2082
+ "ignore_above": 1024,
2083
+ "type": "keyword"
2084
+ },
2085
+ "id": {
2086
+ "ignore_above": 1024,
2087
+ "type": "keyword"
2088
+ },
2089
+ "license": {
2090
+ "ignore_above": 1024,
2091
+ "type": "keyword"
2092
+ },
2093
+ "name": {
2094
+ "ignore_above": 1024,
2095
+ "type": "keyword"
2096
+ },
2097
+ "reference": {
2098
+ "ignore_above": 1024,
2099
+ "type": "keyword"
2100
+ },
2101
+ "ruleset": {
2102
+ "ignore_above": 1024,
2103
+ "type": "keyword"
2104
+ },
2105
+ "uuid": {
2106
+ "ignore_above": 1024,
2107
+ "type": "keyword"
2108
+ },
2109
+ "version": {
2110
+ "ignore_above": 1024,
2111
+ "type": "keyword"
2112
+ }
2113
+ }
2114
+ },
2115
+ "server": {
2116
+ "properties": {
2117
+ "address": {
2118
+ "ignore_above": 1024,
2119
+ "type": "keyword"
2120
+ },
2121
+ "as": {
2122
+ "properties": {
2123
+ "number": {
2124
+ "type": "long"
2125
+ },
2126
+ "organization": {
2127
+ "properties": {
2128
+ "name": {
2129
+ "fields": {
2130
+ "text": {
2131
+ "norms": false,
2132
+ "type": "text"
2133
+ }
2134
+ },
2135
+ "ignore_above": 1024,
2136
+ "type": "keyword"
2137
+ }
2138
+ }
2139
+ }
2140
+ }
2141
+ },
2142
+ "bytes": {
2143
+ "type": "long"
2144
+ },
2145
+ "domain": {
2146
+ "ignore_above": 1024,
2147
+ "type": "keyword"
2148
+ },
2149
+ "geo": {
2150
+ "properties": {
2151
+ "city_name": {
2152
+ "ignore_above": 1024,
2153
+ "type": "keyword"
2154
+ },
2155
+ "continent_name": {
2156
+ "ignore_above": 1024,
2157
+ "type": "keyword"
2158
+ },
2159
+ "country_iso_code": {
2160
+ "ignore_above": 1024,
2161
+ "type": "keyword"
2162
+ },
2163
+ "country_name": {
2164
+ "ignore_above": 1024,
2165
+ "type": "keyword"
2166
+ },
2167
+ "location": {
2168
+ "type": "geo_point"
2169
+ },
2170
+ "name": {
2171
+ "ignore_above": 1024,
2172
+ "type": "keyword"
2173
+ },
2174
+ "region_iso_code": {
2175
+ "ignore_above": 1024,
2176
+ "type": "keyword"
2177
+ },
2178
+ "region_name": {
2179
+ "ignore_above": 1024,
2180
+ "type": "keyword"
2181
+ }
2182
+ }
2183
+ },
2184
+ "ip": {
2185
+ "type": "ip"
2186
+ },
2187
+ "mac": {
2188
+ "ignore_above": 1024,
2189
+ "type": "keyword"
2190
+ },
2191
+ "nat": {
2192
+ "properties": {
2193
+ "ip": {
2194
+ "type": "ip"
2195
+ },
2196
+ "port": {
2197
+ "type": "long"
2198
+ }
2199
+ }
2200
+ },
2201
+ "packets": {
2202
+ "type": "long"
2203
+ },
2204
+ "port": {
2205
+ "type": "long"
2206
+ },
2207
+ "registered_domain": {
2208
+ "ignore_above": 1024,
2209
+ "type": "keyword"
2210
+ },
2211
+ "top_level_domain": {
2212
+ "ignore_above": 1024,
2213
+ "type": "keyword"
2214
+ },
2215
+ "user": {
2216
+ "properties": {
2217
+ "domain": {
2218
+ "ignore_above": 1024,
2219
+ "type": "keyword"
2220
+ },
2221
+ "email": {
2222
+ "ignore_above": 1024,
2223
+ "type": "keyword"
2224
+ },
2225
+ "full_name": {
2226
+ "fields": {
2227
+ "text": {
2228
+ "norms": false,
2229
+ "type": "text"
2230
+ }
2231
+ },
2232
+ "ignore_above": 1024,
2233
+ "type": "keyword"
2234
+ },
2235
+ "group": {
2236
+ "properties": {
2237
+ "domain": {
2238
+ "ignore_above": 1024,
2239
+ "type": "keyword"
2240
+ },
2241
+ "id": {
2242
+ "ignore_above": 1024,
2243
+ "type": "keyword"
2244
+ },
2245
+ "name": {
2246
+ "ignore_above": 1024,
2247
+ "type": "keyword"
2248
+ }
2249
+ }
2250
+ },
2251
+ "hash": {
2252
+ "ignore_above": 1024,
2253
+ "type": "keyword"
2254
+ },
2255
+ "id": {
2256
+ "ignore_above": 1024,
2257
+ "type": "keyword"
2258
+ },
2259
+ "name": {
2260
+ "fields": {
2261
+ "text": {
2262
+ "norms": false,
2263
+ "type": "text"
2264
+ }
2265
+ },
2266
+ "ignore_above": 1024,
2267
+ "type": "keyword"
2268
+ }
2269
+ }
2270
+ }
2271
+ }
2272
+ },
2273
+ "service": {
2274
+ "properties": {
2275
+ "ephemeral_id": {
2276
+ "ignore_above": 1024,
2277
+ "type": "keyword"
2278
+ },
2279
+ "id": {
2280
+ "ignore_above": 1024,
2281
+ "type": "keyword"
2282
+ },
2283
+ "name": {
2284
+ "ignore_above": 1024,
2285
+ "type": "keyword"
2286
+ },
2287
+ "node": {
2288
+ "properties": {
2289
+ "name": {
2290
+ "ignore_above": 1024,
2291
+ "type": "keyword"
2292
+ }
2293
+ }
2294
+ },
2295
+ "state": {
2296
+ "ignore_above": 1024,
2297
+ "type": "keyword"
2298
+ },
2299
+ "type": {
2300
+ "ignore_above": 1024,
2301
+ "type": "keyword"
2302
+ },
2303
+ "version": {
2304
+ "ignore_above": 1024,
2305
+ "type": "keyword"
2306
+ }
2307
+ }
2308
+ },
2309
+ "source": {
2310
+ "properties": {
2311
+ "address": {
2312
+ "ignore_above": 1024,
2313
+ "type": "keyword"
2314
+ },
2315
+ "as": {
2316
+ "properties": {
2317
+ "number": {
2318
+ "type": "long"
2319
+ },
2320
+ "organization": {
2321
+ "properties": {
2322
+ "name": {
2323
+ "fields": {
2324
+ "text": {
2325
+ "norms": false,
2326
+ "type": "text"
2327
+ }
2328
+ },
2329
+ "ignore_above": 1024,
2330
+ "type": "keyword"
2331
+ }
2332
+ }
2333
+ }
2334
+ }
2335
+ },
2336
+ "bytes": {
2337
+ "type": "long"
2338
+ },
2339
+ "domain": {
2340
+ "ignore_above": 1024,
2341
+ "type": "keyword"
2342
+ },
2343
+ "geo": {
2344
+ "properties": {
2345
+ "city_name": {
2346
+ "ignore_above": 1024,
2347
+ "type": "keyword"
2348
+ },
2349
+ "continent_name": {
2350
+ "ignore_above": 1024,
2351
+ "type": "keyword"
2352
+ },
2353
+ "country_iso_code": {
2354
+ "ignore_above": 1024,
2355
+ "type": "keyword"
2356
+ },
2357
+ "country_name": {
2358
+ "ignore_above": 1024,
2359
+ "type": "keyword"
2360
+ },
2361
+ "location": {
2362
+ "type": "geo_point"
2363
+ },
2364
+ "name": {
2365
+ "ignore_above": 1024,
2366
+ "type": "keyword"
2367
+ },
2368
+ "region_iso_code": {
2369
+ "ignore_above": 1024,
2370
+ "type": "keyword"
2371
+ },
2372
+ "region_name": {
2373
+ "ignore_above": 1024,
2374
+ "type": "keyword"
2375
+ }
2376
+ }
2377
+ },
2378
+ "ip": {
2379
+ "type": "ip"
2380
+ },
2381
+ "mac": {
2382
+ "ignore_above": 1024,
2383
+ "type": "keyword"
2384
+ },
2385
+ "nat": {
2386
+ "properties": {
2387
+ "ip": {
2388
+ "type": "ip"
2389
+ },
2390
+ "port": {
2391
+ "type": "long"
2392
+ }
2393
+ }
2394
+ },
2395
+ "packets": {
2396
+ "type": "long"
2397
+ },
2398
+ "port": {
2399
+ "type": "long"
2400
+ },
2401
+ "registered_domain": {
2402
+ "ignore_above": 1024,
2403
+ "type": "keyword"
2404
+ },
2405
+ "top_level_domain": {
2406
+ "ignore_above": 1024,
2407
+ "type": "keyword"
2408
+ },
2409
+ "user": {
2410
+ "properties": {
2411
+ "domain": {
2412
+ "ignore_above": 1024,
2413
+ "type": "keyword"
2414
+ },
2415
+ "email": {
2416
+ "ignore_above": 1024,
2417
+ "type": "keyword"
2418
+ },
2419
+ "full_name": {
2420
+ "fields": {
2421
+ "text": {
2422
+ "norms": false,
2423
+ "type": "text"
2424
+ }
2425
+ },
2426
+ "ignore_above": 1024,
2427
+ "type": "keyword"
2428
+ },
2429
+ "group": {
2430
+ "properties": {
2431
+ "domain": {
2432
+ "ignore_above": 1024,
2433
+ "type": "keyword"
2434
+ },
2435
+ "id": {
2436
+ "ignore_above": 1024,
2437
+ "type": "keyword"
2438
+ },
2439
+ "name": {
2440
+ "ignore_above": 1024,
2441
+ "type": "keyword"
2442
+ }
2443
+ }
2444
+ },
2445
+ "hash": {
2446
+ "ignore_above": 1024,
2447
+ "type": "keyword"
2448
+ },
2449
+ "id": {
2450
+ "ignore_above": 1024,
2451
+ "type": "keyword"
2452
+ },
2453
+ "name": {
2454
+ "fields": {
2455
+ "text": {
2456
+ "norms": false,
2457
+ "type": "text"
2458
+ }
2459
+ },
2460
+ "ignore_above": 1024,
2461
+ "type": "keyword"
2462
+ }
2463
+ }
2464
+ }
2465
+ }
2466
+ },
2467
+ "tags": {
2468
+ "ignore_above": 1024,
2469
+ "type": "keyword"
2470
+ },
2471
+ "threat": {
2472
+ "properties": {
2473
+ "framework": {
2474
+ "ignore_above": 1024,
2475
+ "type": "keyword"
2476
+ },
2477
+ "tactic": {
2478
+ "properties": {
2479
+ "id": {
2480
+ "ignore_above": 1024,
2481
+ "type": "keyword"
2482
+ },
2483
+ "name": {
2484
+ "ignore_above": 1024,
2485
+ "type": "keyword"
2486
+ },
2487
+ "reference": {
2488
+ "ignore_above": 1024,
2489
+ "type": "keyword"
2490
+ }
2491
+ }
2492
+ },
2493
+ "technique": {
2494
+ "properties": {
2495
+ "id": {
2496
+ "ignore_above": 1024,
2497
+ "type": "keyword"
2498
+ },
2499
+ "name": {
2500
+ "fields": {
2501
+ "text": {
2502
+ "norms": false,
2503
+ "type": "text"
2504
+ }
2505
+ },
2506
+ "ignore_above": 1024,
2507
+ "type": "keyword"
2508
+ },
2509
+ "reference": {
2510
+ "ignore_above": 1024,
2511
+ "type": "keyword"
2512
+ }
2513
+ }
2514
+ }
2515
+ }
2516
+ },
2517
+ "tls": {
2518
+ "properties": {
2519
+ "cipher": {
2520
+ "ignore_above": 1024,
2521
+ "type": "keyword"
2522
+ },
2523
+ "client": {
2524
+ "properties": {
2525
+ "certificate": {
2526
+ "ignore_above": 1024,
2527
+ "type": "keyword"
2528
+ },
2529
+ "certificate_chain": {
2530
+ "ignore_above": 1024,
2531
+ "type": "keyword"
2532
+ },
2533
+ "hash": {
2534
+ "properties": {
2535
+ "md5": {
2536
+ "ignore_above": 1024,
2537
+ "type": "keyword"
2538
+ },
2539
+ "sha1": {
2540
+ "ignore_above": 1024,
2541
+ "type": "keyword"
2542
+ },
2543
+ "sha256": {
2544
+ "ignore_above": 1024,
2545
+ "type": "keyword"
2546
+ }
2547
+ }
2548
+ },
2549
+ "issuer": {
2550
+ "ignore_above": 1024,
2551
+ "type": "keyword"
2552
+ },
2553
+ "ja3": {
2554
+ "ignore_above": 1024,
2555
+ "type": "keyword"
2556
+ },
2557
+ "not_after": {
2558
+ "type": "date"
2559
+ },
2560
+ "not_before": {
2561
+ "type": "date"
2562
+ },
2563
+ "server_name": {
2564
+ "ignore_above": 1024,
2565
+ "type": "keyword"
2566
+ },
2567
+ "subject": {
2568
+ "ignore_above": 1024,
2569
+ "type": "keyword"
2570
+ },
2571
+ "supported_ciphers": {
2572
+ "ignore_above": 1024,
2573
+ "type": "keyword"
2574
+ }
2575
+ }
2576
+ },
2577
+ "curve": {
2578
+ "ignore_above": 1024,
2579
+ "type": "keyword"
2580
+ },
2581
+ "established": {
2582
+ "type": "boolean"
2583
+ },
2584
+ "next_protocol": {
2585
+ "ignore_above": 1024,
2586
+ "type": "keyword"
2587
+ },
2588
+ "resumed": {
2589
+ "type": "boolean"
2590
+ },
2591
+ "server": {
2592
+ "properties": {
2593
+ "certificate": {
2594
+ "ignore_above": 1024,
2595
+ "type": "keyword"
2596
+ },
2597
+ "certificate_chain": {
2598
+ "ignore_above": 1024,
2599
+ "type": "keyword"
2600
+ },
2601
+ "hash": {
2602
+ "properties": {
2603
+ "md5": {
2604
+ "ignore_above": 1024,
2605
+ "type": "keyword"
2606
+ },
2607
+ "sha1": {
2608
+ "ignore_above": 1024,
2609
+ "type": "keyword"
2610
+ },
2611
+ "sha256": {
2612
+ "ignore_above": 1024,
2613
+ "type": "keyword"
2614
+ }
2615
+ }
2616
+ },
2617
+ "issuer": {
2618
+ "ignore_above": 1024,
2619
+ "type": "keyword"
2620
+ },
2621
+ "ja3s": {
2622
+ "ignore_above": 1024,
2623
+ "type": "keyword"
2624
+ },
2625
+ "not_after": {
2626
+ "type": "date"
2627
+ },
2628
+ "not_before": {
2629
+ "type": "date"
2630
+ },
2631
+ "subject": {
2632
+ "ignore_above": 1024,
2633
+ "type": "keyword"
2634
+ }
2635
+ }
2636
+ },
2637
+ "version": {
2638
+ "ignore_above": 1024,
2639
+ "type": "keyword"
2640
+ },
2641
+ "version_protocol": {
2642
+ "ignore_above": 1024,
2643
+ "type": "keyword"
2644
+ }
2645
+ }
2646
+ },
2647
+ "trace": {
2648
+ "properties": {
2649
+ "id": {
2650
+ "ignore_above": 1024,
2651
+ "type": "keyword"
2652
+ }
2653
+ }
2654
+ },
2655
+ "transaction": {
2656
+ "properties": {
2657
+ "id": {
2658
+ "ignore_above": 1024,
2659
+ "type": "keyword"
2660
+ }
2661
+ }
2662
+ },
2663
+ "url": {
2664
+ "properties": {
2665
+ "domain": {
2666
+ "ignore_above": 1024,
2667
+ "type": "keyword"
2668
+ },
2669
+ "extension": {
2670
+ "ignore_above": 1024,
2671
+ "type": "keyword"
2672
+ },
2673
+ "fragment": {
2674
+ "ignore_above": 1024,
2675
+ "type": "keyword"
2676
+ },
2677
+ "full": {
2678
+ "fields": {
2679
+ "text": {
2680
+ "norms": false,
2681
+ "type": "text"
2682
+ }
2683
+ },
2684
+ "ignore_above": 1024,
2685
+ "type": "keyword"
2686
+ },
2687
+ "original": {
2688
+ "fields": {
2689
+ "text": {
2690
+ "norms": false,
2691
+ "type": "text"
2692
+ }
2693
+ },
2694
+ "ignore_above": 1024,
2695
+ "type": "keyword"
2696
+ },
2697
+ "password": {
2698
+ "ignore_above": 1024,
2699
+ "type": "keyword"
2700
+ },
2701
+ "path": {
2702
+ "ignore_above": 1024,
2703
+ "type": "keyword"
2704
+ },
2705
+ "port": {
2706
+ "type": "long"
2707
+ },
2708
+ "query": {
2709
+ "ignore_above": 1024,
2710
+ "type": "keyword"
2711
+ },
2712
+ "registered_domain": {
2713
+ "ignore_above": 1024,
2714
+ "type": "keyword"
2715
+ },
2716
+ "scheme": {
2717
+ "ignore_above": 1024,
2718
+ "type": "keyword"
2719
+ },
2720
+ "top_level_domain": {
2721
+ "ignore_above": 1024,
2722
+ "type": "keyword"
2723
+ },
2724
+ "username": {
2725
+ "ignore_above": 1024,
2726
+ "type": "keyword"
2727
+ }
2728
+ }
2729
+ },
2730
+ "user": {
2731
+ "properties": {
2732
+ "domain": {
2733
+ "ignore_above": 1024,
2734
+ "type": "keyword"
2735
+ },
2736
+ "email": {
2737
+ "ignore_above": 1024,
2738
+ "type": "keyword"
2739
+ },
2740
+ "full_name": {
2741
+ "fields": {
2742
+ "text": {
2743
+ "norms": false,
2744
+ "type": "text"
2745
+ }
2746
+ },
2747
+ "ignore_above": 1024,
2748
+ "type": "keyword"
2749
+ },
2750
+ "group": {
2751
+ "properties": {
2752
+ "domain": {
2753
+ "ignore_above": 1024,
2754
+ "type": "keyword"
2755
+ },
2756
+ "id": {
2757
+ "ignore_above": 1024,
2758
+ "type": "keyword"
2759
+ },
2760
+ "name": {
2761
+ "ignore_above": 1024,
2762
+ "type": "keyword"
2763
+ }
2764
+ }
2765
+ },
2766
+ "hash": {
2767
+ "ignore_above": 1024,
2768
+ "type": "keyword"
2769
+ },
2770
+ "id": {
2771
+ "ignore_above": 1024,
2772
+ "type": "keyword"
2773
+ },
2774
+ "name": {
2775
+ "fields": {
2776
+ "text": {
2777
+ "norms": false,
2778
+ "type": "text"
2779
+ }
2780
+ },
2781
+ "ignore_above": 1024,
2782
+ "type": "keyword"
2783
+ }
2784
+ }
2785
+ },
2786
+ "user_agent": {
2787
+ "properties": {
2788
+ "device": {
2789
+ "properties": {
2790
+ "name": {
2791
+ "ignore_above": 1024,
2792
+ "type": "keyword"
2793
+ }
2794
+ }
2795
+ },
2796
+ "name": {
2797
+ "ignore_above": 1024,
2798
+ "type": "keyword"
2799
+ },
2800
+ "original": {
2801
+ "fields": {
2802
+ "text": {
2803
+ "norms": false,
2804
+ "type": "text"
2805
+ }
2806
+ },
2807
+ "ignore_above": 1024,
2808
+ "type": "keyword"
2809
+ },
2810
+ "os": {
2811
+ "properties": {
2812
+ "family": {
2813
+ "ignore_above": 1024,
2814
+ "type": "keyword"
2815
+ },
2816
+ "full": {
2817
+ "fields": {
2818
+ "text": {
2819
+ "norms": false,
2820
+ "type": "text"
2821
+ }
2822
+ },
2823
+ "ignore_above": 1024,
2824
+ "type": "keyword"
2825
+ },
2826
+ "kernel": {
2827
+ "ignore_above": 1024,
2828
+ "type": "keyword"
2829
+ },
2830
+ "name": {
2831
+ "fields": {
2832
+ "text": {
2833
+ "norms": false,
2834
+ "type": "text"
2835
+ }
2836
+ },
2837
+ "ignore_above": 1024,
2838
+ "type": "keyword"
2839
+ },
2840
+ "platform": {
2841
+ "ignore_above": 1024,
2842
+ "type": "keyword"
2843
+ },
2844
+ "version": {
2845
+ "ignore_above": 1024,
2846
+ "type": "keyword"
2847
+ }
2848
+ }
2849
+ },
2850
+ "version": {
2851
+ "ignore_above": 1024,
2852
+ "type": "keyword"
2853
+ }
2854
+ }
2855
+ },
2856
+ "vlan": {
2857
+ "properties": {
2858
+ "id": {
2859
+ "ignore_above": 1024,
2860
+ "type": "keyword"
2861
+ },
2862
+ "name": {
2863
+ "ignore_above": 1024,
2864
+ "type": "keyword"
2865
+ }
2866
+ }
2867
+ },
2868
+ "vulnerability": {
2869
+ "properties": {
2870
+ "category": {
2871
+ "ignore_above": 1024,
2872
+ "type": "keyword"
2873
+ },
2874
+ "classification": {
2875
+ "ignore_above": 1024,
2876
+ "type": "keyword"
2877
+ },
2878
+ "description": {
2879
+ "fields": {
2880
+ "text": {
2881
+ "norms": false,
2882
+ "type": "text"
2883
+ }
2884
+ },
2885
+ "ignore_above": 1024,
2886
+ "type": "keyword"
2887
+ },
2888
+ "enumeration": {
2889
+ "ignore_above": 1024,
2890
+ "type": "keyword"
2891
+ },
2892
+ "id": {
2893
+ "ignore_above": 1024,
2894
+ "type": "keyword"
2895
+ },
2896
+ "reference": {
2897
+ "ignore_above": 1024,
2898
+ "type": "keyword"
2899
+ },
2900
+ "report_id": {
2901
+ "ignore_above": 1024,
2902
+ "type": "keyword"
2903
+ },
2904
+ "scanner": {
2905
+ "properties": {
2906
+ "vendor": {
2907
+ "ignore_above": 1024,
2908
+ "type": "keyword"
2909
+ }
2910
+ }
2911
+ },
2912
+ "score": {
2913
+ "properties": {
2914
+ "base": {
2915
+ "type": "float"
2916
+ },
2917
+ "environmental": {
2918
+ "type": "float"
2919
+ },
2920
+ "temporal": {
2921
+ "type": "float"
2922
+ },
2923
+ "version": {
2924
+ "ignore_above": 1024,
2925
+ "type": "keyword"
2926
+ }
2927
+ }
2928
+ },
2929
+ "severity": {
2930
+ "ignore_above": 1024,
2931
+ "type": "keyword"
2932
+ }
2933
+ }
2934
+ }
2935
+ }
2936
+ },
2937
+ "order": 1,
2938
+ "settings": {
2939
+ "index": {
2940
+ "mapping": {
2941
+ "total_fields": {
2942
+ "limit": 10000
2943
+ }
2944
+ },
2945
+ "refresh_interval": "5s"
2946
+ }
2947
+ }
2948
+ }
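Review bot: `url.password` (in the `url` block of this hunk) is mapped as an indexed `keyword` with doc values, so any credential that appears in a logged URL becomes searchable and is retained in the index; either have the ingest side drop or redact it before the document is written, or map it the way `log.original` is mapped earlier in this hunk (`"doc_values": false`, `"index": false`) so it is stored but not queryable. Two smaller points: `process.args` and `process.parent.args` are `keyword` with `ignore_above: 1024` and no `text` subfield, so argument values longer than 1024 characters are silently not indexed and will not match detection queries (the `command_line` fields at least keep a `text` subfield); and `labels` is a bare `"type": "object"` with no `dynamic` setting under a `total_fields.limit` of 10000, so a producer that emits arbitrary label keys can grow the mapping up to that limit, which is worth a comment or a `dynamic: false` on that field.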