Index template script
This code creates a new index template for temporarily storing existing detection alerts while you update the index mappings for the detection alert indices. You need to update the index mappings to visualize process relationships after upgrading to Elastic Stack release 7.9.0 or 7.9.1 from a previous minor release (7.8.x, 7.7.x, and so on).
In Elastic Stack version 8.0.0, the system index for detection alerts was renamed from .siem-signals-<Kibana space> to .alerts-security.alerts-<Kibana space>.
PUT _template/temp-signals
{
"order": 0,
"index_patterns": ["temp-signals"],
"settings": {
"index": {
"mapping": {
"total_fields": {
"limit": "10000"
}
}
}
},
"mappings": {
"dynamic": false,
"properties": {
"container": {
"properties": {
"image": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"tag": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"runtime": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"labels": {
"type": "object"
}
}
},
"server": {
"properties": {
"nat": {
"properties": {
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"agent": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"log": {
"properties": {
"original": {
"ignore_above": 1024,
"index": false,
"type": "keyword",
"doc_values": false
},
"level": {
"ignore_above": 1024,
"type": "keyword"
},
"logger": {
"ignore_above": 1024,
"type": "keyword"
},
"origin": {
"properties": {
"file": {
"properties": {
"line": {
"type": "integer"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"function": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"syslog": {
"type": "object",
"properties": {
"severity": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"priority": {
"type": "long"
},
"facility": {
"properties": {
"code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"destination": {
"properties": {
"nat": {
"properties": {
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"rule": {
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ruleset": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"uuid": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"source": {
"properties": {
"nat": {
"properties": {
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"error": {
"properties": {
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"stack_trace": {
"ignore_above": 1024,
"index": false,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword",
"doc_values": false
},
"message": {
"norms": false,
"type": "text"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"network": {
"properties": {
"community_id": {
"ignore_above": 1024,
"type": "keyword"
},
"forwarded_ip": {
"type": "ip"
},
"protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"application": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"transport": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"iana_number": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"direction": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"cloud": {
"properties": {
"availability_zone": {
"ignore_above": 1024,
"type": "keyword"
},
"instance": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"machine": {
"properties": {
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"region": {
"ignore_above": 1024,
"type": "keyword"
},
"account": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"observer": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"product": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
},
"vendor": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"serial_number": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"trace": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"file": {
"properties": {
"owner": {
"ignore_above": 1024,
"type": "keyword"
},
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"gid": {
"ignore_above": 1024,
"type": "keyword"
},
"drive_letter": {
"ignore_above": 1,
"type": "keyword"
},
"created": {
"type": "date"
},
"accessed": {
"type": "date"
},
"mtime": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"directory": {
"ignore_above": 1024,
"type": "keyword"
},
"target_path": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"inode": {
"ignore_above": 1024,
"type": "keyword"
},
"mode": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"uid": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"ctime": {
"type": "date"
},
"attributes": {
"ignore_above": 1024,
"type": "keyword"
},
"device": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"ecs": {
"properties": {
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"related": {
"properties": {
"ip": {
"type": "ip"
},
"user": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"host": {
"properties": {
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"hostname": {
"ignore_above": 1024,
"type": "keyword"
},
"os": {
"properties": {
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
},
"uptime": {
"type": "long"
}
}
},
"client": {
"properties": {
"nat": {
"properties": {
"port": {
"type": "long"
},
"ip": {
"type": "ip"
}
}
},
"address": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"ip": {
"type": "ip"
},
"mac": {
"ignore_above": 1024,
"type": "keyword"
},
"packets": {
"type": "long"
},
"geo": {
"properties": {
"continent_name": {
"ignore_above": 1024,
"type": "keyword"
},
"region_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"city_name": {
"ignore_above": 1024,
"type": "keyword"
},
"country_iso_code": {
"ignore_above": 1024,
"type": "keyword"
},
"country_name": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"location": {
"type": "geo_point"
},
"region_name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"bytes": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
}
}
},
"event": {
"properties": {
"severity": {
"type": "long"
},
"code": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"index": false,
"type": "keyword",
"doc_values": false
},
"risk_score": {
"type": "float"
},
"created": {
"type": "date"
},
"kind": {
"ignore_above": 1024,
"type": "keyword"
},
"timezone": {
"ignore_above": 1024,
"type": "keyword"
},
"module": {
"ignore_above": 1024,
"type": "keyword"
},
"start": {
"type": "date"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"duration": {
"type": "long"
},
"sequence": {
"type": "long"
},
"ingested": {
"type": "date"
},
"provider": {
"ignore_above": 1024,
"type": "keyword"
},
"risk_score_norm": {
"type": "float"
},
"action": {
"ignore_above": 1024,
"type": "keyword"
},
"end": {
"type": "date"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"dataset": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"outcome": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"signal": {
"properties": {
"parent": {
"properties": {
"depth": {
"type": "long"
},
"rule": {
"type": "keyword"
},
"index": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"rule": {
"properties": {
"references": {
"type": "keyword"
},
"description": {
"type": "keyword"
},
"created_at": {
"type": "date"
},
"language": {
"type": "keyword"
},
"type": {
"type": "keyword"
},
"enabled": {
"type": "keyword"
},
"updated_at": {
"type": "date"
},
"from": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"timeline_id": {
"type": "keyword"
},
"max_signals": {
"type": "keyword"
},
"severity": {
"type": "keyword"
},
"risk_score": {
"type": "keyword"
},
"query": {
"type": "keyword"
},
"index": {
"type": "keyword"
},
"filters": {
"type": "object"
},
"created_by": {
"type": "keyword"
},
"version": {
"type": "keyword"
},
"saved_id": {
"type": "keyword"
},
"tags": {
"type": "keyword"
},
"rule_id": {
"type": "keyword"
},
"immutable": {
"type": "keyword"
},
"size": {
"type": "keyword"
},
"timeline_title": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"updated_by": {
"type": "keyword"
},
"interval": {
"type": "keyword"
},
"false_positives": {
"type": "keyword"
},
"threat": {
"properties": {
"framework": {
"type": "keyword"
},
"technique": {
"properties": {
"reference": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
},
"tactic": {
"properties": {
"reference": {
"type": "keyword"
},
"name": {
"type": "keyword"
},
"id": {
"type": "keyword"
}
}
}
}
},
"to": {
"type": "keyword"
}
}
},
"original_time": {
"type": "date"
},
"ancestors": {
"properties": {
"depth": {
"type": "long"
},
"rule": {
"type": "keyword"
},
"id": {
"type": "keyword"
},
"type": {
"type": "keyword"
}
}
},
"original_event": {
"properties": {
"severity": {
"type": "long"
},
"code": {
"type": "keyword"
},
"original": {
"index": false,
"type": "keyword",
"doc_values": false
},
"risk_score": {
"type": "float"
},
"created": {
"type": "date"
},
"kind": {
"type": "keyword"
},
"timezone": {
"type": "keyword"
},
"module": {
"type": "keyword"
},
"start": {
"type": "date"
},
"type": {
"type": "keyword"
},
"duration": {
"type": "long"
},
"sequence": {
"type": "long"
},
"provider": {
"type": "keyword"
},
"risk_score_norm": {
"type": "float"
},
"action": {
"type": "keyword"
},
"end": {
"type": "date"
},
"id": {
"type": "keyword"
},
"category": {
"type": "keyword"
},
"dataset": {
"type": "keyword"
},
"hash": {
"type": "keyword"
},
"outcome": {
"type": "keyword"
}
}
},
"status": {
"type": "keyword"
}
}
},
"user_agent": {
"properties": {
"original": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"os": {
"properties": {
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"device": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"registry": {
"properties": {
"hive": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"data": {
"properties": {
"strings": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"value": {
"ignore_above": 1024,
"type": "keyword"
},
"key": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"process": {
"properties": {
"parent": {
"properties": {
"pgid": {
"type": "long"
},
"start": {
"type": "date"
},
"pid": {
"type": "long"
},
"working_directory": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"thread": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"type": "long"
}
}
},
"title": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"executable": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"ppid": {
"type": "long"
},
"uptime": {
"type": "long"
},
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"args_count": {
"type": "long"
},
"command_line": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
},
"pgid": {
"type": "long"
},
"start": {
"type": "date"
},
"pid": {
"type": "long"
},
"working_directory": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"thread": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"type": "long"
}
}
},
"title": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"executable": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"ppid": {
"type": "long"
},
"uptime": {
"type": "long"
},
"args": {
"ignore_above": 1024,
"type": "keyword"
},
"exit_code": {
"type": "long"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"args_count": {
"type": "long"
},
"command_line": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"package": {
"properties": {
"installed": {
"type": "date"
},
"build_version": {
"ignore_above": 1024,
"type": "keyword"
},
"description": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"license": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"install_scope": {
"ignore_above": 1024,
"type": "keyword"
},
"size": {
"type": "long"
},
"checksum": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"architecture": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"os": {
"properties": {
"kernel": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"family": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"platform": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
},
"dns": {
"properties": {
"op_code": {
"ignore_above": 1024,
"type": "keyword"
},
"resolved_ip": {
"type": "ip"
},
"response_code": {
"ignore_above": 1024,
"type": "keyword"
},
"question": {
"properties": {
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"subdomain": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"answers": {
"type": "object",
"properties": {
"data": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"class": {
"ignore_above": 1024,
"type": "keyword"
},
"ttl": {
"type": "long"
}
}
},
"header_flags": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"vulnerability": {
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"severity": {
"ignore_above": 1024,
"type": "keyword"
},
"score": {
"properties": {
"environmental": {
"type": "float"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"temporal": {
"type": "float"
},
"base": {
"type": "float"
}
}
},
"report_id": {
"ignore_above": 1024,
"type": "keyword"
},
"scanner": {
"properties": {
"vendor": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"description": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"category": {
"ignore_above": 1024,
"type": "keyword"
},
"classification": {
"ignore_above": 1024,
"type": "keyword"
},
"enumeration": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"message": {
"norms": false,
"type": "text"
},
"url": {
"properties": {
"extension": {
"ignore_above": 1024,
"type": "keyword"
},
"original": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"scheme": {
"ignore_above": 1024,
"type": "keyword"
},
"top_level_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"query": {
"ignore_above": 1024,
"type": "keyword"
},
"path": {
"ignore_above": 1024,
"type": "keyword"
},
"fragment": {
"ignore_above": 1024,
"type": "keyword"
},
"password": {
"ignore_above": 1024,
"type": "keyword"
},
"registered_domain": {
"ignore_above": 1024,
"type": "keyword"
},
"port": {
"type": "long"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"full": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"username": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"labels": {
"type": "object"
},
"tags": {
"ignore_above": 1024,
"type": "keyword"
},
"as": {
"properties": {
"number": {
"type": "long"
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"@timestamp": {
"type": "date"
},
"service": {
"properties": {
"node": {
"properties": {
"name": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"state": {
"ignore_above": 1024,
"type": "keyword"
},
"ephemeral_id": {
"ignore_above": 1024,
"type": "keyword"
},
"type": {
"ignore_above": 1024,
"type": "keyword"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"organization": {
"properties": {
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"http": {
"properties": {
"request": {
"properties": {
"referrer": {
"ignore_above": 1024,
"type": "keyword"
},
"method": {
"ignore_above": 1024,
"type": "keyword"
},
"bytes": {
"type": "long"
},
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"response": {
"properties": {
"status_code": {
"type": "long"
},
"bytes": {
"type": "long"
},
"body": {
"properties": {
"bytes": {
"type": "long"
},
"content": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
}
}
}
}
},
"version": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tls": {
"properties": {
"cipher": {
"ignore_above": 1024,
"type": "keyword"
},
"established": {
"type": "boolean"
},
"server": {
"properties": {
"not_after": {
"type": "date"
},
"ja3s": {
"ignore_above": 1024,
"type": "keyword"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"curve": {
"ignore_above": 1024,
"type": "keyword"
},
"client": {
"properties": {
"not_after": {
"type": "date"
},
"server_name": {
"ignore_above": 1024,
"type": "keyword"
},
"not_before": {
"type": "date"
},
"subject": {
"ignore_above": 1024,
"type": "keyword"
},
"supported_ciphers": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate": {
"ignore_above": 1024,
"type": "keyword"
},
"ja3": {
"ignore_above": 1024,
"type": "keyword"
},
"certificate_chain": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"issuer": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"next_protocol": {
"ignore_above": 1024,
"type": "keyword"
},
"resumed": {
"type": "boolean"
},
"version": {
"ignore_above": 1024,
"type": "keyword"
},
"version_protocol": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"threat": {
"properties": {
"framework": {
"ignore_above": 1024,
"type": "keyword"
},
"technique": {
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"tactic": {
"properties": {
"reference": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"user": {
"properties": {
"full_name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"fields": {
"text": {
"norms": false,
"type": "text"
}
},
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
},
"email": {
"ignore_above": 1024,
"type": "keyword"
},
"hash": {
"ignore_above": 1024,
"type": "keyword"
},
"group": {
"properties": {
"domain": {
"ignore_above": 1024,
"type": "keyword"
},
"name": {
"ignore_above": 1024,
"type": "keyword"
},
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"hash": {
"properties": {
"sha1": {
"ignore_above": 1024,
"type": "keyword"
},
"sha256": {
"ignore_above": 1024,
"type": "keyword"
},
"sha512": {
"ignore_above": 1024,
"type": "keyword"
},
"md5": {
"ignore_above": 1024,
"type": "keyword"
}
}
},
"transaction": {
"properties": {
"id": {
"ignore_above": 1024,
"type": "keyword"
}
}
}
}
},
"aliases": {}
}