diff --git a/x-pack/plugins/security_solution/cypress/integration/timelines/fields_browser.spec.ts b/x-pack/plugins/security_solution/cypress/integration/timelines/fields_browser.spec.ts index 5d4bbdde5620e..35f38db4f38d2 100644 --- a/x-pack/plugins/security_solution/cypress/integration/timelines/fields_browser.spec.ts +++ b/x-pack/plugins/security_solution/cypress/integration/timelines/fields_browser.spec.ts @@ -111,7 +111,7 @@ describe('Fields Browser', () => { filterFieldsBrowser(filterInput); - cy.get(FIELDS_BROWSER_SELECTED_CATEGORY_COUNT).should('have.text', '4'); + cy.get(FIELDS_BROWSER_SELECTED_CATEGORY_COUNT).should('have.text', '5'); }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap new file mode 100644 index 0000000000000..1abe55b782c32 --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/__snapshots__/get_signals_template.test.ts.snap @@ -0,0 +1,4472 @@ +// Jest Snapshot v1, https://goo.gl/fbAQLP + +exports[`get_signals_template it should match snapshot 1`] = ` +Object { + "index_patterns": Array [ + "test-index-*", + ], + "mappings": Object { + "_meta": Object { + "version": 35, + }, + "dynamic": false, + "properties": Object { + "@timestamp": Object { + "type": "date", + }, + "agent": Object { + "properties": Object { + "build": Object { + "properties": Object { + "original": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "client": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "cloud": Object { + "properties": Object { + "account": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "availability_zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "instance": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "machine": Object { + "properties": Object { + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "project": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "service": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "container": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "image": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "tag": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "labels": Object { + "type": "object", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "runtime": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "destination": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "dll": Object { + "properties": Object { + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "dns": Object { + "properties": Object { + "answers": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "data": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ttl": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + "header_flags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "op_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "question": Object { + "properties": Object { + "class": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "resolved_ip": Object { + "type": "ip", + }, + "response_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ecs": Object { + "properties": Object { + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "error": Object { + "properties": Object { + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "message": Object { + "norms": false, + "type": "text", + }, + "stack_trace": Object { + "doc_values": false, + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "file": Object { + "properties": Object { + "accessed": Object { + "type": "date", + }, + "attributes": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "created": Object { + "type": "date", + }, + "ctime": Object { + "type": "date", + }, + "device": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "directory": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "drive_letter": Object { + "ignore_above": 1, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "gid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "inode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mode": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mtime": Object { + "type": "date", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "owner": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "size": Object { + "type": "long", + }, + "target_path": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "host": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "cpu": Object { + "properties": Object { + "usage": Object { + "scaling_factor": 1000, + "type": "scaled_float", + }, + }, + }, + "disk": Object { + "properties": Object { + "read": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + }, + }, + "write": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + }, + }, + }, + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "network": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, + }, + }, + "ingress": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "packets": Object { + "type": "long", + }, + }, + }, + }, + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "http": Object { + "properties": Object { + "request": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "method": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "referrer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "response": Object { + "properties": Object { + "body": Object { + "properties": Object { + "bytes": Object { + "type": "long", + }, + "content": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "mime_type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status_code": Object { + "type": "long", + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "labels": Object { + "type": "object", + }, + "log": Object { + "properties": Object { + "file": Object { + "properties": Object { + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "level": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "logger": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "origin": Object { + "properties": Object { + "file": Object { + "properties": Object { + "line": Object { + "type": "integer", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "function": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "syslog": Object { + "properties": Object { + "facility": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "priority": Object { + "type": "long", + }, + "severity": Object { + "properties": Object { + "code": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + "type": "object", + }, + }, + }, + "message": Object { + "norms": false, + "type": "text", + }, + "network": Object { + "properties": Object { + "application": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "bytes": Object { + "type": "long", + }, + "community_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "direction": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "forwarded_ip": Object { + "type": "ip", + }, + "iana_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "inner": Object { + "properties": Object { + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + "type": "object", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "packets": Object { + "type": "long", + }, + "protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "transport": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "observer": Object { + "properties": Object { + "egress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hostname": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingress": Object { + "properties": Object { + "interface": Object { + "properties": Object { + "alias": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "zone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "object", + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "organization": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "package": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "build_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "checksum": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "install_scope": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "installed": Object { + "type": "date", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "size": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pe": Object { + "properties": Object { + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "process": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "parent": Object { + "properties": Object { + "args": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "args_count": Object { + "type": "long", + }, + "code_signature": Object { + "properties": Object { + "exists": Object { + "type": "boolean", + }, + "signing_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "status": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "team_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "trusted": Object { + "type": "boolean", + }, + "valid": Object { + "type": "boolean", + }, + }, + }, + "command_line": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "entity_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "executable": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "exit_code": Object { + "type": "long", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha512": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ssdeep": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "title": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pe": Object { + "properties": Object { + "architecture": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "company": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "file_version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "imphash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original_file_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "product": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "pgid": Object { + "type": "long", + }, + "pid": Object { + "type": "long", + }, + "ppid": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "thread": Object { + "properties": Object { + "id": Object { + "type": "long", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "title": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "uptime": Object { + "type": "long", + }, + "working_directory": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "registry": Object { + "properties": Object { + "data": Object { + "properties": Object { + "bytes": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "strings": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hive": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "key": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "value": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "related": Object { + "properties": Object { + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hosts": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ip": Object { + "type": "ip", + }, + "user": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "rule": Object { + "properties": Object { + "author": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "license": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ruleset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "uuid": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "server": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "service": Object { + "properties": Object { + "ephemeral_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "node": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "state": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "signal": Object { + "properties": Object { + "_meta": Object { + "properties": Object { + "version": Object { + "type": "long", + }, + }, + }, + "ancestors": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "depth": Object { + "type": "integer", + }, + "group": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "integer", + }, + }, + }, + "original_event": Object { + "properties": Object { + "action": Object { + "type": "keyword", + }, + "category": Object { + "type": "keyword", + }, + "code": Object { + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "kind": Object { + "type": "keyword", + }, + "module": Object { + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "type": "keyword", + }, + "provider": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "original_signal": Object { + "dynamic": false, + "enabled": false, + "type": "object", + }, + "original_time": Object { + "type": "date", + }, + "parent": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "parents": Object { + "properties": Object { + "depth": Object { + "type": "long", + }, + "id": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "rule": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + }, + }, + "rule": Object { + "properties": Object { + "author": Object { + "type": "keyword", + }, + "building_block_type": Object { + "type": "keyword", + }, + "created_at": Object { + "type": "date", + }, + "created_by": Object { + "type": "keyword", + }, + "description": Object { + "type": "keyword", + }, + "enabled": Object { + "type": "keyword", + }, + "false_positives": Object { + "type": "keyword", + }, + "filters": Object { + "type": "object", + }, + "from": Object { + "type": "keyword", + }, + "id": Object { + "type": "keyword", + }, + "immutable": Object { + "type": "keyword", + }, + "index": Object { + "type": "keyword", + }, + "interval": Object { + "type": "keyword", + }, + "language": Object { + "type": "keyword", + }, + "license": Object { + "type": "keyword", + }, + "max_signals": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "note": Object { + "type": "text", + }, + "output_index": Object { + "type": "keyword", + }, + "query": Object { + "type": "keyword", + }, + "references": Object { + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + "rule_id": Object { + "type": "keyword", + }, + "rule_name_override": Object { + "type": "keyword", + }, + "saved_id": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "severity_mapping": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "operator": Object { + "type": "keyword", + }, + "severity": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + "size": Object { + "type": "keyword", + }, + "tags": Object { + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "type": "keyword", + }, + "tactic": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + }, + }, + "technique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "type": "keyword", + }, + "name": Object { + "type": "keyword", + }, + "reference": Object { + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "threat_filters": Object { + "type": "object", + }, + "threat_index": Object { + "type": "keyword", + }, + "threat_indicator_path": Object { + "type": "keyword", + }, + "threat_language": Object { + "type": "keyword", + }, + "threat_mapping": Object { + "properties": Object { + "entries": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + }, + }, + "threat_query": Object { + "type": "keyword", + }, + "threshold": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "float", + }, + }, + }, + "timeline_id": Object { + "type": "keyword", + }, + "timeline_title": Object { + "type": "keyword", + }, + "timestamp_override": Object { + "type": "keyword", + }, + "to": Object { + "type": "keyword", + }, + "type": Object { + "type": "keyword", + }, + "updated_at": Object { + "type": "date", + }, + "updated_by": Object { + "type": "keyword", + }, + "version": Object { + "type": "keyword", + }, + }, + }, + "status": Object { + "type": "keyword", + }, + "threshold_count": Object { + "type": "float", + }, + "threshold_result": Object { + "properties": Object { + "cardinality": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "long", + }, + }, + }, + "count": Object { + "type": "long", + }, + "from": Object { + "type": "date", + }, + "terms": Object { + "properties": Object { + "field": Object { + "type": "keyword", + }, + "value": Object { + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "source": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "bytes": Object { + "type": "long", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "postal_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "mac": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "nat": Object { + "properties": Object { + "ip": Object { + "type": "ip", + }, + "port": Object { + "type": "long", + }, + }, + }, + "packets": Object { + "type": "long", + }, + "port": Object { + "type": "long", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "user": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "span": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "tags": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "threat": Object { + "properties": Object { + "framework": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "indicator": Object { + "properties": Object { + "as": Object { + "properties": Object { + "number": Object { + "type": "long", + }, + "organization": Object { + "properties": Object { + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "confidence": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "type": "wildcard", + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "properties": Object { + "address": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "event": Object { + "properties": Object { + "action": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "created": Object { + "type": "date", + }, + "dataset": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "duration": Object { + "type": "long", + }, + "end": Object { + "type": "date", + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ingested": Object { + "type": "date", + }, + "kind": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "doc_values": false, + "ignore_above": 1024, + "index": false, + "type": "keyword", + }, + "outcome": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reason": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "risk_score": Object { + "type": "float", + }, + "risk_score_norm": Object { + "type": "float", + }, + "sequence": Object { + "type": "long", + }, + "severity": Object { + "type": "long", + }, + "start": Object { + "type": "date", + }, + "timezone": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "url": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "first_seen": Object { + "type": "date", + }, + "geo": Object { + "properties": Object { + "city_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "continent_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "location": Object { + "type": "geo_point", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_iso_code": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "region_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "ip": Object { + "type": "ip", + }, + "last_seen": Object { + "type": "date", + }, + "marking": Object { + "properties": Object { + "tlp": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "matched": Object { + "properties": Object { + "atomic": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "field": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "module": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "provider": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner_stats": Object { + "type": "long", + }, + "sightings": Object { + "type": "long", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + "type": "nested", + }, + "tactic": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "technique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subtechnique": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + }, + }, + "tls": Object { + "properties": Object { + "cipher": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "client": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "server_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "supported_ciphers": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "established": Object { + "type": "boolean", + }, + "next_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "resumed": Object { + "type": "boolean", + }, + "server": Object { + "properties": Object { + "certificate": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "certificate_chain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "hash": Object { + "properties": Object { + "md5": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha1": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "sha256": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "issuer": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "ja3s": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "subject": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "x509": Object { + "properties": Object { + "alternative_names": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "issuer": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "not_after": Object { + "type": "date", + }, + "not_before": Object { + "type": "date", + }, + "public_key_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_curve": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "public_key_exponent": Object { + "doc_values": false, + "index": false, + "type": "long", + }, + "public_key_size": Object { + "type": "long", + }, + "serial_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "signature_algorithm": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subject": Object { + "properties": Object { + "common_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "country": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "distinguished_name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "locality": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organization": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "organizational_unit": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "state_or_province": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version_number": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version_protocol": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "trace": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "transaction": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "url": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "extension": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "fragment": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "password": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "path": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "port": Object { + "type": "long", + }, + "query": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "registered_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scheme": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "subdomain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "top_level_domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "username": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "user": Object { + "properties": Object { + "changes": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "effective": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "target": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "email": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full_name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "group": Object { + "properties": Object { + "domain": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "hash": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "roles": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "user_agent": Object { + "properties": Object { + "device": Object { + "properties": Object { + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "original": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "os": Object { + "properties": Object { + "family": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "full": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "kernel": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "platform": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "type": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vlan": Object { + "properties": Object { + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "name": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "vulnerability": Object { + "properties": Object { + "category": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "classification": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "description": Object { + "fields": Object { + "text": Object { + "norms": false, + "type": "text", + }, + }, + "ignore_above": 1024, + "type": "keyword", + }, + "enumeration": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "reference": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "report_id": Object { + "ignore_above": 1024, + "type": "keyword", + }, + "scanner": Object { + "properties": Object { + "vendor": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "score": Object { + "properties": Object { + "base": Object { + "type": "float", + }, + "environmental": Object { + "type": "float", + }, + "temporal": Object { + "type": "float", + }, + "version": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + "severity": Object { + "ignore_above": 1024, + "type": "keyword", + }, + }, + }, + }, + }, + "settings": Object { + "index": Object { + "lifecycle": Object { + "name": "test-index", + "rollover_alias": "test-index", + }, + }, + "mapping": Object { + "total_fields": Object { + "limit": 10000, + }, + }, + }, + "version": 35, +} +`; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json index 70b62d569b9d3..2967f4cb725e7 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/ecs_mapping.json @@ -1,12 +1,37 @@ { + "index_patterns": [ + "try-ecs-*" + ], "mappings": { - "dynamic": false, + "_meta": { + "version": "1.9.0" + }, + "date_detection": false, + "dynamic_templates": [ + { + "strings_as_keyword": { + "mapping": { + "ignore_above": 1024, + "type": "keyword" + }, + "match_mapping_type": "string" + } + } + ], "properties": { "@timestamp": { "type": "date" }, "agent": { "properties": { + "build": { + "properties": { + "original": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "ephemeral_id": { "ignore_above": 1024, "type": "keyword" @@ -29,27 +54,6 @@ } } }, - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, "client": { "properties": { "address": { @@ -90,6 +94,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -109,6 +117,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -116,6 +128,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -146,6 +162,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -203,6 +223,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -215,6 +239,10 @@ "id": { "ignore_above": 1024, "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -242,6 +270,18 @@ } } }, + "project": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "provider": { "ignore_above": 1024, "type": "keyword" @@ -249,27 +289,14 @@ "region": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "code_signature": { - "properties": { - "exists": { - "type": "boolean" - }, - "status": { - "ignore_above": 1024, - "type": "keyword" - }, - "subject_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "trusted": { - "type": "boolean" }, - "valid": { - "type": "boolean" + "service": { + "properties": { + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -344,6 +371,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -363,6 +394,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -370,6 +405,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -400,6 +439,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -457,6 +500,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -469,6 +516,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -477,6 +528,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -502,6 +557,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -515,6 +574,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -527,6 +590,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -718,6 +785,10 @@ "ignore_above": 1024, "type": "keyword" }, + "reason": { + "ignore_above": 1024, + "type": "keyword" + }, "reference": { "ignore_above": 1024, "type": "keyword" @@ -765,6 +836,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -773,6 +848,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -828,6 +907,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -866,6 +949,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -878,6 +965,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -908,41 +999,112 @@ "uid": { "ignore_above": 1024, "type": "keyword" - } - } - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -962,42 +1124,52 @@ } } }, - "hash": { - "properties": { - "md5": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha1": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha256": { - "ignore_above": 1024, - "type": "keyword" - }, - "sha512": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "host": { "properties": { "architecture": { "ignore_above": 1024, "type": "keyword" }, - "domain": { - "ignore_above": 1024, - "type": "keyword" + "cpu": { + "properties": { + "usage": { + "scaling_factor": 1000, + "type": "scaled_float" + } + } }, - "geo": { + "disk": { + "properties": { + "read": { + "properties": { + "bytes": { + "type": "long" + } + } + }, + "write": { + "properties": { + "bytes": { + "type": "long" + } + } + } + } + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "geo": { "properties": { "city_name": { "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1017,6 +1189,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1024,6 +1200,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1046,6 +1226,30 @@ "ignore_above": 1024, "type": "keyword" }, + "network": { + "properties": { + "egress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + }, + "ingress": { + "properties": { + "bytes": { + "type": "long" + }, + "packets": { + "type": "long" + } + } + } + } + }, "os": { "properties": { "family": { @@ -1080,6 +1284,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1146,6 +1354,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -1175,10 +1387,18 @@ "bytes": { "type": "long" }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, "method": { "ignore_above": 1024, "type": "keyword" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "referrer": { "ignore_above": 1024, "type": "keyword" @@ -1207,6 +1427,10 @@ "bytes": { "type": "long" }, + "mime_type": { + "ignore_above": 1024, + "type": "keyword" + }, "status_code": { "type": "long" } @@ -1218,27 +1442,19 @@ } } }, - "interface": { - "properties": { - "alias": { - "ignore_above": 1024, - "type": "keyword" - }, - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "labels": { "type": "object" }, "log": { "properties": { + "file": { + "properties": { + "path": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "level": { "ignore_above": 1024, "type": "keyword" @@ -1427,6 +1643,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -1446,6 +1666,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -1453,6 +1677,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1542,6 +1770,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -1588,46 +1820,6 @@ } } }, - "os": { - "properties": { - "family": { - "ignore_above": 1024, - "type": "keyword" - }, - "full": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "kernel": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - }, - "platform": { - "ignore_above": 1024, - "type": "keyword" - }, - "version": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "package": { "properties": { "architecture": { @@ -1682,30 +1874,6 @@ } } }, - "pe": { - "properties": { - "company": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "ignore_above": 1024, - "type": "keyword" - }, - "file_version": { - "ignore_above": 1024, - "type": "keyword" - }, - "original_file_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "product": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "process": { "properties": { "args": { @@ -1720,6 +1888,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1728,6 +1900,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1780,6 +1956,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1807,6 +1987,10 @@ "exists": { "type": "boolean" }, + "signing_id": { + "ignore_above": 1024, + "type": "keyword" + }, "status": { "ignore_above": 1024, "type": "keyword" @@ -1815,6 +1999,10 @@ "ignore_above": 1024, "type": "keyword" }, + "team_id": { + "ignore_above": 1024, + "type": "keyword" + }, "trusted": { "type": "boolean" }, @@ -1867,6 +2055,10 @@ "sha512": { "ignore_above": 1024, "type": "keyword" + }, + "ssdeep": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -1880,6 +2072,38 @@ "ignore_above": 1024, "type": "keyword" }, + "pe": { + "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "pgid": { "type": "long" }, @@ -1930,6 +2154,10 @@ }, "pe": { "properties": { + "architecture": { + "ignore_above": 1024, + "type": "keyword" + }, "company": { "ignore_above": 1024, "type": "keyword" @@ -1942,6 +2170,10 @@ "ignore_above": 1024, "type": "keyword" }, + "imphash": { + "ignore_above": 1024, + "type": "keyword" + }, "original_file_name": { "ignore_above": 1024, "type": "keyword" @@ -2042,6 +2274,10 @@ "ignore_above": 1024, "type": "keyword" }, + "hosts": { + "ignore_above": 1024, + "type": "keyword" + }, "ip": { "type": "ip" }, @@ -2135,6 +2371,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2154,6 +2394,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2161,6 +2405,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2191,6 +2439,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2248,6 +2500,10 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } @@ -2329,6 +2585,10 @@ "ignore_above": 1024, "type": "keyword" }, + "continent_code": { + "ignore_above": 1024, + "type": "keyword" + }, "continent_name": { "ignore_above": 1024, "type": "keyword" @@ -2348,6 +2608,10 @@ "ignore_above": 1024, "type": "keyword" }, + "postal_code": { + "ignore_above": 1024, + "type": "keyword" + }, "region_iso_code": { "ignore_above": 1024, "type": "keyword" @@ -2355,6 +2619,10 @@ "region_name": { "ignore_above": 1024, "type": "keyword" + }, + "timezone": { + "ignore_above": 1024, + "type": "keyword" } } }, @@ -2385,6 +2653,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2442,11 +2714,23 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" } } } } }, + "span": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "tags": { "ignore_above": 1024, "type": "keyword" @@ -2457,147 +2741,9 @@ "ignore_above": 1024, "type": "keyword" }, - "indicator": { - "type": "nested", + "tactic": { "properties": { - "as": { - "properties": { - "number": { - "type": "long" - }, - "organization": { - "properties": { - "name": { - "fields": { - "text": { - "norms": false, - "type": "text" - } - }, - "ignore_above": 1024, - "type": "keyword" - } - } - } - } - }, - "confidence": { - "ignore_above": 1024, - "type": "keyword" - }, - "dataset": { - "ignore_above": 1024, - "type": "keyword" - }, - "description": { - "type": "wildcard" - }, - "domain": { - "ignore_above": 1024, - "type": "keyword" - }, - "email": { - "properties": { - "address": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "first_seen": { - "type": "date" - }, - "geo": { - "properties": { - "city_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "continent_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "country_name": { - "ignore_above": 1024, - "type": "keyword" - }, - "location": { - "type": "geo_point" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_iso_code": { - "ignore_above": 1024, - "type": "keyword" - }, - "region_name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "ip": { - "type": "ip" - }, - "last_seen": { - "type": "date" - }, - "marking": { - "properties": { - "tlp": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "matched": { - "properties": { - "atomic": { - "ignore_above": 1024, - "type": "keyword" - }, - "field": { - "ignore_above": 1024, - "type": "keyword" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "module": { - "ignore_above": 1024, - "type": "keyword" - }, - "port": { - "type": "long" - }, - "provider": { - "ignore_above": 1024, - "type": "keyword" - }, - "scanner_stats": { - "type": "long" - }, - "sightings": { - "type": "long" - }, - "type": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, - "tactic": { - "properties": { - "id": { + "id": { "ignore_above": 1024, "type": "keyword" }, @@ -2630,6 +2776,28 @@ "reference": { "ignore_above": 1024, "type": "keyword" + }, + "subtechnique": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "reference": { + "ignore_above": 1024, + "type": "keyword" + } + } } } } @@ -2692,6 +2860,112 @@ "supported_ciphers": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -2752,6 +3026,112 @@ "subject": { "ignore_above": 1024, "type": "keyword" + }, + "x509": { + "properties": { + "alternative_names": { + "ignore_above": 1024, + "type": "keyword" + }, + "issuer": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "not_after": { + "type": "date" + }, + "not_before": { + "type": "date" + }, + "public_key_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_curve": { + "ignore_above": 1024, + "type": "keyword" + }, + "public_key_exponent": { + "doc_values": false, + "index": false, + "type": "long" + }, + "public_key_size": { + "type": "long" + }, + "serial_number": { + "ignore_above": 1024, + "type": "keyword" + }, + "signature_algorithm": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject": { + "properties": { + "common_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country": { + "ignore_above": 1024, + "type": "keyword" + }, + "distinguished_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "locality": { + "ignore_above": 1024, + "type": "keyword" + }, + "organization": { + "ignore_above": 1024, + "type": "keyword" + }, + "organizational_unit": { + "ignore_above": 1024, + "type": "keyword" + }, + "state_or_province": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "version_number": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -2838,6 +3218,10 @@ "ignore_above": 1024, "type": "keyword" }, + "subdomain": { + "ignore_above": 1024, + "type": "keyword" + }, "top_level_domain": { "ignore_above": 1024, "type": "keyword" @@ -2850,10 +3234,130 @@ }, "user": { "properties": { + "changes": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "domain": { "ignore_above": 1024, "type": "keyword" }, + "effective": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, "email": { "ignore_above": 1024, "type": "keyword" @@ -2901,6 +3405,70 @@ }, "ignore_above": 1024, "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + }, + "target": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "ignore_above": 1024, + "type": "keyword" + }, + "full_name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "group": { + "properties": { + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "roles": { + "ignore_above": 1024, + "type": "keyword" + } + } } } }, @@ -2962,6 +3530,10 @@ "ignore_above": 1024, "type": "keyword" }, + "type": { + "ignore_above": 1024, + "type": "keyword" + }, "version": { "ignore_above": 1024, "type": "keyword" @@ -2974,18 +3546,6 @@ } } }, - "vlan": { - "properties": { - "id": { - "ignore_above": 1024, - "type": "keyword" - }, - "name": { - "ignore_above": 1024, - "type": "keyword" - } - } - }, "vulnerability": { "properties": { "category": { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts index 7139734f6f82f..9c39ad4ee3598 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.test.ts @@ -42,4 +42,9 @@ describe('get_signals_template', () => { const template = getSignalsTemplate('test-index'); expect(template.settings.mapping.total_fields.limit).toBeGreaterThanOrEqual(10000); }); + + test('it should match snapshot', () => { + const template = getSignalsTemplate('test-index'); + expect(template).toMatchSnapshot(); + }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts index 326d5777543be..0318218ed5900 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/get_signals_template.ts @@ -7,6 +7,7 @@ import signalsMapping from './signals_mapping.json'; import ecsMapping from './ecs_mapping.json'; +import otherMapping from './other_mappings.json'; /** @constant @@ -21,7 +22,7 @@ import ecsMapping from './ecs_mapping.json'; incremented by 10 in order to add "room" for the aforementioned patch release */ -export const SIGNALS_TEMPLATE_VERSION = 26; +export const SIGNALS_TEMPLATE_VERSION = 35; export const MIN_EQL_RULE_INDEX_VERSION = 2; export const getSignalsTemplate = (index: string) => { @@ -41,18 +42,19 @@ export const getSignalsTemplate = (index: string) => { }, index_patterns: [`${index}-*`], mappings: { - ...ecsMapping.mappings, + dynamic: false, properties: { ...ecsMapping.mappings.properties, + ...otherMapping.mappings.properties, signal: signalsMapping.mappings.properties.signal, threat: { ...ecsMapping.mappings.properties.threat, properties: { ...ecsMapping.mappings.properties.threat.properties, indicator: { - ...ecsMapping.mappings.properties.threat.properties.indicator, + ...otherMapping.mappings.properties.threat.properties.indicator, properties: { - ...ecsMapping.mappings.properties.threat.properties.indicator.properties, + ...otherMapping.mappings.properties.threat.properties.indicator.properties, event: ecsMapping.mappings.properties.event, }, }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json new file mode 100644 index 0000000000000..43bc1a548a6af --- /dev/null +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/routes/index/other_mappings.json @@ -0,0 +1,337 @@ +{ + "mappings": { + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "code_signature": { + "properties": { + "exists": { + "type": "boolean" + }, + "status": { + "ignore_above": 1024, + "type": "keyword" + }, + "subject_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "trusted": { + "type": "boolean" + }, + "valid": { + "type": "boolean" + } + } + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "hash": { + "properties": { + "md5": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha1": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha256": { + "ignore_above": 1024, + "type": "keyword" + }, + "sha512": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "interface": { + "properties": { + "alias": { + "ignore_above": 1024, + "type": "keyword" + }, + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "os": { + "properties": { + "family": { + "ignore_above": 1024, + "type": "keyword" + }, + "full": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "kernel": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + }, + "platform": { + "ignore_above": 1024, + "type": "keyword" + }, + "version": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "pe": { + "properties": { + "company": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "ignore_above": 1024, + "type": "keyword" + }, + "file_version": { + "ignore_above": 1024, + "type": "keyword" + }, + "original_file_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "product": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "threat": { + "properties": { + "indicator": { + "type": "nested", + "properties": { + "as": { + "properties": { + "number": { + "type": "long" + }, + "organization": { + "properties": { + "name": { + "fields": { + "text": { + "norms": false, + "type": "text" + } + }, + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "confidence": { + "ignore_above": 1024, + "type": "keyword" + }, + "dataset": { + "ignore_above": 1024, + "type": "keyword" + }, + "description": { + "type": "wildcard" + }, + "domain": { + "ignore_above": 1024, + "type": "keyword" + }, + "email": { + "properties": { + "address": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "first_seen": { + "type": "date" + }, + "geo": { + "properties": { + "city_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "continent_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "country_name": { + "ignore_above": 1024, + "type": "keyword" + }, + "location": { + "type": "geo_point" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_iso_code": { + "ignore_above": 1024, + "type": "keyword" + }, + "region_name": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "ip": { + "type": "ip" + }, + "last_seen": { + "type": "date" + }, + "marking": { + "properties": { + "tlp": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "matched": { + "properties": { + "atomic": { + "ignore_above": 1024, + "type": "keyword" + }, + "field": { + "ignore_above": 1024, + "type": "keyword" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + }, + "module": { + "ignore_above": 1024, + "type": "keyword" + }, + "port": { + "type": "long" + }, + "provider": { + "ignore_above": 1024, + "type": "keyword" + }, + "scanner_stats": { + "type": "long" + }, + "sightings": { + "type": "long" + }, + "type": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + }, + "vlan": { + "properties": { + "id": { + "ignore_above": 1024, + "type": "keyword" + }, + "name": { + "ignore_above": 1024, + "type": "keyword" + } + } + } + } + } +}